Re: Install program from logonscript - what credentials do I use?
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 28 Mar 2008 11:24:49 -0500
"Johan" <Johan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:018D5BDD-79B5-4390-9A83-F750A707E6A3@xxxxxxxxxxxxxxxx
Thanks Richard, very useful information for me.
Do you know anyway to have a vbs run with "Administrator doing Run as" ?
I am not allowed to apply gpo's, I can only administer our logonscripts
and
I guess
that's my only chance to have this folder created on many pc's.
I see another problem. Even if I would manage to get the folder created
and
file copied to Program Files as Administrator, it would be necessary that
the user logging on is member of Administrators.
Otherwise it's not just the rightclick-elevate that must be done via
script.
One would also have to supply username\password since the user isn't
Admin,
right?
As you indicate, one solution would be to use alternate credentials, where
you specify the admin username and password in the script. However, this
exposes the admin password and is not recommended. Also, it might not work
on Vista for reasons given below.
Another alternative might be to use a third party tool like psexec from
SysInternals. This allows you to install the application yourself remotely.
The application must install silently with no user interaction and no GUI.
However, it might have the same issue on Vista clients, where someone must
acknowledge permission to add a folder to Program Files, even though you
have supplied Administrator credentials. This is a feature of UAC (User
Access Control).
In fact, I have an example VBScript program that deploys executables to
remote computers linked here:
http://www.rlmueller.net/Deploy.htm
This program copies the executable (an *.exe, *.vbs, or even *.bat) to the
remote computer, runs it, waits for it to finish, then deletes it. You just
must be a member of the "Domain Admins" group, which by default is a member
of the local Administrators group on all computers joined to the domain. I
have tested this on all clients (that have WMI) except Vista. I suspect you
could run any executable on Vista except one that requires acknowledging the
prompt from UAC. You get this prompt when you attempt to modify anything in
"Program Files".
I suspect there is no way to get my program to circumvent the UAC (short of
disabling it, which is not recommended). If there were, it would be a major
security problem. Anyone with the Administrator password could do nasty harm
with my program, or a tool like psexec.
Assuming I am correct, the only solution is Group Policy. You may need to
post a question in a Vista newsgroup dealing with the technical issues of
installing applications in a network.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
.
- References:
- Install program from logonscript - what credentials do I use?
- From: Johan
- Re: Install program from logonscript - what credentials do I use?
- From: Pegasus \(MVP\)
- Re: Install program from logonscript - what credentials do I use?
- From: Johan
- Re: Install program from logonscript - what credentials do I use?
- From: Richard Mueller [MVP]
- Re: Install program from logonscript - what credentials do I use?
- From: Johan
- Install program from logonscript - what credentials do I use?
- Prev by Date: Retrieving the DNS Suffix Search Order
- Next by Date: File Server Sessions
- Previous by thread: Re: Install program from logonscript - what credentials do I use?
- Next by thread: Mass changing security groups to distribution groups
- Index(es):
Relevant Pages
|
