Rem: Running a Script with Alternate Credentials

Do you have a scripting-related question or problem? You can send your question or problem to [email protected].

I'm new to VBScript, and I'm curious as to whether I can, within a script, specify alternate credentials so that the script can run with elevated credentials. For example, suppose I want to add a domain group to a local group on some workstations, and a Domain User starts the script. Can you provide any insight into how I can specify Administrator credentials? I know I can use the Microsoft Script Encoder to encrypt the script to avoid exposing the Administrator password.

Depending on the type of script you're creating, you can generally specify alternate credentials. For example, you can use the OpenDSObject method to specify alternate credentials in an Active Directory Service Interfaces (ADSI) script, as Listing 1 shows. You can also use the ConnectServer method to specify alternate credentials in a Windows Management Instrumentation (WMI) script, as Listing 2, page 6, shows. Callout A in Listing 1 demonstrates how to use the OpenDSObject method, whereas callout A in Listing 2 demonstrates how to use the ConnectServer method.

To use the script in Listing 1, you must change the strUserDN and strPassword variables' values to values appropriate for your domain. You must also change the OpenDSObject method's first parameter to your domain's distinguished name (DN).

To use the script in Listing 2, you must change the strComputer, strUser, and strPassword variables' values to values that are appropriate for connecting to a remote computer on your network. You can't specify alternate credentials when connecting to the local computer in a WMI script. If your situation dictates running a WMI script locally with elevated credentials, you must employ another solution, such as runas.exe, Scheduled Tasks, or a Group Policy—based startup script run under the built-in LocalSystem account.

Finally, bear in mind that the Script Encoder doesn't encrypt scripts. It simply encodes the script to protect the script's source from casual observers. Thus, someone might be able to crack the encoding algorithm and gain access to the script's source code.