UAC and running NETLOGON script/app with elevated permission

  • Question

  • First, I apologize if this is in the wrong forum.

    So here's our problem. We are a 150+ company with only 3 members on our IT crew. We have a mix of Vista and Win7 in our environment with UAC enabled. The only issue we're having with this is that we occasionally push out packages during log on that require admin rights. I'm wondering if there is a way to run an installer (both MSI and EXE) or applications with elevated permissions so that we do not need to go desk to desk / state to state. Whether it be purchased, scripted or programmed, we're looking for some kind of solution.

    Any help or suggestions are always appreciated.

    Friday, January 29, 2010 2:14 AM

All replies

  • The easy answer is to deploy the applications and run scripts under the computer configuration > "start up scripts" (or software installation) in a group policy object.
    Sunday, January 31, 2010 7:27 PM
  • Thanks Andreas for the suggestion. I'll give this a shot tomorrow morning.

    Monday, February 1, 2010 6:19 AM
  • How did it go? Do you have any further questions?
    Thursday, February 4, 2010 9:40 AM
  • Andreas,

    Unfortunately no. At least I haven't gotten it to work. Basically what I have set up for the test is a folder under Netlogon, and in that folder I have my application that requires admin rights to run. I haven't been able to get the Startup/Login scripts to run the app without the UAC prompt.

    Tuesday, February 9, 2010 11:11 PM
  • What runs in the startup script is run as SYSTEM, before it is even possible to log in, and should therefore not even be able to give you a UAC prompt. This will, on the other hand, be the case if you put the installation in the user part of the GPO, i.e. under software installation in User Configuration or in the login section.

    Also, there is no need for the installation files to be located under NETLOGON; you can place the installation files anywhere as long as they are reachable via UNC (\\server\share\application\setup.exe for instance).

    Can you give exactly what you place in the script?
    Thursday, February 11, 2010 8:40 AM
  • Just want to verify. Startup as in GPO\Computer Configuration\Policies\Windows Settings Scripts (Startup/Shutdown) ?
    Monday, February 15, 2010 11:42 PM
  • Just want to verify. Startup as in GPO\Computer Configuration\Policies\Windows Settings Scripts (Startup/Shutdown) ?

    Yes, that is correct!
    Tuesday, February 23, 2010 7:41 AM
  • Hi,
    I'm experiencing a similar issue. I'm trying to run an executable on Windows 7 from a GPO startup script and it won't run (while I checked it is available). When running it while logged in as an administrator, UAC prompts me if I want to allow the program to run, and after that, it runs just fine...

    Here's what I've been doing:

    I created a computer policy (Group Policy Object > Computer Settings) with a Startup script called "netsetup.bat", as described above. The netsetup.bat looks as follows:

    rem Start a fresh log, then record whether the product folder and the installer share are present
    echo %date% > C:\Temp\Netsetup.log
    if exist "C:\Program Files\Progress Software Corporation" echo %time% "C:\Program Files\Progress Software Corporation" already exists >> C:\Temp\Netsetup.log
    if not exist "C:\Program Files\Progress Software Corporation" echo %time% "C:\Program Files\Progress Software Corporation" doesn't exist >> C:\Temp\Netsetup.log
    if exist "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" echo %time%  "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" is available >> C:\Temp\Netsetup.log
    if not exist "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" echo %time% "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" is not available >> C:\Temp\Netsetup.log
    rem Run the silent install only when the product folder is missing
    echo %time% Starting "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" -psclogC:\Temp -s >> C:\Temp\Netsetup.log
    if not exist "C:\Program Files\Progress Software Corporation" "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" -psclogC:\Temp -s
    echo %time% Finished >> C:\Temp\Netsetup.log

    Setup.exe is a Macrovision Corporation installer for OpenEdge 10.1C Shared Network Installation software from Progress (PSC). It has an outdated certificate (by Thawte Code Signing CA), if that matters at all? (Valid from 10-2-2006 to 21-2-2008.)

    When I start the computer and log in afterwards (as an administrator), the file C:\Temp\Netsetup.log looks like this:

    wo 24-02-2010
    18:41:03,16 "C:\Program Files\Progress Software Corporation" doesn't exist
    18:41:03,67  "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" is available
    18:41:04,18 Starting "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" -psclogC:\Temp -s
    18:41:08,44 Finished

    However, the program (Progress) is not installed.
    When I run the same batch file (netsetup.bat) manually (as an administrator), I get prompted by UAC (User Account Control) and after confirmation the program installs just fine! UAC is set to Default (Notify me only when programs try to make changes to my computer; don't notify when I make changes to Windows settings).

    Not sure if this should help, but I tried adding the certificate to the Trusted Publishers certificate store (and even to the Trusted Root Certificate Authorities certificate store for testing) through the same computer settings GPO. But I did not see any change.

    Thanks in advance,

    Wednesday, February 24, 2010 6:05 PM
  • As r.w. stated, it doesn't look like the application runs. However, I do notice that in the Task Manager I do see an instance of the application running.

    I went ahead and created a new PowerShell script to run an Adobe 7 update. Something basic and simple, but it requires admin rights (for testing). I only have one line of code in the script:

    [System.Diagnostics.Process]::Start("\\FileShare01\applications$\Adobe Standard\Adobe Updates\AcroStdUpd710_all.exe");

    This script is being launched from the Startup Scripts in my GPO. Now while logged in as a standard user I don't see the installer, but it is listed in the process list. Same thing if I run while logged in as myself (Domain Admin). So it does "run" under SYSTEM, there's just no desktop interaction.
    Thursday, February 25, 2010 5:02 PM
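
Added example, not part of any post in this thread: a computer startup-script wrapper that logs the account it runs as, the installer's exit code, and whether the installer hung, which are the facts the logs posted above do not capture. The installer path, arguments, marker folder and log file are the ones quoted in r.w.'s post; the function name, the 30-minute timeout and the exit codes are assumptions.

```powershell
# Added example; not code from the thread. Intended to run as a GPO computer
# startup script, i.e. under NT AUTHORITY\SYSTEM with no interactive desktop.
$Installer      = '\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe'  # from the post
$InstallerArgs  = '-psclogC:\Temp -s'                                           # from the post
$Marker         = 'C:\Program Files\Progress Software Corporation'              # from the post
$Log            = 'C:\Temp\Netsetup.log'                                        # C:\Temp must exist
$TimeoutMinutes = 30                                                            # assumption

function Write-Log([string]$Message) {
    # Append a timestamped line to the log file
    "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message | Add-Content -Path $Log
}

# Record the identity so the log proves which context the script ran in
Write-Log ("Running as {0}" -f [Security.Principal.WindowsIdentity]::GetCurrent().Name)

if (Test-Path -LiteralPath $Marker) {
    Write-Log "Marker folder exists, nothing to do"
    exit 0
}
if (-not (Test-Path -LiteralPath $Installer)) {
    # At startup the share is accessed with the computer account, not a user account
    Write-Log "Installer not reachable: $Installer"
    exit 1
}

$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName        = $Installer
$psi.Arguments       = $InstallerArgs
$psi.UseShellExecute = $false    # direct CreateProcess: no elevation prompt is ever raised

try {
    $proc = [System.Diagnostics.Process]::Start($psi)
} catch {
    Write-Log "Failed to start installer: $($_.Exception.Message)"
    exit 2
}

# Wait for the installer instead of fire-and-forget, so a hang becomes visible
if (-not $proc.WaitForExit($TimeoutMinutes * 60 * 1000)) {
    Write-Log "Installer still running after $TimeoutMinutes min; it may be waiting on a window nobody can see. Terminating it."
    $proc.Kill()
    exit 3
}

Write-Log "Installer exited with code $($proc.ExitCode)"
if (-not (Test-Path -LiteralPath $Marker)) {
    Write-Log "Installer returned but the marker folder is still missing"
}
exit $proc.ExitCode
```
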
  • Did you ever get an answer to this? I have the exact same issue right now.
    Wednesday, April 20, 2011 6:06 PM