none
SCCM 2012 OSD - Application Installation using local administrator account instead of SYSTEM account

    Question

  • I sometimes have problems to install applications using the default SYSTEM credentials that SCCM OSD uses. In my tests I have seen that the vendor supplied installation package does in fact support an unattended installation and it works perfectly when installed using a typical user that has membership in the Administrators group. However some packages will not install properly using the SYSTEM account for whatever reason. Granted I could argue and attempt to push the vendor to deal with the shortcoming OR repackage the application completely but I have situations where either of these solutions require large amounts of effort. We aren’t talking about your typical software packages with a single MSI file that just needs a transform or slight modification; this is more like a huge suite of products that takes 30 minutes to install.

    I do prefer to keep these software packages as Applications in SCCM rather than Packages because of the extra features that come along with it.

    I would like to consider doing something like a “RUN AS” during my SCCM OSD task sequence. If I create a local user, add the user to the local Administrators group then I could maybe do something like:

    “PsExec.exe –accepteula –u AdminUser –p AdminPassword C:\Temp\AppToInstall\Setup.exe /commandlineswitch1 /commandlineswitch2”

    My thought process is that this would allow the application to install under an administrators credentials, just not the SYSTEM account DURING the OSD deployment process.

    I understand that this is not ideal but it may be a compromise that some administrators would be willing to live with on specific situations.

    Has anyone attempted to have an SCCM application install during a task sequence while running under an account other than SYSTEM? If so how did you achieve it? Would love to hear comments and input from the community about how this might be achievable AND/OR how the problem about software not installing under the SYSTEM credentials has been solved.

    Thanks in advance for any help!!

    Thursday, February 06, 2014 3:20 AM

Answers

  • Hi,

    I normally use the "Run Command Line" step instead as you have the option to run the command line using a user account. Then I use a domain service account which can be added to the local administrators group using a step before like "net localgroup administrators contoso\user1 /add "

    Then you don't have any usernames/passwords stored in clear text in the SCCM log files as well.

    It have used this in many scenarios, it works great.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    • Proposed as answer by dekac99 Thursday, February 06, 2014 7:58 AM
    • Marked as answer by Joyce LModerator Monday, February 17, 2014 8:29 AM
    Thursday, February 06, 2014 7:19 AM

All replies

  • Hi,

    I normally use the "Run Command Line" step instead as you have the option to run the command line using a user account. Then I use a domain service account which can be added to the local administrators group using a step before like "net localgroup administrators contoso\user1 /add "

    Then you don't have any usernames/passwords stored in clear text in the SCCM log files as well.

    It have used this in many scenarios, it works great.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    • Proposed as answer by dekac99 Thursday, February 06, 2014 7:58 AM
    • Marked as answer by Joyce LModerator Monday, February 17, 2014 8:29 AM
    Thursday, February 06, 2014 7:19 AM
  • gotcha on the creation of the domain user and adding it to the local administrators group .... do you find any functional difference between a temporary local user and a domain service account for this purpose? my thought was that I would create a local user, install the software, then delete the user.

    I have considered going this direction but this would require using Packages instead of Applications. It also means I couldnt deploy a single software package using the normal "Deploy" functionality in SCCM because the installation would depend on a command line task sequence step. 

    I really would like to know if anyone has been able to get a "RUNAS" functionality working in a script installer for a SCCM Application?

    Thursday, February 06, 2014 2:59 PM
  • Hello!

    I've made this with psexec and a prerequisite. I created a post on this site here:

    http://www.bewi.at/?p=1173

    Maybe it is usefull for you. I've tested it and in my environment it works.


    Monday, September 22, 2014 12:37 PM