Mark Minasi's Tech Forum
spam spam bacon spam

New Friend (or an Old Friend who Built a New Account)
Posts: 24
#1
I have been catching some work as a local per diem contractor for a large computer company. 
The clients I get sent to are ones that have leased their systems.  These clients are usually medium to large companies and the work I do is centered around moving users from legacy to new devices.   Each client's work is unique; I may have to literally rebuild highly customized bar code printer configurations for one client and do nothing except a simple, routine data move for another client. 

For some clients, I have a "computer company tech" account, plus local and domain admin accounts I can use.

For other clients, I get NOTHING except two sticks, a piece of string and a bottle of whiskey. Oh.  Wait.  Wrong story.  Well, for some clients, I don't even get a tech account.  I get nuttin'.  AKA "the shaft."

Recently, I've been sent out to several local branches of a VERY large company.  For this client, I have been given the.... uhhh.... the nuttin'.  And as luck would have it, they have some Cisco (damn them!) software for both VPN access and security that gets tangled up with the data transfer software.  Basically, the data transfer software sets a static IP on both machines, which are connected directly with a patch cable.  (It does a bunch of other stuff too, but that involves the full bottle of Whiskey and 3 bendy straws, which is part of that whole 'nother story...)

When the Cisco software gets tangled up, it prevents the two machines from seeing each other. 
The transfer software is supposed to kill these processes, but on a handful of machines, it doesn't.  
The Cisco software doesn't fully load (if it does, I can disable it from the tray), but it gets far enough along that it manages to run as a process in the background. 

I end up needing to call someone to come kill whatever processes I point to 😉
I wait f.o.r.e.v.e.r sometimes.  

So I was wondering if there was some way to create a local admin account that just has the ability to end processes.  And I can't say what account has started these processes, but logged in as a user I can see them, so am I correct in thinking these are user account processes and not something else, like SYSTEM?  (Win 8.1)  I should've looked, but didn't think of it...I can be such a doo-mass 😉

So, if it is possible to create an account with such narrow rights, would it be able to kill any process or just certain ones?  

So now I'll tell you 'bout the Whiskey and the stra.... nahhhhh...  I need to put a few more monthly calendar pages between me and that bottle of Whiskey before anything gets admitted... the statute of limitations isn't up yet. (hahahahaha)


~spammy

__________________
If at first you don't succeed, destroy all evidence that you tried.

Donato

New Friend (or an Old Friend who Built a New Account)
Posts: 47
#2
What about the taskkill command from an elevated command prompt?
spam spam bacon spam

New Friend (or an Old Friend who Built a New Account)
Posts: 24
#3

Quote:
Originally Posted by Donato
What about the taskkill command from an elevated command prompt?


Yes, I could use that, but since it needs elevation, I'm screwed.  The problem (which I should have been more explicit about - my bad :/ ) is, this large client doesn't allow "us" (the computer company techs) to have admin rights.  They have this stance not because of a breach / failure, but because they just bought back all their branch locations which had previously been franchises and this is just a part of their efforts to consolidate controls previously handled at the branch level.

There's a definite willingness to consider allowing admin access to us, but I don't think I'd have a snowball's chance in hell of getting them to agree to giving us a standard local admin account.  I'd start out asking for an account with most basic rights included, but I can't negotiate until I know what the minimum rights are that I could accept.    

Also, it's not like this is a two week project.  This is a "laddered" project.  The project is 3 years long; each year, an avg of 57,000 computers are swapped out, worldwide.  Once the 3 years are up, the project is re-bid and begins all over again.  I have direct access to the 2 project managers at the computer company who oversee the entire project, globally.  They directly negotiate with the client how the project will be executed and what the techs will need at each site.  

(It's not a "pinnacle of your career" type of job, but it is an absolute blast.  You can be flown anywhere, finding yourself in crazy cool places and get to work with some awesome people - long enough to build lasting friendships but still short enough that you never learn what their bad points are 😉)
   

~spammmmmmm

__________________
If at first you don't succeed, destroy all evidence that you tried.

cj_berlin

Senior Member
Posts: 300
#4
Well, as long as those PCs are domain members, there's always PowerShell JEA which does exactly this: takes a non-admin and restricts which Cmdlets she can invoke, which parameters of those Cmdlets she can specify and even the values the parameters may be assigned by this particular user. THEN, if the user enters a valid Cmdlet with a valid set of parameters and values, this Cmdlet gets run under a (real or virtual) ADMIN account the person calling the Cmdlet has no knowledge about.

The problem with JEA is, it is complex and not easy to manage. But there are of course ways to automate this.

If LOCAL admin is sufficient to achieve the task at hand, a simple Group Policy can make any AD account local admin on a member machine.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
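
The JEA approach from post #4, sketched as an added example that is not part of the original thread and is not cj_berlin's own code: a role capability that exposes only Stop-Process for a fixed list of process names, run under a virtual admin account. The module name, the AD group CONTOSO\MigrationTechs and the two process names are hypothetical placeholders, and the sketch assumes PowerShell 5.x with PowerShell remoting (WinRM) enabled on the workstation.

```powershell
# Run once, elevated, on the workstation (or push it out by script).
# Every name marked "hypothetical" is a placeholder, not a value from this thread.
$module  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JEAProcessKill'   # hypothetical
$roleDir = Join-Path $module 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $module 'JEAProcessKill.psm1') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'JEAProcessKill.psd1') -RootModule 'JEAProcessKill.psm1'

# Role capability: only Stop-Process is visible, -Name is limited to the
# listed values (hypothetical process names), and -Force is the only other
# parameter allowed. Any other cmdlet, parameter or value is rejected.
$role = @{
    Path           = Join-Path $roleDir 'ProcessKiller.psrc'
    VisibleCmdlets = @{
        Name       = 'Stop-Process'
        Parameters = @{ Name = 'Name'; ValidateSet = 'ExampleVpnAgent', 'ExampleVpnUi' },
                     @{ Name = 'Force' }
    }
}
New-PSRoleCapabilityFile @role

# Session configuration: members of the (hypothetical) group get the role;
# commands run as a temporary virtual account that is a local admin, so the
# caller never holds admin credentials. Every session is transcribed.
$dataDir     = Join-Path $env:ProgramData 'JEAProcessKill'
$transcripts = Join-Path $dataDir 'Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$session = @{
    Path                = Join-Path $dataDir 'JEAProcessKill.pssc'
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $transcripts
    RoleDefinitions     = @{ 'CONTOSO\MigrationTechs' = @{ RoleCapabilities = 'ProcessKiller' } }
}
New-PSSessionConfigurationFile @session
Register-PSSessionConfiguration -Name 'JEAProcessKill' -Path $session.Path -Force

# As the non-admin tech, from a normal (unelevated) PowerShell prompt:
#   Invoke-Command -ComputerName localhost -ConfigurationName JEAProcessKill `
#       -ScriptBlock { Stop-Process -Name ExampleVpnAgent -Force }
```

Because the endpoint accepts only the process names in the ValidateSet, the client can review exactly what the tech account is able to stop, and the transcript directory gives them a record of each use.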
spam spam bacon spam

New Friend (or an Old Friend who Built a New Account)
Posts: 24
#5
Quote:
Originally Posted by Donato
What about the taskkill command from an elevated command prompt?


D, you rock!

Originally, I was looking to find a way to kill processes interfering with my work.

However, just today, I heard enough chatter to figure out that on the old machines, the technical staff had the ability to open task manager and kill an unresponsive app, but that they lost this ability in the move to new machines.  

Their main app (basically the sole reason some of these people have this specific laptop) has been locking up, sometimes several times a day.  (This awesome feature, locking up, also getting introduced with "le' hardware la' new.") 

Without the ability to kill the process from task manager, they were resorting to rebooting the machine. 

So I thought about this while I ate, and using your original idea, came up with:

taskkill /f /fi "status eq not responding"

I showed it to Mark, the IT guy at the site, and he and his co-worker jumped on it. 

Logged in as one of the technicians on that technician's new laptop, Mark added that as a shortcut on the desktop.  He opened the offending app, and caused it to hang by clicking on that button.  You know, that button you avoid like the plague but somehow before your brain can say "shiiiiiiiiiiiiiiiiiit!!!!", your finger has pressed the left mouse button - the cursor being 1 pixel too far over (although you think not, and demand a full investigation be held to adjudicate your ability to operate a freekin' mouse) and you end up clicking on that button instead of the next one over which is what you meant to click... and once you see that change in button shadow which indicates a mouse click event has transpired, you feel the life drain out of you as you realize this is not just a nightmare and that yes, you fcking clicked that @#$%ing button, yes, the app hung, no, it's never going to recover, yeah sure, task manager will open fer ya', but the wait time will be measured in months and no, you didn't save all that other crap you were working on...

So with the offending window refusing any keyboard or mouse foreplay, Mark clicked on the shortcut.
A cmd window flashed and immediately, the offending window closed.

They ran out and did some more tests, and deemed the temporary solution "WooooooooHoooooooooo!!!!!!!!!!!"  So thanks to you, I got a pat on the back (well, actually some high-fives) and... well, no, not a raise or a parade or anything, but I'll take high fives any day!!

So high five to you!
[wink]


~spazzster

__________________
If at first you don't succeed, destroy all evidence that you tried.

Donato

New Friend (or an Old Friend who Built a New Account)
Posts: 47
#6
I'm glad that it worked. Thanks for the high five.