I'm in the tech support class at my high school and my teacher introduced us to an interesting software issue that has gone unanswered for 5 years. We still do not have the answer. If anyone has any thoughts, please tell me and I'll reply with details that I do not post below.
Problem:
A graphical design teacher has the need for Roller Coaster Tycoon 3 to be on all of the student computers in his room (dont ask me why). 5 years ago, Roller Coaster Tycoon 3 was ghosted onto all of his computers along with the rest of the stuff he needed. Unfortunately, students are unable to play the game.
Each student has their own user account with their own username, password, and networked saving drive. These accounts can be accessed on any computer in the school that is connected to the network. Also note that all of these computers run windows xp and I believe they all have nvidia graphics cards (or ATI, not sure).
To play the game, here is the process the student follows:
1) turn on computer and student logs on
2) start program
3) fail -- RCT3.exe is running at 50% cpu but the program has not initialized
4) student logs off
5) administrator logs on
6) administrator starts program
7) program works fine on administrator account
8) administrator logs off (does not turn off computer)
9) student logs on
10) student starts program
11) program works fine just like on the administrator account
12) student logs off and turns computer off
13) student turns computer on and logs on
14) student starts program
15) fail -- RCT3.exe is running at 50% cpu but the program has not initialized (back to square one)
Clearly, the administrator is capable of doing something to the program that the student users are unable to do this. This is almost definitely permissions, but the problem is we do not know where the administrator is making the change. We cannot give all the students administrator abilities, so we need to grant permission to particular files if that is the problem.
Any thoughts?
Full Version: School Tech Support Problem -- 5 Years Unanswered So Far
We have this same issue at my work with MOSS 2007. Marketing has restricted access to development servers, the invoicing system in particular and when trying to manually access an invoice.
The only way they can manually view or obtain it is if I (being on Sys/Network Admin Priv) or another staff with my access level accesses it first. We still cannot find a sensible solution except for a script we made to temporarily assign admin permissions and then 8 seconds later, revoke it.
The only way they can manually view or obtain it is if I (being on Sys/Network Admin Priv) or another staff with my access level accesses it first. We still cannot find a sensible solution except for a script we made to temporarily assign admin permissions and then 8 seconds later, revoke it.
now for that script, how did it give them admin abilities? I ask because this is one thing we may be able to implement.
I assume the easiest script would be to give admin permissions to the particular .exe file (which works inconsistently from what we've tried). The problem we came across when thinking this was an option was how exactly the script would allow admin access. Does your script effectively do it all in the command prompt, or is there some other way it does it. Is this something that can be done using .java?
I'm very interested in how it works. If you could explain it, I could probably create one for my school.
I assume the easiest script would be to give admin permissions to the particular .exe file (which works inconsistently from what we've tried). The problem we came across when thinking this was an option was how exactly the script would allow admin access. Does your script effectively do it all in the command prompt, or is there some other way it does it. Is this something that can be done using .java?
I'm very interested in how it works. If you could explain it, I could probably create one for my school.
The script basically works like this. When the user clicks into the page (they must be logged in), they are checked against the database of users. If the user has a priviledge level less then "admin" (for this particular directory) when they click onto the page they are automatically added to the "admin" group. Then on the next page, they are removed from the "admin" group.
I am unsure how your system is set up but I spose I could help you out with a solution. I do not know if it is possible in Java (as I do not know it) but there would be a similar work around available.
I am unsure how your system is set up but I spose I could help you out with a solution. I do not know if it is possible in Java (as I do not know it) but there would be a similar work around available.
Ok, well I took a crack at it and I am trying to figure out how to bypass the admin block.
I have tested the program using a normal .exe. It launches WinRAR.exe without any issues. Below is the code of the unblocked program.
Code:
Then I tested it with a program that I knew needed admin permissions. I am running into what I expected I would, an admin block. However that admin block seems to be more of a pain in the ass than I expected. What I need to know is: does anyone know how to execute the runas command, auto input the admin password, and execute the .exe using java? Since I am just testing on my personal computer, and the admin has no password, simply finding out how to execute the runas command would be useful. I have tried some research, I have found examples, but I havent found anything telling me HOW it works so that I can edit it for my own needs. Below is the code of the blocked program and first line of the exception I am getting.
