PDGPA
asked on
Run GPO Logon Script as another user / admin / elevated permission
Hello all,
We have a massive upgrade happening to one of our servers and it is causing us to have to uninstall all java versions from all of our machines (~1200) and then install a new version. Now I have a script to uninstall the old versions but I am having issues running it with permissions.
I cannot run this as a startup script because of network issues, this needs to be run though the logon script area. The script I have works if an admin logs in, however it does not work if a normal domain user logs in. Is there any way to run a logon script with elevated permissions? I see that I can add parameters to my GPO and powershell scripts, but I do not know what syntax I would use.
Any thoughts welcome, thanks!
We have a massive upgrade happening to one of our servers and it is causing us to have to uninstall all java versions from all of our machines (~1200) and then install a new version. Now I have a script to uninstall the old versions but I am having issues running it with permissions.
I cannot run this as a startup script because of network issues, this needs to be run though the logon script area. The script I have works if an admin logs in, however it does not work if a normal domain user logs in. Is there any way to run a logon script with elevated permissions? I see that I can add parameters to my GPO and powershell scripts, but I do not know what syntax I would use.
Any thoughts welcome, thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Are your permissions on the share correct ?
ASKER
Yes I set the folder to full access for everyone. Again my issue is that the user that is logging in is not an admin. I want to execute these scripts as an admin without using the Startup script folder.
See error below
"Action start 13:04:50: LaunchConditions.
MSI (s) (94:D8) [13:04:50:082]: Product: Java 7 Update 65 -- This account does not have sufficient privileges to install Java. Please login to an account with administrative permissions.
This account does not have sufficient privileges to install Java. Please login to an account with administrative permissions.
Action ended 13:04:50: LaunchConditions. Return value 3."
See error below
"Action start 13:04:50: LaunchConditions.
MSI (s) (94:D8) [13:04:50:082]: Product: Java 7 Update 65 -- This account does not have sufficient privileges to install Java. Please login to an account with administrative permissions.
This account does not have sufficient privileges to install Java. Please login to an account with administrative permissions.
Action ended 13:04:50: LaunchConditions. Return value 3."
Is that when being run as a "Login Script" ??
Is that from the script I posted ?? <<< Did you run it as a "Startup" script ??
Is that from the script I posted ?? <<< Did you run it as a "Startup" script ??
ASKER
Yes that is the log when run as a "Login Script"
Yes this is the script you posted. Again I CANNOT user start-up scripts. I know that would make this much easier but this network we are on and the state of our GPO makes us unable to handle start-up scripts. I could go into the long explanation as to exactly why we cannot but the short version is that we inherited this infrastructure and now need to maintain it while we build a new one in the background.
Any idea how I can run this script with admin privileges? Or even just a hard coded Domain admin account? This is not permanent it is a one time upgrade.
Yes this is the script you posted. Again I CANNOT user start-up scripts. I know that would make this much easier but this network we are on and the state of our GPO makes us unable to handle start-up scripts. I could go into the long explanation as to exactly why we cannot but the short version is that we inherited this infrastructure and now need to maintain it while we build a new one in the background.
Any idea how I can run this script with admin privileges? Or even just a hard coded Domain admin account? This is not permanent it is a one time upgrade.
Well then I suggest you create a share and deploy with software distribution(MSI)
http://www.java.com/en/download/help/msi_install.xml
Or you could (I have done it this way) use psexec.exe. By first creating a .BAT that points to the .VBS file
like "\\server\javashare\update java.vbs" without quotes.
Then open a cmd prompt and run psexec \\* -c -f -s -d \\server\javashare\updatej ava.bat
"*" << wildcard for all pc's in the domain (Easiest way)
-c << Copies file to the remote pc
-f << Force copy in case it already existed(like a earlier version)
-s << Run as system context << you want this
-d << Dont wait before moving onto the next pc
http://www.java.com/en/download/help/msi_install.xml
Or you could (I have done it this way) use psexec.exe. By first creating a .BAT that points to the .VBS file
like "\\server\javashare\update
Then open a cmd prompt and run psexec \\* -c -f -s -d \\server\javashare\updatej
"*" << wildcard for all pc's in the domain (Easiest way)
-c << Copies file to the remote pc
-f << Force copy in case it already existed(like a earlier version)
-s << Run as system context << you want this
-d << Dont wait before moving onto the next pc
ASKER
Is there anyway to hard-code a domain admin into this script?
For example could I have the script run-as me? This is only a one-time use case and will be done after hours so I am un-concerned about hard-coding a temp password into our GPO.
I am trying to do some searching but I am very unfamiliar with VBS. Any more assistance would be great, I do like this script!
For example could I have the script run-as me? This is only a one-time use case and will be done after hours so I am un-concerned about hard-coding a temp password into our GPO.
I am trying to do some searching but I am very unfamiliar with VBS. Any more assistance would be great, I do like this script!
Since it's like you say a "One time"..use the Psexec method I described above. I have done it many times that way
ASKER
I cannot seem to find a working version of PSEXEC online - all the downloads I find are corrupt. Do you have a perma-link?
ASKER
Hey Dstewartjr,
I got it all setup but I am still getting "access denied" - I am not sure how I am denied, I am using a domain admin account with the tool, and the file shares are shared to everyone at full access.
Is there something I am missing here?
I got it all setup but I am still getting "access denied" - I am not sure how I am denied, I am using a domain admin account with the tool, and the file shares are shared to everyone at full access.
Is there something I am missing here?
ASKER
I am still getting "Access Denied" when running this script from startup scripts area. Listed as a login script this works fine, however I would like to do this over a weekend on machines that will not have a user logging into it.
I have tried adding "Everyone", "System" & "Domain Computers" to full access to my network share and still psexec comes back with "Access Denied". I checked the UAC, firewalls and all network access and cannot see why the machines are not able to run this script.
Any assistance would be appreciated!
I have tried adding "Everyone", "System" & "Domain Computers" to full access to my network share and still psexec comes back with "Access Denied". I checked the UAC, firewalls and all network access and cannot see why the machines are not able to run this script.
Any assistance would be appreciated!
Are you running the command prompt as either "Another User" (Hold shift down and right click) or as "Run as administrator" ??
are you using all four switches "-c -f -s -d " ??
are you using the .bat to call the script ??? <<<You must
are you using all four switches "-c -f -s -d " ??
are you using the .bat to call the script ??? <<<You must
ASKER
I appreciate this script, it worked well however our deployment was messy. This was partially due to Java, partially our network and partially the IE plugins.
Either way I appreciate all the effort!
Either way I appreciate all the effort!
ASKER
Looked into the log files and it states "Needs permissions" So how can I elevate the permissions / run as admin with this script? Its a nice script but I have the same issue as my script