i have been searching around for a while to find a way to Trigger a logon on a remote machine as a different user.
This is for an Blueprism RPA requirement. We have few virtual machines that run RPA processes and these machines will need to be logged in with the bot account for the processes to run. We have a Login agent that can be used to trigger logons on the machines, but they need to be done per machine basis which can sometimes be time consuming.
I can remote login to those machine to initiate the logons, but the automation fails if I close the session due to some display thingy.
If there is something like a command that I can trigger from my CMD that would do the job for me would be of great help
TIA
If you'd like to ensure that the machine is logged in, before the process start, then you can build it in into the scheduler.
Set the first step in the process as "login" and no matter if it completes or fails, after set amount of time run the process.
Finally managed to get this done using AutomateC.exe utility that comes with Blueprism. You can pretty much run any process on any VM and also specify input parameters. This is pretty handy when there is a need to interact with too many VMs.
Related
I have an odd set of constraints and I'm not sure if what I want to do is possible. I'm writing a Python script that can restart programs/services for me via an Uvicorn/FastAPI server. I need the following:
For the script to always be running and to restart if it stops
To be constantly logged on as the standard (non-admin) user
To stop/start a Windows service that requires admin privileges
To start a program as the current (non-admin) user that displays a GUI
I've set up Task Scheduler to run this script as admin, whether logged in or not. This was the only way I found to be able to stop/start Windows services. With this, I'm able to do everything I need except for running a program as the current user. If I set the task to run as the current user, I can do everything except the services.
Within Python, I've tried running the program with os.startfile(), subprocess.Popen(), and subprocess.run(), but it always runs with no GUI, and seemingly as the admin since I can't kill the process without running Task Manager as admin. I'm aware of the 'user' flag in subprocess, but as I'm on Windows 8, the latest Python version I can use is 3.8.10, and 'user' wasn't introduced until Python 3.9.
I've tried the 'runas' cmd command (run through os.system() as well as a separate batch script), but this doesn't work as it prompts for the user's password. I've tried the /savecred flag and I've run the script manually both as a user and as admin just fine, but if I run this through Task Scheduler, either nothing happens, or there is a perpetual 'RunAs' process that halts my script.
I've tried PsExec, but again that doesn't work in Task Scheduler. If I run even a basic one-line batch file with PsExec as a task, I get error 0xC0000142, which from what I can tell is some DLL error: NT_STATUS_DLL_INIT_FAILED.
The only solution I can think of is running two different Python scripts in Task Scheduler (one as admin, one as non-admin), but this is not ideal as I want only one Uvicorn/FastAPI server running with one single port.
EDIT -
I figured out a way to grant service perms to the user account with ServiceSecurityEditor, but I'm still open to any suggestions that may be better. I want the setup process for a new machine to be as simple as possible.
Let's state a situation:
I have the possibility to run arbitrary commands on a server as an unprivileged user, through "unconventional means".
I do not have the possibility to login using ssh to that server, either as my unprivileged user or anything else. So I do not have currently a CLI allowing me to run any commands I would like in a "normal" way.
I can ping that server and nothing prevents me to connect to arbitrary ports.
I still would like to have a command line to allow me to run arbitrary command as i wish on that server.
Theoretically nothing would prevent me to launch any program as my unprivileged user, including one that would open a port, allow some remote user to connect to it and just forward any commands to bash, returning the result. I just don't know any good program to do that.
So, does any one know? I looked at ways to launch ssh_server as an unprivileged user but some users reported that recent versions of ssh_server do not allow that anymore. Actually I don't even need ssh specifically, any way to get a working CLI would do the trick. Even a crappy node.js program launching an http server would work, as long as I have a CLI (... and it's not excessively crappy, the goal is to have a clean CLI, not something that bugs every two characters).
In case you would ask why I would like to do that, it's not related to anything illegal ^^. I just have to work with a very crappy Jenkins server for which I'm not allowed to have direct access to its agents. Whoever is responsible for that server doesn't give a sh** about its users' needs so we have to use hacky solutions just to have some diagnostic data about that server (like ram, cpu and disk usage, installed programs, etc...). Having a CLI that I can launch some time instead of altering a build configuration and waiting 20 minutes to have an answer about what's going on would really help.
Thanks in advance for any answer.
So do you have shell access to the server at least once? E.g., during the single day of the month when you are physically present at the site of your client or the outsourcing contractor?
And if you have shell access then, can you or your sysmin install Cockpit?
It listens on port 9090.
You can then use the credentials of your local user and open a terminal window in your browser. See sidebar item "Terminal" on the screenshots of the cockpit homepage.
According to the documentation
Cockpit has no special privileges and doesn’t run as root. It creates a session as the logged in user and has the same permissions as that user.
