
First of all, here are my limitations:

  1. I'm running PsExec and net use from a batch file.
  2. I need to run as a different user than the currently logged-in one. We have a strict permission scheme where server admins are not desktop admins and vice versa. I'm running my batch file as a server admin and need to use desktop admin credentials on the target machine.
  3. Not a limitation, just a note. I have complete control and access to both of these needed accounts.
  4. Needs to be headless, can't have a popup asking to type a password.

My current usage works using the -u and -p flags (/user for net use), but much to my horror a security guy showed me my password being logged in plain text. I should have realized this would be the case. I had taken steps to keep everything non-interactive and never stored the password in plain text, but of course the log would see it.

Is there a way to do this? I want the command to be logged, but obviously not while having such a large security risk.

The normal solution is to run the script as an elevated user so that all of the commands are run as that user. However, due to the permissions breakdown, if I run it as the desktop admin I cannot run the script on the server at all. If I run it as the server admin, all my remote attempts are denied.

Colt
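The exposure described in the question, as an added example that is not part of the original post: a Python sketch that locates the password token in logged PsExec and net use command lines and redacts it before the line is stored or forwarded. The sample log lines, host names, account names and password are constructed, and the function names are hypothetical.

```python
import re

def tokens(cmdline):
    # Split on whitespace but keep "quoted segments" inside one token.
    return re.findall(r'(?:"[^"]*"|[^\s"])+', cmdline)

def find_secret(cmdline):
    """Return (tool, token index of the password) or None."""
    t = tokens(cmdline)
    if not t:
        return None
    exe = t[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe in ("psexec", "psexec64"):
        # Simplification: the first -p is taken as PsExec's own switch.
        for i, tok in enumerate(t[1:-1], 1):
            if tok.lower() == "-p":
                return "psexec", i + 1
    elif exe == "net" and len(t) > 2 and t[1].lower() == "use":
        # net use [device] \\host\share [password] [/user:...]
        for i, tok in enumerate(t[2:-1], 2):
            nxt = t[i + 1]
            is_unc = tok.strip('"').startswith("\\\\")
            if is_unc and nxt != "*" and not nxt.startswith("/"):
                return "net use", i + 1
    return None

def redact(cmdline):
    """Return (command line safe to store, tool name or None)."""
    hit = find_secret(cmdline)
    if hit is None:
        return cmdline, None
    tool, idx = hit
    t = tokens(cmdline)
    t[idx] = "<REDACTED>"
    return " ".join(t), tool

# Constructed sample entries (hosts, accounts and password are made up).
SAMPLE = [
    r"psexec \\DESK-042 -u CORP\deskadmin -p Example-Pass1 cmd /c inventory.bat",
    r"net use \\DESK-042\admin$ Example-Pass1 /user:CORP\deskadmin",
    r"net use \\DESK-042\admin$ /user:CORP\deskadmin",
    r"C:\Tools\PsExec.exe \\DESK-042 -s ipconfig",
]

if __name__ == "__main__":
    for line in SAMPLE:
        safe, tool = redact(line)
        print("LEAK" if tool else "ok  ", safe)
```

Any password this flags in an existing log should be treated as exposed and rotated; redaction only protects entries written afterwards.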

0 Answers