• Status: Solved
  • Priority: Medium
  • Security: Public

Installing MSI file using script and admin rights?

I have a .MSI file available on shared folder accessible by all, assume it's: \\Share\A\File.msi

I want to install this MSI package on many machines, all in one OU in Active Directory. I want to build a script for that; however, I'm not able to supply an admin user name and password. Yes, the file is accessible, but installation is not allowed for the user; that's why I want to give the script admin rights.

What would the complete script be?

2 Solutions
Steve Knight (IT Consultancy) Commented:
Have you tried using group policy to do it?  You can either roll it out to computers or users, sounds like computers for you:

It is pretty easy to put in place like that, and it installs as the computer automatically on next startup, not as the user, so admin rights aren't an issue then.

Here is MS's take on how to do it, can elaborate if needed, not necessarily the best guide!


You'd need the bit:
Create a Group Policy Object
and Assign a Package

You may need to amend share permissions or NTFS permissions on the files, but give it a go....


it-infra (Author) Commented:
I tried computer policies, software settings, assigned applications with no luck; the software won't be installed on the machines, due to a restriction I guess. How do I force admin rights when installing?

I'm not familiar with VB scripts, what would I need among these commands?

msiexec -i \\ShareFolder\File.msi ALLUSERS=1
I tried this one, it didn't help.

Steve Knight (IT Consultancy) Commented:
cyborgd's suggestion involved setting the elevated privileges registry key, which can be a bit of a security hazard.

The group policy issue should install fine if, as suggested, it is allocated to the computers.  Check the event log for why it didn't work, as this is a nice, really powerful facility.  It may just be your share/NTFS permissions on the share and possibly setting it as a null session share (is this still needed, hmm?).  Try temporarily putting the install set in the netlogon share on a DC.

it-infra (Author) Commented:

Forget about my question, I'm running psexec now and it's fine; however, I'm using computer names in a text file, and it's working:
psexec @computers7.txt -c -f -s -d -u domain\user -p password \\server\folder\file.bat

However, I'm looking to work on subnets (VLAN); how shall I change my command there? I found many ways but couldn't get any of them running!

Steve Knight (IT Consultancy) Commented:
Good, though did you not try the options we all gave?!

I'm confused now - what are you asking re: working on subnets exactly?  Is this related or should it be a new question if not perhaps... you can always make it a "related question" and then the people already here will be notified.

If you are saying you want different subnets to get different apps, or from different servers, the easiest method is to use AD to do it, using DFS for storing the files to get the nearest server to them, or assigning applications based on site in AD.

Other than that, mind reading is not working very well today.

First, dragon-it is right about pretty much any solution other than GPOs, including what I will show you here with a VBScript solution - they are certainly not secure.  I rely on a couple of things to maintain some separation between users with limited permissions and elevated permissions.

1. I use a hidden share (I know it's not a lot, but at least as far as my users are concerned, it doesn't exist.)
2. I use an account that is only a local admin for the purposes of installing or managing the workstations.

If you don't know how to create a hidden share, you create them the same way as any other, but you add a "$" at the end of the share name.  That makes it hidden.  I also use a folder that users can't get to other than through the hidden share, meaning the hidden share is not part of a tree of folders that they have access to otherwise.  And I set read-write permissions on this folder for users.  And I use these kinds of folders almost exclusively for reporting or gathering of information, such as semaphore files or results from scripts.  In this case, you can place the VBScript example shown below in a folder under a hidden share and run it from the login script, or manually if necessary.

Call the VBScript using the hidden share path with a command such as:

wscript "\\TheServerName\TheHiddenShare$\TheVBScriptFile.vbs"


The script to run the MSI with elevated permissions relies on CPAU.  You'll see in the script below that CPAU is referenced from some common location, which itself does not need to be secured.  The script below has comments in it to explain what is going on.  You really only need the one CPAU line, but this is how I create these types of scripts to be flexible enough to reuse or expand, and to automatically log when something like an installation has been executed.  The subroutine HasBeenUpdated() serves the purpose of recording essentially a do-nothing semaphore file to indicate the process was executed (or rather, that it was attempted to be executed.  It's not smart enough to know that what I'm executing finished successfully, which is a limitation of this process, but it is sufficient for me.)

strCmd1 = "msiexec /i \\ServerName\ShareName\NameOfInstallation.MSI /qn"
strUser = "domain\UserWithLocalAdminPriveledges"
strPassword = "Pa$$word" 'give the password here - this is why this process is a risk.

Set objShell = CreateObject("Wscript.Shell")
strComputerName = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
strTempFolder = objShell.ExpandEnvironmentStrings("%TEMP%")

If HasBeenUpdated(strComputerName, "InstallThisMSI")=0 then
	Return1 = objShell.run("\\Server\LocationOfCPAU\cpau -u " & strUser & " -p " & strPassword & " -cwd " & strTempFolder & " -ex " & chr(34) & strCmd1 & chr(34) & " -wait -profile", , True)
End if

Set objShell  = nothing

Function HasBeenUpdated(tEntityName, tEventName)
'Purpose: 	To record when a process has been run on a given workstation or for a 
'		certain user on a workstation, so that it does not run more than once.
'Parameter: 	tEntityName = Name of computer (or computer-user) being checked
'		Note: tEventName is Event name that will be the folder for the log file being checked.
'		It must already exist.
'Example Call:	ret=HasBeenUpdated("WKS245","FlashPlayerInstall")
'Returns: 	0 = File Did not previously exist, so the Entity *had not* been updated.
'	  	1 = File Did previously exist, so the Entity *had* been updated.
'		If the Entity had not been updated, this routine assumes the calling routine
'		will be performing the update and creates the LOG file to indicate the update was performed.

	Dim fso
	Dim strFilename
	Dim filetext
	Dim strFileServer
	Dim strReportInstallationFolder

	Set fso = CreateObject("Scripting.FileSystemObject")

	strFileServer = "\\TheServername"
	strReportInstallationFolder = "\TheHiddenShare$"

	strFilename = strFileServer & strReportInstallationFolder & "\" & tEventName & "\" & tEntityName & ".LOG"

	If fso.FileExists(strFilename) Then
		'MsgBox "File Exists - " & strFilename
		HasBeenUpdated = 1
	Else
		'Create the semaphore file so the next run sees this entity as updated
		Set filetext = fso.CreateTextFile(strFilename, True)
		filetext.Close
		'MsgBox "File does not exist - " & strFilename
		HasBeenUpdated = 0
	End If

End Function


it-infra, I started my last comment before yours, but got sidetracked and didn't know you went another path.  Well, it's food for thought anyway.
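
An added example, not part of the original thread or any poster's code: a small Python scanner a defender could run over login scripts and batch files to flag the two credential-passing styles shown in the posts above (a literal password after psexec/cpau `-p`, and a VBScript password assignment). The function name, patterns and sample text are constructed for illustration, and findings are reported masked so the scanner's own output does not leak the secret.

```python
import re

# Patterns for the credential styles seen in this thread (illustrative, not exhaustive).
PATTERNS = [
    # psexec/cpau command line with an unquoted literal after -p
    ("cli -p literal", re.compile(
        r'\b(?:psexec|cpau)(?:\.exe)?\b[^\n]*?\s-p\s+(?P<secret>[^\s"&]+)', re.I)),
    # VBScript assignment such as: strPassword = "literal"
    ("vbs password assignment", re.compile(
        r'^\s*\w*(?:pass|pwd)\w*\s*=\s*"(?P<secret>[^"]+)"', re.I)),
]


def scan_script(text):
    """Return (line_no, kind, masked_secret) findings; never the secret itself."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            secret = m.group("secret")
            # A batch variable reference (%NAME%) is not a literal in this file.
            if re.fullmatch(r"%\w+%", secret):
                continue
            findings.append((line_no, kind, "*" * len(secret)))
    return findings


# Constructed sample built from the command shapes quoted in the thread.
SAMPLE = r'''psexec @computers7.txt -c -f -s -d -u domain\user -p password \\server\folder\file.bat
psexec @computers7.txt -s -u domain\user -p %ADMINPW% \\server\folder\file.bat
strPassword = "Pa$$word"
Return1 = objShell.run("\\Server\LocationOfCPAU\cpau -u " & strUser & " -p " & strPassword, , True)
msiexec /i \\ServerName\ShareName\NameOfInstallation.MSI /qn
'''

if __name__ == "__main__":
    for line_no, kind, masked in scan_script(SAMPLE):
        print(f"line {line_no}: {kind} ({masked})")
```

Line 4 of the sample is not flagged on its own because the password there is a variable; the literal is caught at its assignment on line 3.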
Question has a verified solution.
