August 11, 2004
MakeMeAdmin script
This is an interesting script. It has some room for error but I have an idea about how to avoid that.
Some fellow who seems to work for Microsoft in some capacity has written a batch script called MakeMeAdmin that uses runas in clever ways to make a program run as the user but with admin privileges. The advantages over simply running programs using a local admin account are the program will use the user's profile instead of the admin account's and the programs will have access to domain resources.
Here are the phases of the script:
1. Open a command prompt as a local administrator (user is prompted for this account's password)
2. Current user is added to the local Admin group
3. Open command prompt (or another specific program) as current user (user is prompted for their own password)
4. Current user is removed from the local Admin group
Changes to group membership don't affect existing logon sessions, only new ones, because a user's access token (including group SIDs) is built at logon. Therefore when runas is used in step 3 to start a program as the current user, it's a separate logon session and the Admin group membership takes effect. Step 4 can happen immediately because the user's removal from the Admin group won't affect the session opened in step 3.
It's a clever script and probably useful for admins and developers who are cautious with their own logins but I'm not sure it would be advisable to have regular users in an organization use it (not that the author is advocating such use). First, the fact that you have to enter two passwords when you run the script is a turn-off and a step back from an ordinary runas script. Second, there is a risk of the user's privilege elevation not being removed. If the script is exited before step 4, *every* subsequent login by that user on the computer will be as a local Admin. I'm not thinking about this being done intentionally (you're already trusting the user with a local admin password) but accidentally by closing the command prompt window before logging in with their own password.
The risk could be mitigated by a system scheduled task that would check the Admin group membership, say, once an hour and remove anyone who shouldn't be there permanently. Ooh, this could be incorporated into the script! After step 2 but before step 3, the script could create a one-time scheduled task to remove the user from the Admin group 5 minutes in the future. The user would then have to log in to the second runas with their own account within 5 minutes to get admin privileges. This would close the window of time in which someone could accidentally be left in the Admin group for an extended period.
Looking at the script, I think the thing to do would be to add a line like the following someplace before the 2nd runas:
soon.exe 300 net localgroup %_Group_% "%*" /DELETE
%_Group_% is a variable containing the name of the Administrators group and %* is the current user's name. Soon.exe is a Resource Kit program for scheduling tasks X number of seconds in the future. The problem with using soon.exe is it has to be in the path of the local admin user and since the local admin can't access domain resources, that means it has to be on the local drive. A nuisance but as long as you're installing this script on a computer, I guess you can install soon along with it. I'm sure there are other ways to schedule a task to run X minutes in the future that don't involve separate executables but I'll leave those as an exercise for the reader.
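Here is an added example, written for this page and not the MakeMeAdmin script itself, that runs steps 2 through 4 above from an already-elevated (local administrator) PowerShell session and builds in the timed removal proposed above. The parameter names, the five-minute window, and the use of the built-in task scheduler cmdlets in place of soon.exe are my assumptions, not anything from the original script. One caveat for anything newer than the 2004 target: on Windows Vista and later, UAC hands a fresh logon of an Administrators member a filtered (standard-user) token, so the program started in step 3 still has to elevate through UAC before it actually runs with admin rights.

```powershell
# Added example: inner phases of a MakeMeAdmin-style elevation with a watchdog.
# Run from a session that is already a local administrator (phase 1).
# Assumed parameters (not from the original script):
param(
    [string]$User    = "$env:USERDOMAIN\$env:USERNAME",  # account to elevate
    [string]$Group   = 'Administrators',                 # the post's %_Group_%
    [string]$Program = 'cmd.exe',                        # what to launch as the user
    [int]$Minutes    = 5                                 # watchdog window (assumption)
)

$taskName  = "MakeMeAdmin-cleanup-$($env:USERNAME)"
$removeCmd = "net localgroup `"$Group`" `"$User`" /DELETE"

# Phase 2: add the caller to the local Administrators group.
net localgroup $Group $User /ADD | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not add $User to $Group" }

# Safety net for the accidental-exit case: a one-shot task running as SYSTEM
# removes the membership $Minutes from now whether or not phase 4 ever runs.
# This replaces 'soon.exe 300 net localgroup ... /DELETE' with built-in cmdlets.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c $removeCmd"
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($Minutes)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

try {
    # Phase 3: a fresh logon as the user. The new process's token is built at
    # this logon, so it carries the Administrators SID even after phase 4
    # removes the membership. The user is prompted for their own password here.
    $cred = Get-Credential -UserName $User -Message "Password for $User"
    Start-Process -FilePath $Program -Credential $cred
}
finally {
    # Phase 4: remove the membership right away; the session started above
    # keeps its token. The watchdog task is cancelled only once this succeeds,
    # so an interrupted run still gets cleaned up by the task.
    net localgroup $Group $User /DELETE | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    }
}
```

If the window is closed or the credential prompt is cancelled before the finally block runs, the membership is still there, but only until the scheduled task fires; checking `net localgroup Administrators` a few minutes later is the quick way to confirm the cleanup happened.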
May 29, 2004
HOWTO - free copies from Canon copiers
As far as I'm concerned, my use of the copier is free-to-me but I want to see if this trick works on the models we have. The stuff about messing them up so badly a technician has to come fix it is not cool, though.
HOW TO: Obtain Free Copies and Do Other Fun Stuff to Copiers
December 13, 2003
My new office
We're finally adding someone to our department, they start Monday. The main office isn't big enough for all of us so I've moved into a private office nearby. I hope it will help me hunker down when working on projects but I don't like the feeling of being out of touch. The office has other drawbacks, which are explained in this little "photo essay", with comments.
November 11, 2003
What won't get you the job
We're looking to fill a new position so we are, yet again, trudging through resumes. I'm accustomed to tech geeks not being too strong wit de social skills or writing skills but I do find spelling and grammar errors in resumes and cover letters a bad sign. We don't automatically send them to the trash bin, in fact one of our better candidates had the most errors, but it can tip one into the "No" column. I thought this sentence from a recent cover letter was most unfortunate:
I am very hard worker and a stickler for details.
July 19, 2003
Why I'm not switching to Safari
It’s a little thing but I do it all the time in Mozilla. In Safari, I can’t load a URL by dragging it onto a tab. In Safari I have to either right-click then choose New Tab from the menu or command-click the link, which requires two hands. Then I still have to click on the tab to bring it to the front (there are keyboard commands for tab switching but they’re also two-handers - shift-command-right arrow and left arrow). When I’m done with the page, I have to close the tab because it’s not much good for anything else.
In Mozilla, I can drag a URL onto an existing tab or even drag to a blank part of the tab bar to create a new tab. Since I’m using the mouse for the action, the cursor is already in position to bring the tab to the front, if that's what I want. I don’t need to close the tab again because I can re-use it for a different URL.
Another important factor is I use Windows at work but OS X at home and having the same browser on both is helpful.
In general, Safari is a nice browser. It's fast, seems to render pages well, and I like the Bookmarks interface. I like that the "Block pop-up windows" option is right in the Safari menu and has a keyboard command. I always leave mine on but I can imagine people making use of that, possibly on a public computer. I also like being able to access the browser history from a menu in Safari. Mozilla makes you open a History window. Of course Mozilla lets you access your bookmarks from a menu while Safari makes you open a window so they're reversed on that point. I've never used SnapBack so I guess it doesn't mean much to me. The Aqua styled web form elements are nice but you still can't use the keyboard to operate them.
May 05, 2003
Radmind reaches 1.0
From MacInTouch:
Released after an extended beta-testing period, Radmind 1.0 is a suite of Unix command-line tools and a server designed to remotely administer the file systems of multiple Unix machines. It can detect changes to any managed filesystem object (files, directories, links, etc.) and can optionally reverse the change. For Mac OS X, Radmind Assistant provides a graphical interface to the command-line tools. Radmind is free for Mac OS X, Linux, FreeBSD, OpenBSD, and Solaris.
April 24, 2003
Disconnect USB Audio, crash your App
It doesn't affect only USB audio devices but also FireWire. Their solution is to quit the app before disconnecting the device. Seems pretty lame, I hope they fix that in a patch before releasing 10.3. We have a bunch of Macs which we want to switch to OS X this Summer but we'll be going with 10.2 because that's what we already own.
That reminds me, this year, we need to make sure our Mac orders are placed late enough to definitely get 10.3 included.
April 19, 2003
FileMaker->MySQL migrator
Not that we don't love our FileMaker databases but at some point we might need the FmPro Migrator. Someone on MacSlash had an interesting idea. They might use FileMaker as a database prototyping system then use the migrator to move everything to MySQL when it becomes a production system.
A demo is available but I'm not sure what the demo's capabilities are. The migrator can also handle FileMaker-to-Oracle but I don't think we'll be using Oracle databases anytime soon.
March 28, 2003
Lookup NetBIOS names from OS X
This falls under so many categories. MacOSXHints has this story, An AppleScript to look up NetBIOS names, but Real Men use the Terminal. Here's the command line bit that does the real work:
nmblookup -T -U <WINS server IP> -R <NetBIOS name>
Here's an example for work and its output:
cwcx% nmblookup -T -U 128.151.209.155 -R esmdc
querying esmdc on 128.151.209.155
esmdc.esm.rochester.edu, 128.151.209.155 esmdc<00>
In this case I used the WINS server to look up the WINS server's NetBIOS name.
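For the Windows side of the house, here is an added example (mine, not nmblookup or the MacOSXHints script) that does the same unicast NetBIOS Name Service query nmblookup -U <server> -R <name> sends, and the -T style reverse lookup of each returned address, from PowerShell with no Samba installed. The function names, the default <00> name suffix (chosen to match the esmdc<00> output above) and the timeout are my assumptions.

```powershell
# Added example: raw NetBIOS Name Service (UDP/137) name query, the protocol
# exchange behind 'nmblookup -U <WINS> -R <name>'. Not nmblookup's own code.
# Assumptions: function names, default suffix 0x00, 2 s timeout.

function ConvertTo-NbtEncodedName {
    # RFC 1001 "first-level" encoding: uppercase, pad/truncate to 15 chars,
    # append the suffix byte, then write each nibble of each byte as 'A'+nibble.
    param([string]$Name, [byte]$Suffix = 0x00)
    $padded = $Name.ToUpper().PadRight(15).Substring(0, 15)
    $raw = [System.Text.Encoding]::ASCII.GetBytes($padded) + $Suffix
    $out = foreach ($b in $raw) { [byte](0x41 + ($b -shr 4)); [byte](0x41 + ($b -band 0x0F)) }
    return [byte[]]$out
}

function New-NbtNameQuery {
    param([string]$Name, [byte]$Suffix = 0x00, [uint16]$TransactionId = 0x1234)
    $hdr = [byte[]]@(
        ($TransactionId -shr 8), ($TransactionId -band 0xFF),
        0x01, 0x00,                          # flags: QUERY, recursion desired (-R); no B bit since unicast (-U)
        0x00, 0x01,                          # QDCOUNT = 1
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    )
    $question = [byte[]]@(0x20) + (ConvertTo-NbtEncodedName $Name $Suffix) +
                [byte[]]@(0x00, 0x00, 0x20, 0x00, 0x01)   # label end, QTYPE NB (0x20), QCLASS IN
    return [byte[]]($hdr + $question)
}

function Read-NbtNameResponse {
    # Returns the IPv4 addresses in the first answer record. Accepts either a
    # repeated 34-byte name or a 2-byte compression pointer in the answer.
    param([byte[]]$Packet, [uint16]$ExpectedId = 0x1234)
    if ($Packet.Length -lt 12) { throw 'short packet' }
    $id = ($Packet[0] -shl 8) -bor $Packet[1]
    if ($id -ne $ExpectedId) { throw "transaction id mismatch: $id" }   # reject stray/spoofed replies
    $flags = ($Packet[2] -shl 8) -bor $Packet[3]
    if (($flags -band 0x8000) -eq 0) { throw 'not a response' }
    if (($flags -band 0x000F) -ne 0) { throw "name error, rcode $($flags -band 0xF)" }
    $anCount = ($Packet[6] -shl 8) -bor $Packet[7]
    if ($anCount -lt 1) { throw 'no answer records' }
    $pos = 12
    if (($Packet[$pos] -band 0xC0) -eq 0xC0) { $pos += 2 }              # compression pointer
    else { while ($Packet[$pos] -ne 0) { $pos += 1 + $Packet[$pos] }; $pos++ }
    $pos += 8                                                            # TYPE, CLASS, TTL
    $rdLen = ($Packet[$pos] -shl 8) -bor $Packet[$pos + 1]
    $pos += 2
    $addrs = for ($i = 0; $i + 6 -le $rdLen; $i += 6) {                 # entries: NB_FLAGS(2) + IP(4)
        $o = $pos + $i + 2
        '{0}.{1}.{2}.{3}' -f $Packet[$o], $Packet[$o + 1], $Packet[$o + 2], $Packet[$o + 3]
    }
    return @($addrs)
}

function Resolve-NbtName {
    param([string]$Name, [string]$WinsServer, [byte]$Suffix = 0x00, [int]$TimeoutMs = 2000)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $query = New-NbtNameQuery -Name $Name -Suffix $Suffix
        [void]$udp.Send($query, $query.Length, $WinsServer, 137)
        $from  = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $reply = $udp.Receive([ref]$from)
    }
    finally { $udp.Close() }
    foreach ($ip in Read-NbtNameResponse $reply) {
        try { $dns = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $dns = '?' }   # the -T step
        [pscustomobject]@{ Name = "$Name<$('{0:x2}' -f $Suffix)>"; Address = $ip; DnsName = $dns }
    }
}

# Same lookup as the nmblookup run above:
# Resolve-NbtName -Name esmdc -WinsServer 128.151.209.155
```

Pass -Suffix 0x20 to ask for the Server service name instead of the workstation name, and expect a "name error" exception rather than an address when the WINS server has no record for the name.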