Post #133,133
1/1/04 10:30:25 AM
|
Re: NET SEND to all except a few systems?
You want to push the output from 'NET USERS /DOMAIN' into a FOR loop controlling NET SEND
FOR /F "skip=4" %i in ('net users /domain') do if not "%i"=="serverlogonaccountname" net send %i Messagetext
qts
|
Post #133,137
1/1/04 11:47:06 AM
|
ROFL
After not having to deal with a braindead cmd prompt for a while, you can't imagine how stupid and crippled that looks. What a joke of an OS.
-drl
|
Post #133,138
1/1/04 11:50:45 AM
|
It inspires me
to write a GUI version that is easier to use. One that has a way of polling what users/systems are out there and allowing the user to select only the ones to send the message to. It would take investigation of the API calls used, or shelling out to the NET.EXE program multiple times.
While I could make money off of that, I was thinking of making it open sourced and making it so that anyone could download it and use it.
Unless, of course, someone already wrote one.
"Lady I only speak two languages, English and Bad English!" - Corbin Dallas "The Fifth Element"
|
Post #133,139
1/1/04 12:07:10 PM
1/1/04 12:11:51 PM
|
Re: It inspires me
Windows has no real user context so you can forget about it. After all these years Windows is every bit as stupid as it was in the beginning. It got rich by a combination of crime and luck and so it has expensive, tawdry clothes, but it still wears a crooked dimestore toupee and wanders around pretending no one knows.
Every day I have to shovel the shit that Windows begat off my doorstep before I can read my email. And why are all the jobs vanishing to India? Because for every real systems guy out there, a hundred, five hundred punk-ass X-er Windows jackoffs are sucking the life out of IT as a respectable profession. So when the cheap fuck managers who ordered this type of world decide to get shed of some deadwood, they throw out the good logs out with the wormy ones.
Thanks Billy, and thanks to all the Windows assholes who made him possible.
-drl
Edited by deSitter
Jan. 1, 2004, 12:11:51 PM EST
|
Post #133,152
1/1/04 3:23:51 PM
|
On this we agree
too many "Nick Burns your company's computer guy" making the rest of us look bad. Too many people getting into IT for the money, rather than the love of it. I keep hearing radio commercials "Get Microsoft certified and make over $60K a year" and every snot nosed kid with an attitude problem signs up for that course and then makes the rest of us look bad. Then you got the code monkeys, people who write code very fast and very sloppy, skills learned from fast food joints. Management expects everyone else to code as fast as these code monkeys, so the end result is poor quality programs that crash the system at random times. Makes us look bad, so they send the jobs overseas.
"Lady I only speak two languages, English and Bad English!" - Corbin Dallas "The Fifth Element"
|
Post #133,305
1/2/04 6:38:33 PM
|
Windows has no user context?
I am not sure what you mean by "user context", but surely Windows has a more developed system of user right management than any default installation of Linux.
--
"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"
-- James Lileks
|
Post #133,313
1/2/04 7:53:05 PM
|
process-level user context
A login is not a user. In principle, the Windows idea of a "user" hasn't changed since LAN Manager.
-drl
|
Post #133,341
1/2/04 10:22:02 PM
|
I am still at a loss as to what you mean
--
"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"
-- James Lileks
|
Post #133,348
1/2/04 11:36:02 PM
|
A login is a profile
on a Windows machine, which can have custom settings, policies, and other things. It has to log into a server part to become a user, except for peer to peer networking where it is treated as a virtual user. Each profile has a password assigned to it, no password is just a blank password on Windows 9X/ME and on those machines one can simply hit "Cancel" to log in on the default profile on the login box. The server password may be different than the profile password. There are ways around policies in 9X/ME, like removing the group policies program, or tweaking the registry to no longer load it. This makes Windows security a joke.
"Lady I only speak two languages, English and Bad English!" - Corbin Dallas "The Fifth Element"
|
Post #133,352
1/3/04 12:02:12 AM
|
Re: I am still at a loss as to what you mean
The user features of Windows systems are pasted onto the kernel. The UNIX kernel itself understands how to assign privileges to processes based on user context. Try googling "Windows process accounting" - you won't find many hits.
I guess the best way to say it - all Windows processes are on the same level inside the "Windows NT Executive", with no concept of ownership, while UNIX processes are always in a parent-child relationship. UNIX uses user and group IDs to maintain process access and hierarchy, while Windows uses "access tokens" and there is no process hierarchy. When a process in Windows creates another process, it donates its access token to the new process. Every process has to maintain its own table of associated processes.
-drl
|
Post #133,395
1/3/04 4:05:28 PM
|
You're much mistaken
WRT Windows NT and XP.
Every object in the kernel has ownership and access privileges. You can restrict access to things like mutexes, processes, threads, files, file handles, directories, pipes - anything at all. The user management and privileges are completely customizable, you can create your own secured objects with their own privileges, although the APIs are obscure, obtuse and rarely used.
I certainly do agree with you about Win 95 family - there, security is limited to a network share and completely useless.
--
"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"
-- James Lileks
|
Post #133,408
1/3/04 5:09:19 PM
|
Can you be logged in as two people at once?
With the two people having different access levels?
Without paying for an additional product like Windows Terminal Server that is.
This capability is central to how *nix works. You always have processes around who are logged in as different users with different privileges. You can even have many GUIs running.
Cheers, Ben
"good ideas and bad code build communities, the other three combinations do not" - [link|http://archives.real-time.com/pipermail/cocoon-devel/2000-October/003023.html|Stefano Mazzocchi]
|
Post #133,409
1/3/04 5:13:05 PM
|
Not log in, no.
But you can have multiple processes running under different user permissions at the same time.
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #133,418
1/3/04 7:33:08 PM
|
I'll tuck that away in case I ever need it
"good ideas and bad code build communities, the other three combinations do not" - [link|http://archives.real-time.com/pipermail/cocoon-devel/2000-October/003023.html|Stefano Mazzocchi]
|
Post #133,428
1/3/04 8:10:23 PM
|
Yes you can and it is a weak security system
that allows it. If you can run CMD.EXE in the NT/2K/XP/2003 schedule program, it will be run as Admin access. Any program you open from that CLI will get run with Admin access including NET.EXE, horror of horrors!
Users can bypass the program install block by installing certain software to their Documents directory which has write access. A real secure system wouldn't even let them run the install program. Some programs check for Admin rights before installing, but some like OOo do not. It is up to the install program to check for access rights before installing.
If the user has access to the Notepad or Wordpad, they can give themselves access to almost anything. Usually by "Viewing Source" in IE, they get a Notepad program, even if their policies and rights disable it. All they do is clear out the HTML source and write in a batch file and save it somewhere writable, like their start menu or documents folder. Then click on it. Create a command to add CMD.EXE to the scheduler, and they can get Admin access or whatever the system runs those programs as.
Also IIS and other programs run as certain users and have a certain level of access that the logged in user may not have. So an ASP web page can be used to write to a file or database, when the user cannot, via IIS.
"Lady I only speak two languages, English and Bad English!" - Corbin Dallas "The Fifth Element"
|
Post #133,451
1/3/04 11:54:08 PM
|
Re: Yes you can and it is a weak security system
If you can run CMD.EXE in the NT/2K/XP/2003 schedule program, it will be run as Admin access. Wrong. The CMD.EXE process will be run as the user that started it, and security will work accordingly.
Peter [link|http://www.debian.org|Shill For Hire] [link|http://www.kuro5hin.org|There is no K5 Cabal] [link|http://guildenstern.dyndns.org|Blog]
|
Post #133,510
1/4/04 12:10:45 PM
|
Certainly
Telnet Server is available
Terminal Server comes bundled with XP
Every service runs on an account different from the currently logged on user: either a special "system" account, or whatever the administrator chose.
Any process can start a subprocess as different user. API has full support for it, even though shell has none.
In any case, "paying for additional products" reflects price structure and marketing, not technology.
--
"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"
-- James Lileks
|
Post #133,517
1/4/04 12:57:05 PM
|
Re: Certainly
Exactly - Terminal server is an add-on to the base operating system, because the latter is not really a multi-user OS. Only one user in base NT has a "desktop" context. In order to have many desktops you have to change the OS in such a way that large parts of it are replicated for every user. And this is just the login context.
-drl
|
Post #133,576
1/4/04 8:35:49 PM
|
You keep hearing yourself, not me
NT can have an arbitrary number of desktops, only one of them normally visible on a given console. All services run on an invisible desktop (I am not aware of any way to make that one visible). Terminal server gives you the ability to make invisible desktops visible. Another way to get an alternative desktop, I believe (I may be wrong here) is to hit ctrl-alt-del. The visual you see is actually a different desktop.
Also, you don't have to have a desktop to run a process, hence telnet server.
--
"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"
-- James Lileks
|
Post #133,435
1/3/04 9:28:42 PM
|
Re: You're much mistaken
As I said, this is done with the glommed-on idea of access tokens - it's not a hierarchy of processes as in UNIX. I don't consider the former to be multi-user, and neither do OS theorists.
-drl
|
Post #133,511
1/4/04 12:14:02 PM
|
What does hierarchy of processes have to do with it?
And, btw, you can emulate hierarchy with process groups. Not nice, but possible.
--
"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"
-- James Lileks
|
Post #133,516
1/4/04 12:54:51 PM
|
Re: What does hierarchy of processes have to do with it?
Because it guarantees that a process will have a determinate user context. As you know, there are floating "NT_AUTHORITY" and "SYSTEM" contexts in NT that are only there so legacy code can run. Plus, there is no simple way to isolate everything executing in a given context in NT - you have to slog through all the processes and get their access tokens. NT was deliberately not built with a determinate user context so that legacy code would run.
Eric Raymond wrote a FAQ about UNIX programming, I think he talks about it in there. He points out that because of all the compromises related to legacy code, NT became practically impossible to make secure. The boundaries are "too porous" as he put it. In a real multi-user system, the user context is always known and determinate.
To give a practical example, suppose I want to immediately remove a user from a UNIX system. I remove his login, find his top-level processes and terminate them, and he's gone. In NT, you make a change to the user database, this has to propagate everywhere, his processes still run until they quit. Because there is no determinate user context, he fades away.
-drl
|
Post #133,578
1/4/04 8:42:31 PM
|
I am not sure what NT_AUTHORITY is
But System is a very definite context. It has all rights of Administrator account on a local machine and no rights on the network. It has no user name/password associated with it, so users cannot log in on it.
Legacy is indeed a major problem for Windows, but it's mostly in GUI and SMB code. Avoid both, and you should be OK.
On a single NT or Unix machine, you remove the user the same way: disable login and terminate processes. It's immaterial whether you have to kill all processes or "top-level" processes: in practice, in Unix and NT you keep killing till there is nothing to kill. And yes, NT knows who started the processes.
On multi-machine installations, such as NIS or NT Domain, you disable the user in the central database and it may or may not have to propagate. Apples to apples, please.
--
"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"
-- James Lileks
|
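An added example, not part of any post in this thread: the two UNIX removal strategies argued over above ("find his top-level processes" versus "keep killing till there is nothing to kill") compared on a constructed process table. The table, the UIDs and the function names are hypothetical; on a live host the same columns come from `ps -eo pid=,ppid=,uid=,comm=`.

```shell
#!/bin/sh
# Constructed sample process table: PID PPID UID COMMAND (not from a real host).
sample_table() {
cat <<'EOF'
1 0 0 init
400 1 0 sshd
410 400 1001 sshd
411 410 1001 bash
420 411 1001 vim
430 411 0 sudo
500 1 1001 backup.sh
600 1 1002 cron-job
EOF
}

# UID sweep: every process owned by the UID, wherever it sits in the tree.
pids_by_uid() {
    sample_table | awk -v u="$1" '
        $3 == u { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# Top-level processes: owned by the UID, parent owned by someone else.
# A job reparented to init (PID 500) counts as its own top-level process.
top_level_by_uid() {
    sample_table | awk -v u="$1" '
        { uid[$1] = $3; ppid[$1] = $2; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (uid[p] == u && uid[ppid[p]] != u) { printf "%s%s", sep, p; sep = " " }
            }
            print ""
        }'
}

# Processes under a different UID that descend from one of the user processes
# (here a sudo child of the shell): the UID sweep alone does not list these.
other_uid_descendants() {
    sample_table | awk -v u="$1" '
        { uid[$1] = $3; ppid[$1] = $2; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (uid[p] == u) continue
                # Walk up the ancestor chain looking for a process owned by u.
                for (a = ppid[p]; a != "" && a != 0; a = ppid[a])
                    if (uid[a] == u) { printf "%s%s", sep, p; sep = " "; break }
            }
            print ""
        }'
}

echo "UID sweep for 1001:         $(pids_by_uid 1001)"
echo "top-level for 1001:         $(top_level_by_uid 1001)"
echo "other-UID descendants:      $(other_uid_descendants 1001)"
```

On this table the sweep finds the reparented job that has no login session above it, while only the tree walk finds the root-owned child, so a complete removal needs both views.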
Post #133,620
1/5/04 1:55:07 AM
|
Except:
But System is a very definite context. It has all rights of Administrator account on a local machine and no rights on the network. It has no user name/password associated with it, so users cannot log in on it. That's not the same thing as saying users can't execute code under its authority. Just run a service as System.
I was one of the original authors of VB, and *I* wouldn't use VB for a text processing program. :-) Michael Geary, on comp.lang.python
|
Post #133,630
1/5/04 7:18:30 AM
|
Right you are
--
"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"
-- James Lileks
|
Post #133,631
1/5/04 7:20:06 AM
|
Bottom line
If you can start a service, you can start it as System.
Peter [link|http://www.debian.org|Shill For Hire] [link|http://www.kuro5hin.org|There is no K5 Cabal] [link|http://guildenstern.dyndns.org|Blog]
|
Post #133,141
1/1/04 12:31:49 PM
|
Careful there . .
. . if you use Microsoft programming tools the ULA specifically forbids creating open source products.
[link|http://www.aaxnet.com|AAx]
|
Post #133,144
1/1/04 1:53:29 PM
|
Does it really?
I thought that they forbid open source products with any of a series of licenses that they dislike (including the GPL), but had no objection to, say, the BSD license.
Cheers, Ben
"good ideas and bad code build communities, the other three combinations do not" - [link|http://archives.real-time.com/pipermail/cocoon-devel/2000-October/003023.html|Stefano Mazzocchi]
|
Post #133,147
1/1/04 2:23:54 PM
|
I don't remember all the details . . .
. . but I'm pretty certain they won't allow distribution of anything that includes their libraries if you haven't paid for the development product. That would place redistribution encumbrances on the source code which would be non-compliant with the BSD license and pretty much any other open source license.
[link|http://www.aaxnet.com|AAx]
|
Post #133,149
1/1/04 2:48:58 PM
|
The licenses are more forgiving than you think
There is nothing stopping me from writing source-code and distributing the source under a BSD license, no matter what the copyrighted material that the compiled source has to pull in.
Microsoft can choose whether to let me distribute the binary under a BSD license, but the source is OK. (And if I have bought licenses to their development environment for production use, their license normally allows me to compile things for redistribution. After all that is what I was purchasing it for.) Anyone who has not purchased the Microsoft libraries won't be able to compile it, but the BSD license insists on nothing like that. Heck, even the GPL would be fine with linking with some of their proprietary libraries if it falls under the OS exemption.
This is well-trodden ground. Open source people have worked in proprietary environments for decades and have a well-understood set of compromises to follow.
But the issue was far worse. As I recall, if you agreed to their user agreement, then you couldn't do something as simple as use their editor to edit a piece of existing GPLed C code which you were then going to compile on another platform. Likewise while you could compile anything that you wanted and sell it to your neighbour, you couldn't download a GPLed program, compile it, and then give it to your neighbour.
I'm not sure of the current status of that mess, but I think that they backed away. (Even if they didn't, I don't care, I no longer use Windows for anything.)
Cheers, Ben
"good ideas and bad code build communities, the other three combinations do not" - [link|http://archives.real-time.com/pipermail/cocoon-devel/2000-October/003023.html|Stefano Mazzocchi]
|
Post #133,153
1/1/04 3:27:39 PM
|
Really interesting issue
please let me know what you guys find out about it.
I've seen open sourced code that was written to compile under Visual C++ like the GiFT file sharer. I haven't been able to get it to compile, and the VC++ documentation is missing on how to do that, but people on their forum claim they have compiled with VC++ and VC++.Net to get the program to work.
I figure if an open sourced program can be written to use VC++, it also can be made to use VB as well. Unless these guys are violating the ULA that Microsoft has.
I can now see why some open sourced projects actually charge money for Windows ports of the programs.
Thanks.
"Lady I only speak two languages, English and Bad English!" - Corbin Dallas "The Fifth Element"
|
Post #133,145
1/1/04 2:07:29 PM
|
Bah! I'll make it freeware then.
Unless Microsoft has a EULA condition against that as well?
"Lady I only speak two languages, English and Bad English!" - Corbin Dallas "The Fifth Element"
|
Post #133,255
1/2/04 12:36:33 PM
|
that's what I did
drop down box with "SEND ALL" as well as each individual system, a text box for the message and a button for SEND.
I've also filtered out the server names as it got annoying having to click thru all the messages on them.
Darrell Spice, Jr. [link|http://www.spiceware.org/cgi-bin/spa.pl?album=./Artistic%20Overpass|Artistic Overpass]
[link|http://www.spiceware.org/|SpiceWare] - We don't do Windows, it's too much of a chore
|