9

I am trying to change a password with active directory using cfexecute. The only code on my page is this (username and the new password are filled in):

```cfm
<cfexecute
name="c:\windows\system32\cmd.exe"
arguments="NET USER username password /domain"
outputfile="C:\Users\administrator\Desktop\test.txt"
timeout="90">
</cfexecute>
```

When I tried running this code through Dreamweaver on my PC, the tab in my browser just kept spinning even after 5 min... I closed the tab, went to the server, logged in, and the text.txt was there, empty. But I am unable to delete it because it says coldfusion.exe is using it???? Also, it did not change the user's password.

So then I opened up the command line on my PC and ran `NET USER username password /domain`. It gave me "System error 5 has occurred. Access is denied."

So then I went on to the server, logged in as an administrator, ran `NET USER username password /domain`, and it worked.

How do I tell cfexecute to run as that administrator when it runs so that it works properly?

I looked up the docs of cfexecute and it is not like cfldap where you can choose a username and password.

Any help with this would be greatly appreciated!

Edit

Also checked log files in admin and it stated this:

Error occurred: coldfusion.tagext.lang.ExecuteTag$TimeoutException: Timeout period expired without completion of c:\windows\system32\cmd.exe

(It can't run that simple command within a 90 second timeout? But runs instantly when I run it in the command line?) Is there something wrong with using cfexecute?

EDIT: Is it possible to add a user it always runs as to change the password, like so?

"/c net user /user:domain\Administrator <admin-pwd> username password /domain"
James A Mohler
David Brierton
  • There are two issues here: a) timeout and b) possible permissions issues. The initial timeout is because cmd.exe is still running (check the Task Manager). You need to add `/c` to the arguments so it runs the command and terminates cmd.exe. Try this simple test, and print out the two variables: result and errorMessage: `` – Leigh Feb 14 '17 at 22:15
  • If it works, try it with `net use`. I do not remember off the top of my head if `net use` will work using the default CF account or requires elevated permissions. – Leigh Feb 14 '17 at 22:17
  • @Leigh the screen is just all white and there was nothing in the log files on admin – David Brierton Feb 14 '17 at 22:20
  • (Edit) Not sure if you saw this part: *Try this simple test, and print out the two variables: `result` and `errorMessage`*. ie You need to output the variables containing the results to find out what happened. If the simple test worked, the `result` variable should contain the word "Success" and `errorMessage` should be empty, ie no error. – Leigh Feb 14 '17 at 22:27
  • like write a try and catch with it? – David Brierton Feb 14 '17 at 23:51
  • No, just cfoutput or cfdump those two variables on screen after the cfexecute. ie `Result = #result#` . – Leigh Feb 15 '17 at 00:00
  • @Leigh when i run it it said this `Result = Success ErrorMessage = ` – David Brierton Feb 15 '17 at 02:27
  • Good. That means it worked. Now try it again, but with the `net use` command instead of `arguments="/c echo Success"`. If it is a permissions problem, `ErrorMessage` will probably contain "System error 5 has occurred,..." – Leigh Feb 15 '17 at 02:35
  • @Leigh So I tried `/c net user /domain` and it worked, but when I try `/c net user /domain` I get this error: `ErrorMessage = System error 5 has occurred. Access is denied.` – David Brierton Feb 15 '17 at 02:36
  • If I open up the command prompt as the administrator on that server and run that command, it works though. How do I make sure this code runs as that user? – David Brierton Feb 15 '17 at 02:38
  • What permissions does it actually require? If you do not know, check the windows docs. The CF windows service usually runs under a limited account like "System" by default. If that is insufficient, you may need to change it, but **never run CF under the Administrator account**. That is a major security risk. – Leigh Feb 15 '17 at 03:12
  • Do you mean it would be a data source in the CFadmin? Is that the username and password that tells the application to run as that user? I've only ever set up MSSQL data sources. Is this the section that I would need to set up this project to run under one of those administrator accounts? So that this code can access it through that certain user under the data source I create? – David Brierton Feb 15 '17 at 03:20
  • No relation to datasources. CF runs as a [windows service](http://www.howtogeek.com/school/using-windows-admin-tools-like-a-pro/lesson8/), which "Logs on" (or runs) under the security of a specific account like "Local System". – Leigh Feb 15 '17 at 03:23
  • I am confused. How do I know what user this code is being run under? If I run the net user command as myself on my PC in the command line, I get that error. But if I log in as the domain admin on the server where the code runs and run that line in the command prompt, it works. So how do I allow this code to run as an administrator? How do I choose the user this code runs as? Or am I just completely lost? :( – David Brierton Feb 15 '17 at 03:33
  • I am super confused because I don't understand what user this code is being run under. If this code is located on that server, the only user I can think it's going through is that of the CFAdmin settings (CFIDE or whatever people call it). – David Brierton Feb 15 '17 at 03:36
  • When you run cfexecute, it runs under the context of whatever user the CF *service* is logged in under. Go to control panel > windows services, and find the main ColdFusion service. Check the "Log on" tab (see images in link above). Whatever is listed ("System", etc...) is the "user" your commands are running under. I am heading out. Night! – Leigh Feb 15 '17 at 03:39
  • On the log on page it just has the radio button chosen for Local System account – David Brierton Feb 15 '17 at 13:25
  • Like I said above, that is the "user" account CF is running under. Find out what permissions `net use` requires. If "Local System" lacks those permissions, change the "Log on As" user to one that does have the necessary permissions (**not** Administrator obviously). There is not much else I can tell you. You just have to dig in and read the MS documentation to answer those basic questions. – Leigh Feb 15 '17 at 15:57
  • @Leigh sorry if I am being a pain. I was just curious if there is a way to change the user in my code. Like setting that user in my code and maybe even setting it back after the execute runs. Just don't know if other programs are using the specific user for anything and don't want to break other people's programs. – David Brierton Feb 15 '17 at 16:06
  • Sorry if what I am asking doesn't make any sense :( – David Brierton Feb 15 '17 at 16:06
  • You are not being a pain, I just was not sure if my comments were making sense to you. Also, I honestly do not remember all of the specifics of `net use` with cfexecute, and cannot test it at the moment. So I would have to look it up in the docs, same as I suggested to you :-) Based on the errors, and what little I remember, I *think* it does require more permissions than "Local System" has, and I do not believe that can be changed via code, but ... again I am not certain about that. You would have to check the docs. – Leigh Feb 15 '17 at 16:59
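
The comments above come down to two checks: pass `/c` so cmd.exe exits, and find out which Windows account the ColdFusion service (and therefore cfexecute) runs as. The page below does both from CFML; it is an added example, not code from the thread. It reuses the `result` and `errorMessage` names from the comments, the other variable names are chosen here, and it assumes `whoami` is available on the server.

```cfm
<!--- Added example: report the Windows account that cfexecute commands run as.
      Both commands are fixed literals; no request input reaches the command line. --->
<cfset cmdExe = "c:\windows\system32\cmd.exe">
<cfset result = "">
<cfset errorMessage = "">
<cfset groups = "">
<cfset groupsError = "">

<cftry>
    <!--- /c makes cmd.exe run the command and exit instead of staying open until the timeout. --->
    <cfexecute name="#cmdExe#" arguments="/c whoami"
               variable="result" errorVariable="errorMessage" timeout="15">
    </cfexecute>
    <!--- Group list of the same account, used below to spot administrative rights. --->
    <cfexecute name="#cmdExe#" arguments="/c whoami /groups"
               variable="groups" errorVariable="groupsError" timeout="15">
    </cfexecute>
    <cfcatch type="any">
        <!--- A timeout or launch failure is thrown as an exception; show it like any other error. --->
        <cfset errorMessage = cfcatch.message>
    </cfcatch>
</cftry>

<cfset account = lCase(trim(result))>
<!--- S-1-5-32-544 is the well-known SID of BUILTIN\Administrators (independent of Windows language). --->
<cfset isHighPrivilege = (account eq "nt authority\system")
                         or (findNoCase("S-1-5-32-544", groups) gt 0)>

<cfoutput>
<p>Result = #encodeForHTML(account)#</p>
<p>ErrorMessage = #encodeForHTML(trim(errorMessage & " " & groupsError))#</p>
<cfif isHighPrivilege>
    <p>This account has administrative rights on the server, and every cfexecute call inherits them.</p>
<cfelseif len(account)>
    <p>cfexecute commands run as this account; grant it only the rights the task needs.</p>
</cfif>
</cfoutput>
```

With the service set to "Local System account", as reported in the comments, `Result` shows `nt authority\system`.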

1 Answer

6

ColdFusion is only able to access the domain and user account that is used by the ColdFusion service.

If you want to authenticate a username/domain against local system or Windows domain using any version of ColdFusion, consider using the CFX_EXEC tag.

http://adiabata.com/cfx_exec.cfm

```cfm
<CFX_EXEC
    CMD="NET USER username password /domain"
    USER="Administrator"
    PWD="pass"
    DOMAIN="domain"
    FILE="C:\Users\administrator\Desktop\test.txt">
```
James Moberg
  • so this will run the cmd prompt as the user? – David Brierton Feb 16 '17 at 14:26
  • Yes, it is a commercial tag. Any tag that starts with "CFX_", rather than "CF", is not a core tag. – Leigh Feb 16 '17 at 18:15
  • Yes. CFX_EXEC will run the cmd prompt using a user's system credentials. It "starts external processes using the same algorithm, as Windows itself" and it can further interact with the desktop. You don't need to generate & save BAT files either. Additionally it won't leave "zombie" processes that consume resources of your system due to a timeout (unlike CFExecute). – James Moberg Feb 16 '17 at 19:35
  • What do you have against zombies James? – Leigh Feb 16 '17 at 22:18
  • Heh. :) I took that from the module homepage. I've logged into ColdFusion servers before, opened Task Manager and have encountered multiple orphaned tasks abandoned/forgotten by CFExecute. The server's performance was impeded as a result until we killed all of the previously spawned/executed tasks. (This doesn't happen w/CFX_EXEC.) NOTE: Adiabata also offers CFX_HTTP5 which I believe is superior to CFHTTP and works consistently across all versions of CF regardless of third-party SSL type. – James Moberg Feb 17 '17 at 15:02
  • Yes, though adding `/c` usually avoids a lot of the "help, I have created an army of zombie processes!" issues ;-) .. cfexecute definitely has its limitations. Sounds like CFX_EXEC is the way to go. Especially since it supports more granular application of permissions. (Running everything in CF under Administrator just for this functionality would be a very bad idea ...) – Leigh Feb 17 '17 at 21:24