Code:
Exception:
I assume the elevation thingy is talking about admin protected. If not, please tell me what I should be doing to fix it. Also, if anyone notices anything else wrong, please tell me.
Cheers
I have tested the program using a normal .exe. It launches WinRAR.exe without any issues. Below is the code of the unblocked program.
Code:
CODE
import java.io.IOException;
public class FileOpenTest
{
public static void main(String[] args) throws Exception
{
Process p = Runtime.getRuntime().exec("\"C:/Program Files (x86)/WinRAR/WinRAR.exe\"");
p.waitFor();
}
}
public class FileOpenTest
{
public static void main(String[] args) throws Exception
{
Process p = Runtime.getRuntime().exec("\"C:/Program Files (x86)/WinRAR/WinRAR.exe\"");
p.waitFor();
}
}
Then I tested it with a program that I knew needed admin permissions. I am running into what I expected I would, an admin block. However that admin block seems to be more of a pain in the ass than I expected. What I need to know is: does anyone know how to execute the runas command, auto input the admin password, and execute the .exe using java? Since I am just testing on my personal computer, and the admin has no password, simply finding out how to execute the runas command would be useful. I have tried some research, I have found examples, but I havent found anything telling me HOW it works so that I can edit it for my own needs. Below is the code of the blocked program and first line of the exception I am getting.
Code:
CODE
import java.io.IOException;
public class FileOpenTest
{
public static void main(String[] args) throws Exception
{
Process p = Runtime.getRuntime().exec("\"C:/Program Files/TOSHIBA/TOSHIBA Recovery Disc Creator/TRDCLcher.exe\"");
p.waitFor();
}
}
public class FileOpenTest
{
public static void main(String[] args) throws Exception
{
Process p = Runtime.getRuntime().exec("\"C:/Program Files/TOSHIBA/TOSHIBA Recovery Disc Creator/TRDCLcher.exe\"");
p.waitFor();
}
}
Exception:
CODE
Exception in thread "main" java.io.IOException: Cannot run program ""C:/Program": CreateProcess error=740, The requested operation requires elevation
I assume the elevation thingy is talking about admin protected. If not, please tell me what I should be doing to fix it. Also, if anyone notices anything else wrong, please tell me.
Cheers
I think you are going the wrong way about this. Instead of automatically obtaining the password, etc. you should only have to allow the user to be automatically assign to the admin group (sys process). You may be able to do this easier if the program is on a server and you are all accessing it from there.
QUOTE(NaRzY @ Oct 4 2009, 12:15 AM) 
I think you are going the wrong way about this. Instead of automatically obtaining the password, etc. you should only have to allow the user to be automatically assign to the admin group (sys process). You may be able to do this easier if the program is on a server and you are all accessing it from there.
I talked to my tech teacher about that way and I cannot remember exactly what he said, but it was something along the lines of:
1) assigning the user to admin group would have to happen on user login because of whatever way the system is set up and
2) he doesnt think it is practical because of the fact that there could be between 6 to 20 (random max) different people logging on to each computer each day.
The general feeling is that he thinks throwing the student accounts in the admin group for a very short period of time will be way too excessive and complex.
So I figured that if I managed to create a .jar file that would replace the desktop shortcut and would simply force the program to always run in Run-As-Administrator mode, that would be a "solution". Its clearly not a fix, but it would prevent the students from knowing the administrator password (because it would all effectively run in the background) and would serve as a bypass the block without really bypassing it. The only thing that I'm worried about is the school's virus protection program mistaking my bypass for Malware or something else bad (which is essentially what it is, but its not for deconstructive purposes).
I am beginning to believe ghosting it was where you went wrong. Let's just say, he picked up a bad/corrupt file, now all the machines would have it. It would be worth looking into and just checking nothing else has come of his ghosting of computers. This could be why you have permissions issues.
QUOTE(NaRzY @ Oct 21 2009, 01:33 PM)
I am beginning to believe ghosting it was where you went wrong. Let's just say, he picked up a bad/corrupt file, now all the machines would have it. It would be worth looking into and just checking nothing else has come of his ghosting of computers. This could be why you have permissions issues.
A problem with the operating system part of the ghost or with the program part of the ghost? Because we have done clean installations of RCT3, but I do not know if he has ruled out any problem with the operating system part of the ghost. I assume he has, but I can ask him when he gets back from his vacation.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.