Installing MSI file using script and admin rights?

Posted on 2011-10-31
Medium Priority
Last Modified: 2013-11-13
I have a .MSI file available on a shared folder accessible by all; assume it's: \\Share\A\File.msi

I wanna install this MSI package on many machines, all in one OU in Active Directory. I want to build a script for that, however I'm not able to supply an admin user name and password. Yes, the file is accessible, but installation is not allowed for the user; that's why I wanna give the script admin rights.

What will the complete script be?

Question by:it-infra
LVL 43

Accepted Solution

Steve Knight earned 1000 total points
ID: 37055499
Have you tried using group policy to do it?  You can either roll it out to computers or users, sounds like computers for you:

Is pretty easy to put in place like that and installs as the computer automatically on next startup not the user so admin rights aren't an issue then.

Here is MS's take on how to do it, can elaborate if needed, not necessarily the best guide!


You'd need the bit:
Create a Group Policy Object
and Assign a Package

You may need to amend share permissions or ntfs permissions on the files but give it a go....


Expert Comment

ID: 37055528


Author Comment

ID: 37055724
I tried computer policies, software settings, assigned applications with no luck. Software won't be installed on the machines due to restriction, I guess. How to force admin rights when installing?

I'm not familiar with VB scripts; what would I need among these commands?

msiexec -i \\ShareFolder\File.msi ALLUSERS=1
I tried this one, it didn't help.
LVL 43

Expert Comment

by:Steve Knight
ID: 37055743
cyborgd's suggestion involved setting the elevated privileges registry key, which can be a bit of a security hazard.

The group policy issue should install fine if, as suggested, allocated to the computers.  Check the event log for why it didn't work, as this is a nice, really powerful facility.  It may just be your share/NTFS permissions on the share and possibly setting it as a null session share (is this still needed, hmm?).  Try temporarily putting the install set in the netlogon share on a DC.


Author Comment

ID: 37061783

Forget about my question, I'm running psexec now and it's fine. However, I'm using computer names in a text file; it's working:
psexec @computers7.txt -c -f -s -d -u domain\user -p password \\server\folder\file.bat

However, I'm looking to work on subnets (VLAN); how shall I change my command there? I found many ways but couldn't get any one running!
LVL 43

Expert Comment

by:Steve Knight
ID: 37061834
Good, though did you not try the options we all gave?!

I'm confused now - what are you asking re: working on subnets exactly?  Is this related or should it be a new question if not perhaps... you can always make it a "related question" and then the people already here will be notified.

If you are saying you want different subnets to get different apps, or from different servers easiest method is to use AD to do it using dfs for storing the files to get the nearest server to them, or assigning applications based on site in AD.

Other than that mind reading not working very well today.

LVL 11

Assisted Solution

kbirecki earned 1000 total points
ID: 37061857
First, dragon-it is right about pretty much any solution other than GPOs, including what I will show you here with a VBScript solution - they are certainly not secure.  I rely on a couple of things to maintain some separation between users with limited permissions and elevated permissions.

1. I use a hidden share (I know it's not a lot, but at least as far as my users are concerned, it doesn't exist.)
2. I use an account that is only a local admin for the purposes of installing or managing the workstations.

If you don't know how to create a hidden share, you create them the same way as any other, but you add a "$" at the end of the share name.  That makes it hidden.  I also use a folder that users can't get to other than through the hidden share, meaning the hidden share is not part of a tree of folders that they have access to otherwise.  And I set read-write permissions on this folder for users.  And I use these kinds of folders almost exclusively for reporting or gathering of information, such as semaphore files or results from scripts.  In this case, you can place the VBScript example shown below in a folder under a hidden share and run it from the login script, or manually if necessary.

Call the VBScript using the hidden share path with a command such as:

wscript "\\TheServerName\TheHiddenShare$\TheVBScriptFile.vbs"


The script to run the MSI with elevated permissions relies on CPAU.  You'll see in the script below that CPAU is referenced from some common location, which itself does not need to be secured.  The script below has comments in it to explain what is going on.  You really only need the one CPAU line, but this is how I create these types of scripts to be flexible enough to reuse or expand, and to automatically log when something like an installation has been executed.  The subroutine HasBeenUpdated() serves the purpose of recording essentially a do-nothing semaphore file to indicate the process was executed (or rather, that it was attempted to be executed.  It's not smart enough to know that what I'm executing finished successfully, which is a limitation of this process, but it is sufficient for me.)

strCmd1 = "msiexec /i \\ServerName\ShareName\NameOfInstallation.MSI /qn"
strUser = "domain\UserWithLocalAdminPriveledges"
strPassword = "Pa$$word" 'give the password here - this is why this process is a risk.

Set objShell = CreateObject("Wscript.Shell")
strComputerName = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
strTempFolder = objShell.ExpandEnvironmentStrings("%TEMP%")

If HasBeenUpdated(strComputerName, "InstallThisMSI")=0 then
	Return1 = objShell.run("\\Server\LocationOfCPAU\cpau -u " & strUser & " -p " & strPassword & " -cwd " & strTempFolder & " -ex " & chr(34) & strCmd1 & chr(34) & " -wait -profile", , True)
End if

Set objShell  = nothing

Function HasBeenUpdated(tEntityName, tEventName)
'Purpose: 	To record when a process has been run on a given workstation or for a 
'		certain user on a workstation, so that it does not run more than once.
'Parameter: 	tEntityName = Name of computer (or computer-user) being checked
'		Note: tEventName is Event name that will be the folder for the log file being checked.
'		It must already exist.
'Example Call:	ret=HasBeenUpdated("WKS245","FlashPlayerInstall")
'Returns: 	0 = File Did not previously exist, so the Entity *had not* been updated.
'	  	1 = File Did previously exist, so the Entity *had* been updated.
'		If the Entity had not been updated, this routine assumes the calling routine
'		will be performing the update and creates the LOG file to indicate the update was performed.

	Dim fso
	Dim strFilename
	Dim filetext
	Dim strFileServer
	Dim strReportInstallationFolder

	Set fso = CreateObject("Scripting.FileSystemObject")

	strFileServer = "\\TheServername"
	strReportInstallationFolder = "\TheHiddenShare$"

	strFilename = strFileServer & strReportInstallationFolder & "\" & tEventName & "\" & tEntityName & ".LOG"

	If fso.FileExists(strFilename) Then
		'MsgBox "File Exists - " & strFilename
		HasBeenUpdated = 1
	Else
		'No semaphore file yet: create the .LOG file to record that the update is being run
		Set filetext = fso.CreateTextFile(strFilename, True)
		filetext.Close
		'MsgBox "File does not exist - " & strFilename
		HasBeenUpdated = 0
	End If

End Function
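
Added example, not part of any post in this thread: a PowerShell scan for the two credential forms that appear above, the `psexec`/`cpau` command line with `-u ... -p`, and a password assigned to a script variable. It reports file and line number only, so the password itself is not echoed into the audit output. The function name `Find-EmbeddedCredential`, the patterns, and the sample files are constructed for illustration.

```powershell
# Patterns for the credential forms shown in this thread (constructed for this example).
$patterns = [ordered]@{
    'psexec/cpau with -u and -p'      = '(?i)\b(psexec|cpau)(\.exe)?\b.*\s-u\s+\S+.*\s-p\s+\S+'
    'password assigned to a variable' = '(?i)\b\w*(password|passwd|pwd)\w*\s*=\s*"[^"]+"'
}

function Find-EmbeddedCredential {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.vbs', '*.bat', '*.cmd', '*.ps1')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include | ForEach-Object {
        $file = $_
        foreach ($name in $patterns.Keys) {
            Select-String -LiteralPath $file.FullName -Pattern $patterns[$name] |
                ForEach-Object {
                    # Deliberately omit the matched text so the secret is not copied around.
                    [pscustomobject]@{
                        File    = $file.Name
                        Line    = $_.LineNumber
                        Finding = $name
                    }
                }
        }
    }
}

# Constructed sample files standing in for a script share; all values are placeholders.
$root = Join-Path ([IO.Path]::GetTempPath()) ("script-audit-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
Set-Content -Path (Join-Path $root 'deploy.bat') -Value @(
    'psexec @computers7.txt -c -f -s -d -u EXAMPLE\installer -p NotARealPassword \\server\folder\file.bat'
)
Set-Content -Path (Join-Path $root 'install.vbs') -Value @(
    'strUser = "EXAMPLE\installer"',
    'strPassword = "NotARealPassword"',
    'strCmd1 = "msiexec /i \\ServerName\ShareName\NameOfInstallation.MSI /qn"'
)
# A script that only calls msiexec carries no credential and should not be reported.
Set-Content -Path (Join-Path $root 'clean.cmd') -Value @(
    'msiexec /i \\ServerName\ShareName\NameOfInstallation.MSI /qn'
)

Find-EmbeddedCredential -Path $root | Sort-Object File, Line | Format-Table -AutoSize
Remove-Item -Recurse -Force $root
```

Point `-Path` at the share that holds the login and deployment scripts. A hidden `$` share does not change the result, since any user who can read the login script that calls it can also read the path and the files behind it.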


LVL 11

Expert Comment

ID: 37061875
it-infra, I started my last comment before yours, but got sidetracked and didn't know you went another path.  Well, it's food for thought anyway.


Question has a verified solution.