I need to create tools so that a non-experienced/non-technical users can use (which means connect and start/stop) a Virtual machine on Azure. For connection, the RDP connection is doing a good enough job and is easy to take a hand-on. On the other side, to start / stop a virtual machine you normally need to access to the Azure portal which (on top of being not straightforward for a non-technical user) causes some access policy problems. One option could be to just let the virtual machine always "on" but then we are billed for 100% of time even though the user only needs it for a couple hours a week.
That's why I investigated the possibility to create a script that could be put into an executable file that would launch automatically the virtual machine by just clicking the exec. I have already seen this stackoverflow question :
Start azure virtual machine without azure portal
which suggests to create an Azure PowerShell script that would start the virtual machine. Only problem is that launching a powershell script is out of the technical level of the person who would use it. On top of that, there is a need to install Azure add-on for powershell (if I understand correctly) which would not be possible depending on the machine and the rights the user have on it.
So my question : Do you have any idea on how I could make a simple program (in the form for example of an executable that would run on any machine without any dependency) that would start an azure virtual machine ?
One solution I thought about but it seemed very complicated : create a "super low cost" virtual machine that would be on 100% of time and just create an exec that instruct this VM to start the other virtual machine on demand ?
Thanks for your help
I have a problem with the idea that a powershell script is outside of the scope of a user that can run an exe file. If built properly, a ps1 should just be a double-click, exactly like an exe.
Aside from that, you have a couple hurdles to look at.
Your user can't have access to the resources that they need to interact with.
This can be done by passing custom PScredential objects through the script and pulling the credentials from a file. You would build the credential file with ConvertFrom-SecureString and then import it in with CovertTo-SecureString. The biggest problem with this is that if the user can see where that file is stored, they could potentially write a script to access that file and gain privileged access.
Your user doesn't have permission to run the powershell resources needed to execute the script. For this, you'd need to build in runas permission on the script, and I think creating an exe might be the best avenue for that. Although you could have the initial script call another shell with elevated permissions and work through that.
There are tools out there like PowerGUI, that will compile a ps1 file into an exe format. A properly compiled and secure exe file would hide the scripts that call out to secure string files and also allow for custom runas permissions built into the program.
I've been unable to find anything which really answers the question that I have, so if anyone can shed some light on the matter, I'd be grateful.
I'm not a Unix/Linux guy, so I'm running ActivePerl on Windows NT.
The scenario is this:
webscript.cgi calls background.pl to do some dirty work while the user continues browsing the site, using system($cmd). This works fine and all, but what I am wondering is THIS:
What happens if MULTIPLE calls are made within seconds of each other as a result of users actions to run background.pl? Will multiple instances of background.pl run simultaneously? Will one instance have to complete before the next can begin? Will any subsequent instances called simply fail? Or, will my machine begin to smoke and then perhaps explode? (chuckle)
Again, this is running in a Windows environment so I'm not sure if the rules with ActivePerl are a bit different than running in a Unix environment. Thanks to anyone who might have some information about this!
The web server doesn't know anything about the process running background.pl, so it does what it always does. It runs webscript.cgi which launches background.pl.
Now, if webscript.cgi waits for background.pl to complete, you could run into a situation where the web server stops accepting requests because all of its workers are running webscript.cgi. It will resume once a script ends.
All of this is very easy to test.
Will one instance have to complete before the next can begin?
No.
Will any subsequent instances called simply fail?
No.
Or, will my machine begin to smoke and then perhaps explode? (chuckle)
A poorly configured server could indeed be brought down by trying to run too many programs at once.
I'm trying to automate Coded UI tests.
My test controller launches the tests on a remote test server, which I normally access via a Remote Desktop connection.
Is it possible to run the Coded UI tests without having to connect via remote desktop?
Currently, the tests only run when I have connected via Remote Desktop, and the window must be open. When I close the Remote Desktop session, the tests do not run.
If it isn't possible to run coded UI tests without remote desktop, how can I automate connecting via remote desktop?
Thanks
As to your first question, the test agent needs to be "online" for tests to run. and the test agent is "online" only when the environment is in "ready" state.
You cannot run a test in an environment(remote connection/local machine) without it being in "Ready" state.
With regards to your second question about automating a desktop connection, this
link, however seems to be helpful:
Automating remote desktop connection
Coded UI tests are independent of Remote Desktop.
All UI tests are dependent on UI though. This means, the user must be logged in, and the screen cannot be locked.
Usually, when you disconnect from an RDP session, the screen gets locked. Also, you would have to set the user to auto-login in order for tests to be run. (RDP connections will also log you in.)
So, if you are able (allowed) to, easiest is:
Set user to auto-login.
Use VNC software for connection, like UltraVNC. You do not have the problem of the screen locking on disconnect.
You can automatically initiate RDP connection. I used it, and it is a bad idea, because it is fragile, and if it breaks, it will fail your tests (e. g. when you have it linked to a build job and it should run all the time).