Installing MSI file using script and admin rights?

Posted on 2011-10-31
Last Modified: 2013-11-13
I have a .MSI file available on shared folder accessible by all, assume it's: \\Share\A\File.msi

I wanna install this MSI package on many machines, all in one OU in Active Directory. I want to build a script for that, however I'm not able to supply an admin user name and password. Yes, the file is accessible, but installation is not allowed for the user, that's why I wanna give the script admin rights.

What will the complete script be?

Question by:it-infra

    Accepted Solution

    Have you tried using group policy to do it?  You can either roll it out to computers or users, sounds like computers for you:

    Is pretty easy to put in place like that and installs as the computer automatically on next startup not the user so admin rights aren't an issue then.

    Here is MS's take on how to do it, can elaborate if needed, not necessarily the best guide!

    You'd need the bit:
    Create a Group Policy Object
    and Assign a Package

    You may need to amend share permissions or ntfs permissions on the files but give it a go....


    Author Comment

    I tried computer policies, software settings, assigned applications with no luck; software won't be installed on the machines due to restriction, I guess. How to force admin rights when installing?

    I'm not familiar with VB scripts, what would I need among these commands?

    msiexec -i \\ShareFolder\File.msi ALLUSERS=1
    I tried this one, it didn't help.

    Expert Comment

    by:Steve Knight
    cyborgd's suggestion involved setting the elevated privileges registry key, can be a bit of a security hazard.

    The group policy issue should install fine if, as suggested, allocated to the computers.  Check the event log for why it didn't work, as this is a nice, really powerful facility.  It may just be your share/NTFS permissions on the share and possibly setting it as a null session share (is this still needed, hmm?).  Try temporarily putting the install set in the netlogon share on a DC.


    Author Comment


    Forget about my question, I'm running psexec now and it's fine; however, I'm using computer names in a text file. It's working:
    psexec @computers7.txt -c -f -s -d -u domain\user -p password \\server\folder\file.bat

    However, I'm looking to work on subnets (VLAN); how shall I change my command there? I found many ways but couldn't get any one running!

    Expert Comment

    by:Steve Knight
    Good, though did you not try the options we all gave?!

    I'm confused now - what are you asking re: working on subnets exactly?  Is this related or should it be a new question if not perhaps... you can always make it a "related question" and then the people already here will be notified.

    If you are saying you want different subnets to get different apps, or from different servers easiest method is to use AD to do it using dfs for storing the files to get the nearest server to them, or assigning applications based on site in AD.

    Other than that mind reading not working very well today.


    Assisted Solution

    First, dragon-it is right about pretty much any solution other than GPO's, including what I will show you here with a VBScript solution - they are certainly not secure.  I rely on a couple of things to maintain some separation between users with limited permissions and elevated permissions.

    1. I use a hidden share (I know it's not a lot, but at least as far as my users are concerned, it doesn't exist.)
    2. I use an account that is only a local admin for the purposes of installing or managing the workstations.

    If you don't know how to create a hidden share, you create them the same way as any other, but you add a "$" at the end of the share name.  That makes it hidden.  I also use a folder that users can't get to other than through the hidden share, meaning the hidden share is not part of a tree of folders that they have access to otherwise.  And I set read-write permissions on this folder for users.  And I use these kinds of folders almost exclusively for reporting or gathering of information, such as semaphore files or results from scripts.  In this case, you can place the VBScript example shown below in a folder under a hidden share and run it from the login script, or manually if necessary.

    Call the VBScript using the hidden share path with a command such as:

    wscript "\\TheServerName\TheHiddenShare$\TheVBScriptFile.vbs"


    The script to run the MSI with elevated permissions relies on CPAU.  You'll see in the script below that CPAU is referenced from some common location, which itself does not need to be secured.  The script below has comments in it to explain what is going on.  You really only need the one CPAU line, but this is how I create these types of scripts to be flexible enough to reuse or expand, and to automatically log when something like an installation has been executed.  The subroutine HasBeenUpdated() serves the purpose of recording essentially a do-nothing semaphore file to indicate the process was executed (or rather, that it was attempted to be executed.  It's not smart enough to know that what I'm executing finished successfully, which is a limitation of this process, but it is sufficient for me.)

    strCmd1 = "msiexec /i \\ServerName\ShareName\NameOfInstallation.MSI /qn"
    strUser = "domain\UserWithLocalAdminPriveledges"
    strPassword = "Pa$$word" 'give the password here - this is why this process is a risk.
    Set objShell = CreateObject("Wscript.Shell")
    strComputerName = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
    strTempFolder = objShell.ExpandEnvironmentStrings("%TEMP%")
    If HasBeenUpdated(strComputerName, "InstallThisMSI")=0 then
    	Return1 = objShell.Run("\\Server\LocationOfCPAU\cpau -u " & strUser & " -p " & strPassword & " -cwd " & strTempFolder & " -ex " & chr(34) & strCmd1 & chr(34) & " -wait -profile", , True)
    End if
    Set objShell  = nothing
    Function HasBeenUpdated(tEntityName, tEventName)
    'Purpose: 	To record when a process has been run on a given workstation or for a 
    '		certain user on a workstation, so that it does not run more than once.
    'Parameter: 	tEntityName = Name of computer (or computer-user) being checked
    '		Note: tEventName is Event name that will be the folder for the log file being checked.
    '		It must already exist.
    'Example Call:	ret=HasBeenUpdated("WKS245","FlashPlayerInstall")
    'Returns: 	0 = File Did not previously exist, so the Entity *had not* been updated.
    '	  	1 = File Did previously exist, so the Entity *had* been updated.
    '		If the Entity had not been updated, this routine assumes the calling routine
    '		will be performing the update and creates the LOG file to indicate the update was performed.
    	Dim fso
    	Dim strFilename
    	Dim filetext
    	Dim strFileServer
    	Dim strReportInstallationFolder
    	Set fso = CreateObject("Scripting.FileSystemObject")
    	strFileServer = "\\TheServername"
    	strReportInstallationFolder = "\TheHiddenShare$"
    	strFilename = strFileServer & strReportInstallationFolder & "\" & tEventName & "\" & tEntityName & ".LOG"
    	If fso.FileExists(strFilename) Then
    		'MsgBox "File Exists - " & strFilename
    		HasBeenUpdated = 1
    	Else
    		'Create the marker file so the next run for this entity is skipped.
    		Set filetext = fso.CreateTextFile(strFilename, True)
    		filetext.Close
    		'MsgBox "File does not exist - " & strFilename
    		HasBeenUpdated = 0
    	End If
    End Function

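Both admin-rights approaches in this thread (the psexec command with -p and the VBScript that hard-codes strPassword) leave a password readable in a script on a share. The following is an added example, not code from any poster: a Python check that scans script text for those two forms and reports each hit with the secret redacted. File names, accounts and passwords in SAMPLES are constructed, and the regexes cover only the forms shown in this thread.

```python
import re

# Quoted literal assigned to a password-like variable (VBScript or batch).
ASSIGN = re.compile(r'(?i)\b\w*(?:password|passwd|pwd)\w*\s*=\s*"(?P<secret>[^"]+)"')
# Literal value following a -p switch on a psexec or cpau command line.
# A VBScript concatenation (" -p " & strPassword) is skipped on purpose:
# the literal is reported where the variable is assigned.
CLI = re.compile(r'(?i)\b(?:psexec|cpau)(?:\.exe)?\b.*?\s-p\s+(?P<secret>"[^"&]+"|[^\s"]+)')

def scan_text(name, text):
    """Return findings as (file, line_no, kind, redacted_line) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in (("literal-assignment", ASSIGN), ("cli-password", CLI)):
            m = pattern.search(line)
            if m:
                start, end = m.span("secret")
                # Redact so the report is not another copy of the secret.
                redacted = line[:start] + "***" + line[end:]
                findings.append((name, line_no, kind, redacted.strip()))
    return findings

def scan_all(files):
    """Scan a {file name: text} mapping and return all findings in order."""
    results = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results

# Constructed sample inputs modelled on the commands quoted in this thread.
SAMPLES = {
    "install.vbs": r'''strUser = "EXAMPLE\svc-install"
strPassword = "Constructed-Pw1"
Return1 = objShell.Run("\\srv\tools\cpau -u " & strUser & " -p " & strPassword & " -wait", , True)
''',
    "push.bat": r'''psexec @computers.txt -s -d -u EXAMPLE\svc-install -p Constructed-Pw2 \\srv\share\file.bat
''',
    "clean.bat": r'''msiexec /i \\srv\share\app.msi /qn ALLUSERS=1
''',
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(finding)
```

To run it over a real deployment share, read each script file into the mapping passed to scan_all; any hit means the account's password should be treated as exposed to everyone who can read that share.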


    Expert Comment

    it-infra, I started my last comment before yours, but got sidetracked and didn't know you went another path.  Well, it's food for thought anyway.
