How do I have an exe in a logon script run as a different user (either a domain admin or even the local system account)

  • Question

  • So, I'm having some problems getting a logon script to work.  I need a way to deploy the agent that we use via login/startup scripts and what I have works fine if the user has admin rights, or if UAC is disabled.  I've tried to convert the .exe to an .msi to make it easier, but the .msi never works and it's only distributed as an .exe.  We deploy this to different clients, I can't disable UAC in their environment unless they specifically tell us to.  Can anyone think of a way around this?  I've been searching for days and I'm just lost.  If we could execute the file as the system account, or connect to shares using a startup script instead of logon, that would be perfect.  Basically what it does is check to see if the process for the agent is running (agentmon.exe) so we don't attempt to install it if it is already installed, if it's not, then it calls on a different agent installer depending on the IP address of the system (for clients that have more than one location).  Here's what I've got written that works for me in my test environment:

    Const strAgent1 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup1.exe"
    Const strAgent2 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup2.exe"
    Const strAgent3 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup3.exe"
    Const strFolder = "C:\Temp\"
    Const Overwrite = True
    Dim objFSO, objNIC1, arrNIC, strIP, strMask, objShell, objWMIService
    Dim proc, WshNetwork, i   ' i is never assigned, so IPAddress(i)/IPSubnet(i) read element 0

    'Checks for Kaseya agent process, AgentMon.exe, exits if running
    Set objWMIService = GetObject ("winmgmts:")
    Set proc = objWMIService.ExecQuery("select * from Win32_Process Where Name='agentmon.exe'")
    If proc.count > 0 Then
        WScript.Quit
    End If


    'Instantiate a NIC configuration object
    Set objNIC1 = GetObject("winmgmts:").InstancesOf("Win32_NetworkAdapterConfiguration")


    'Instantiate a shell object
    Set objShell = CreateObject("wscript.shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")

    'Create Temp Dir if it doesn't exist
    If Not objFSO.FolderExists(strFolder) Then
        objFSO.CreateFolder strFolder
    End If

    For Each arrNIC in objNIC1
        if arrNIC.IPEnabled then
            StrIP = arrNIC.IPAddress(i)
            strMask = arrNIC.IPSubnet(i)
            Set WshNetwork = WScript.CreateObject("WScript.Network")
        end if
    next

    Function NetworkID(Address, Mask)
        Dim AddressOctets, MaskOctets, Result, N
        AddressOctets = Split(Address, ".")
        MaskOctets = Split(Mask, ".")
        ReDim Result(UBound(AddressOctets))
        For N = 0 To UBound(AddressOctets)
            Result(N) = AddressOctets(N) And MaskOctets(N)
        Next
        NetworkID = Join(Result, ".")
    End Function


    Select Case NetworkID(strIP,strMask)
        Case "192.168.0.0"
        ' Kaseya install commands for 192.168.0.0 subnet
        objFSO.CopyFile strAgent1, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup1.exe"
                   
        Case "192.168.1.0"
        ' Kaseya install commands for 192.168.1.0 subnet
        objFSO.CopyFile strAgent2, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup2.exe"
                    
        Case "192.168.2.0"
        ' Kaseya install commands for 192.168.2.0 subnet
        objFSO.CopyFile strAgent3, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup3.exe"
        
        Case Else
        ' Some sort of error checking. Maybe a BLAT SMTP command to send an email
    End Select

    Set objWMIService = Nothing
    Set objNIC1 = Nothing
    Set objShell = Nothing
    Set WshNetwork = Nothing
    Wscript.quit

    Friday, July 18, 2014 9:35 PM

Answers

  • The answer is not to try to use a logon script to do this, because a logon script runs as the user that's logging on.

    You cannot bypass the UAC prompt, and this is by design.

    You will need to use some other means of installing your package.


    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by Bill_Stewart Wednesday, August 6, 2014 10:03 PM
    • Marked as answer by Bill_Stewart Thursday, August 28, 2014 6:41 PM
    Friday, July 18, 2014 10:09 PM

All replies

  • You are trying to reinvent the wheel without a 10,000 BC engineering degree.

    It is insane to try and deploy software through login scripts.  It can only be made to work by breaking everything in sight.

    You can run some installs as a part of a startup script.  It is best to create an MSI and use Software distribution.

    If you are installing agents then use the agent push method.  It is the accepted way to install.

    Of course you have failed to even say what it is you are installing or if you have asked the vendor for instructions on how to install the agent.

    It would help if you posted your issues to the vendor's forum.  There is no way in scripting to get around the issue you have.  This is by design.

    http://help.kaseya.com/webhelp/en/vsa/6010000/index.htm?toc.htm?491.htm

    http://community.kaseya.com/xsp/f/default.aspx


    ¯\_(ツ)_/¯

    Friday, July 18, 2014 10:12 PM
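
The startup-script route mentioned in the reply above, as an added example (not code from the thread or from Kaseya): a computer startup script runs as Local System and reads SYSVOL with the computer account. The share path, staging folder and hashes are placeholders, and it assumes the package installs unattended.

```powershell
# Computer startup script (Machine\Scripts\Startup in the GPO): runs as Local System
# under Windows PowerShell 4.0+, so there is no UAC prompt to get past.
$Share = '\\<domain>\SysVol\<domain>\Policies\<GPO-GUID>\Machine\Scripts\Startup'  # placeholder
$Stage = Join-Path $env:ProgramFiles 'AgentStage'   # hypothetical folder; standard users cannot write here
$Packages = @{   # network ID -> package; hashes are placeholders recorded when each package is built
    '192.168.0.0' = @{ File = 'Test-KcsSetup1.exe'; Sha256 = '<SHA-256 of Test-KcsSetup1.exe>' }
    '192.168.1.0' = @{ File = 'Test-KcsSetup2.exe'; Sha256 = '<SHA-256 of Test-KcsSetup2.exe>' }
    '192.168.2.0' = @{ File = 'Test-KcsSetup3.exe'; Sha256 = '<SHA-256 of Test-KcsSetup3.exe>' }
}

function Get-NetworkId([string]$Address, [string]$Mask) {
    # AND each address octet with the matching mask octet, as NetworkID() in the question does
    $a = $Address.Split('.'); $m = $Mask.Split('.')
    (0..3 | ForEach-Object { [int]$a[$_] -band [int]$m[$_] }) -join '.'
}

# Nothing to do if the agent process is already running
if (Get-Process -Name agentmon -ErrorAction SilentlyContinue) { return }

# First IP-enabled adapter whose primary address is IPv4
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    Where-Object { $_.IPAddress[0] -match '^\d+(\.\d+){3}$' } | Select-Object -First 1
if (-not $nic) { return }
$ip = $nic.IPAddress[0]; $mask = $nic.IPSubnet[0]
$pkg = $Packages[(Get-NetworkId $ip $mask)]
if (-not $pkg) { return }   # unknown subnet: install nothing

# Stage locally, because the installer is reported to fail when run from the network path
New-Item -ItemType Directory -Path $Stage -Force | Out-Null
$local = Join-Path $Stage $pkg.File
Copy-Item -Path (Join-Path $Share $pkg.File) -Destination $local -Force

# Run only the exact bytes that were approved; SYSTEM must never execute an unverified file
if ((Get-FileHash -Path $local -Algorithm SHA256).Hash -ne $pkg.Sha256) {
    Remove-Item -Path $local -Force
    return
}
Start-Process -FilePath $local -Wait
```

Startup scripts can run before the network is up; the "Always wait for the network at computer startup and logon" policy setting addresses that.
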
  • Trust me when I say this, even their tech support is useless.  We've had it working before, when we could run the installer straight from the path in sysvol, but with version 6.5 that we currently have it doesn't work correctly that way anymore.  There's a temporary .dat file that is generated which in some environments cannot be found when the installer is run from the network.  There's no reliable, automated way to get it to install on the amount of networks that are being managed.  The built-in method of Group Policy installation creates a GPO for each and every system on the network and the discovery method doesn't seem to work either.  Looks like I'm back to the drawing board trying to get it repackaged as an MSI and making it a mandatory application...
    Saturday, July 19, 2014 2:28 AM
  • Trust me!  You need to learn how Group Policy works.  It does not work the way you say it does.

    You cannot solve an issue that is a result of a vendor's system by just begging for a script.  There is no scripting adjustment to do what you are asking.

    I recommend hiring a trained and certified consultant who is trained in Windows technologies to help you sort this out.

    Some software is not compatible with Windows domains.  It is designed for other environments.  In the case of this software I suspect it is just that you don't want to pay the vendor for support.

    We cannot support third party installations.  This is a scripting forum and not a vendor help desk.  Please post your issues in the vendor forum I posted the link to.  They will be glad to help you.  Look into their agent push documentation.


    ¯\_(ツ)_/¯

    Saturday, July 19, 2014 2:41 AM
  • By the way - repackaging as an MSI is the easy way to do it.  Just extract the MSI from the EXE and set it using a GPO Software distribution policy.


    ¯\_(ツ)_/¯

    Saturday, July 19, 2014 2:43 AM
  • You need to read the documentation carefully:

    The Deploy Agents install package is created using a Configure Automatic Account Creation wizard. The wizard copies agent settings from an existing machine ID or machine ID template and generates an install package called KcsSetup. All settings and pending agent procedures from the machine ID you copy from—except the machine ID, group ID, and organization ID—are applied to every new machine ID created with the package.

    Including Credentials in Agent Install Packages

    If necessary, an agent install package can be created that includes an administrator credential to access a customer network. Credentials are only necessary if users are installing packages on machines and do not have administrator access to their network. The administrator credential is encrypted, never available in clear text form, and bound to the install package.


    ¯\_(ツ)_/¯

    Saturday, July 19, 2014 2:45 AM
  • I would add that this is not a support forum for Kaseya's software.

    You will not be able to bypass the UAC prompt to install software from a logon script.


    -- Bill Stewart [Bill_Stewart]

    Saturday, July 19, 2014 4:03 AM