Actionscript - run as domain user

Does anyone have any experience/suggestions how commands/scripts in an actionscript can be called as an AD domain account? The system account the BigFix client runs as does not have domain permissions. Running the command as a Scheduled Task in Windows is not ideal. And what about securing the password of the domain account? How can that be passed into the fixlet but not be in cleartext in the stored parameters, .fxf files, and BESClient log files?

It seems like some of the challenges would have been resolved by the Windows Local User Management fixlets that are available in the BigFix Labs site.

There’s no way to run as a specific user but you can make the action only relevant if the current user is a domain user and run as that user.

The system account has whatever permissions on your network you grant it.

If you add the computer object in Active Directory into a group and grant that group access to something – BigFix and the system account will also have access.

Just keep in mind the security implications of allowing computer objects to make changes on your network/domain. All it takes for an admin user to impersonate the system account is “psexec -i -s cmd.exe”

I’m not exactly certain, but I think with PSExec and similar tools you can run something as a particular user with the user name and password.

You can use secure parameters to send the password securely to the client and it won’t show up in the FXF file or in the logs.

Yes, you could probably do that, but it’s always a concern to send passwords even though they may be encrypted.

If the user is logged on of course we don’t need the password.

In my case, the user will not be logged on. I’ll investigate running with PSExec, but I think there needs to be an official capability built into the platform.

There is a capability built in to run as the current user, and there is a built in way to send a password to an endpoint securely. I feel that a template for the actionscript and/or some examples would be sufficient.