Solved

Run GPO Logon Script as another user / admin / elevated permission

Posted on 2014-08-21
Last Modified: 2014-10-01
Hello all,

We have a massive upgrade happening to one of our servers and it is causing us to have to uninstall all Java versions from all of our machines (~1200) and then install a new version. Now I have a script to uninstall the old versions, but I am having issues running it with permissions.

I cannot run this as a startup script because of network issues; this needs to be run through the logon script area. The script I have works if an admin logs in; however, it does not work if a normal domain user logs in. Is there any way to run a logon script with elevated permissions? I see that I can add parameters to my GPO and PowerShell scripts, but I do not know what syntax I would use.

Any thoughts welcome, thanks!
0
Question by:PDGPA
15 Comments
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 2000 total points
ID: 40277053
Try this script as a startup script (VBS). Be sure to modify the paths to the share.

 


'# Galen Dobbs - 13:20 23/03/2009
'# Uninstalls all but the chosen version of Java Runtime.
'# If the current version is not installed, it installs it from the specified path.
'# Based on a script by 'Daz' from Appdeploy.com message boards.
'# http://www.appdeploy.com/messageboards/tm.asp?m=29809


Option Explicit

Dim wshShell, fso, strLogFile, ts, strTempDir, strTempISS, strUnString, tsIn
Dim strUninstLine, CLSID, search5, search6, search7, strJRE1, strDisplayName, strDisplayVersion
Dim strPublisher, strUninstallString, strJREUninstallString, strJREDisplayName
Dim search1, search2, search3, search4, strJREUninstallStringNEW, ret, strUninstCMD
Dim tsISS, strSetupexe, qVal, strComputername, strCurrentVersion, strInstallMST
Dim searchCurVer, CurVerFound, strArrayCount, strLogPath, strInstallCMD, strInstallMSI, strInstallLog

Dim arrayJREDisplayName()
Dim arrayJREUninstallString()

'# Change this to match the version that you don't want to have it uninstall
strCurrentVersion = "Java 7 Update 25"

'# Set these to the desired log path and current version installer location
strLogPath = "\\yourserver\JAVALOG\"
strInstallMSI = "\\yourserver\java\jre1.7.0_25\jre1.7.0_25-c.msi"
strInstallMST = "\\yourserver\java\jre1.7.0_25\sp1033.mst"

qVal = 0
strArrayCount = 0
ReDim arrayJREDisplayName(strArrayCount)
ReDim arrayJREUninstallString(strArrayCount)

Set wshShell = CreateObject("WScript.Shell") 
Set fso = CreateObject("Scripting.FileSystemObject") 

strComputername = wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")

'# Set this to the appropriate command line settings to do a silent MSI install
strInstallLog = strLogPath & "Java_Install_" & strComputername & ".log"
strInstallCMD = "msiexec /I """ & strInstallMSI & """ /t """ & strInstallMST & """ /QN /Lime """ & strInstallLog & """"

If Not fso.FolderExists(strLogPath) Then fso.CreateFolder(strLogPath)
strLogFile = strLogPath & "Java_Uninstall_" & strComputername & ".log"
Set ts = fso.OpenTextFile(strLogFile, 8, True)

ts.WriteLine String(120, "_") 
ts.WriteLine String(120, "¯") 
ts.WriteLine Now() & " - Java Runtime(s) uninstallation started..."
ts.WriteLine String(120, "_") & vbCrlf

'# Generate Registry extracts from 'Uninstall' keys.
PreFlight()

'# Kill Java Processes
KillProc()

strTempDir = wshShell.ExpandEnvironmentStrings("%temp%")
strTempISS = strTempDir & "\iss" 
strUnString = " -s -a /s /f1" 
Set tsIn = fso.OpenTextFile(strTempDir & "\uninstall.tmp", 1) 

If Not fso.FolderExists(strTempISS) Then fso.CreateFolder(strTempISS)

Do While Not tsIn.AtEndOfStream
   strUninstLine = tsIn.ReadLine 
   CLSID = Mid(strUninstLine, 73, 38) 
   search5 = Instr(strUninstLine, "JRE 1") 
   search6 = Instr(strUninstLine, "]") 
   If search5 > 0 AND search6 > 0 Then 
       strJRE1 = Replace(Mid(strUninstLine, search5, search6),"]","")   
   End If 

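   '# Clear values left over from the previous line; a failed RegRead below leaves its variable unchanged
   strDisplayName = "" : strDisplayVersion = "" : strPublisher = "" : strUninstallString = ""
   strJREUninstallString = "" : strJREDisplayName = ""

   On Error Resume Next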

   strDisplayName = wshShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & CLSID & "\DisplayName") 
   strDisplayVersion = wshShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & CLSID & "\DisplayVersion") 
   strPublisher = wshShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & CLSID & "\Publisher") 
   strUninstallString = wshShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & CLSID & "\UninstallString") 

   strJREUninstallString = wshShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & strJRE1 & "\UninstallString") 
   strJREDisplayName = wshShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & strJRE1 & "\DisplayName") 

   On Error Goto 0

   'Search for presence of Java and Sun in DisplayName and Publisher 
   search1 = Instr(1, strDisplayName, "Java", 1) 
   search2 = Instr(1, strPublisher, "Sun", 1) 
   search3 = Instr(1, strDisplayName, "J2SE", 1) 
   search4 = Instr(1, strUninstallString, "setup.exe", 1)
   search7 = InStr(1, strDisplayName, "Development", 1) + InStr(1, strDisplayName, "Java DB", 1)

   'See if it is the current version
   searchCurVer = InStr(1, strDisplayName, strCurrentVersion, 1)

   'If it is, Show that the current version is found
   If searchCurVer > 0 Then
       CurVerFound = True

   ElseIf strJREUninstallString <> "" Then
       '# JRE 1 found
       strJREUninstallStringNEW = Replace(strJREUninstallString," -f"," -s -a /s /f") 
       ReDim Preserve arrayJREDisplayName(strArrayCount)
       ReDim Preserve arrayJREUninstallString(strArrayCount)
       arrayJREDisplayName(strArrayCount) = " - Found Old JRE: " & strDisplayName & "  - Version: " & strDisplayVersion & ", Uninstalling..."
       arrayJREUninstallString(strArrayCount) = strJREUninstallStringNEW 
       strArrayCount = strArrayCount + 1

   ElseIf search7 = 0 And search1 > 0 Or search3 > 0 And search2 > 0 Then
       strUninstCMD = "msiexec.exe /x " & CLSID & " /norestart /qn"

       If search4 > 0 Then
           '# Old InstallShield setup found
           Set tsISS = fso.OpenTextFile(strTempISS & "\" & CLSID & ".iss", 2, True)
 
           'Create Response file for any Java Version 
           tsISS.WriteLine "[InstallShield Silent]" 
           tsISS.WriteLine "Version=v6.00.000" 
           tsISS.WriteLine "File=Response File" 
           tsISS.WriteLine "[File Transfer]" 
           tsISS.WriteLine "OverwrittenReadOnly=NoToAll" 
           tsISS.WriteLine "[" & CLSID & "-DlgOrder]" 
           tsISS.WriteLine "Dlg0=" & CLSID & "-SprintfBox-0" 
           tsISS.WriteLine "Count=2" 
           tsISS.WriteLine "Dlg1=" & CLSID & "-File Transfer" 
           tsISS.WriteLine "[" & CLSID & "-SprintfBox-0]" 
           tsISS.WriteLine "Result=1" 
           tsISS.WriteLine "[Application]" 
           tsISS.WriteLine "Name=Java 2 Runtime Environment, SE v1.4.0_01"
           tsISS.WriteLine "Version=1.4.0_01"
           tsISS.WriteLine "Company=JavaSoft"
           tsISS.WriteLine "Lang=0009"
           tsISS.WriteLine "[" & CLSID & "-File Transfer]"
           tsISS.WriteLine "SharedFile=YesToAll"
           tsISS.Close

           strSetupexe = Left(strUninstallString, search4 + 9) 
           strUninstCMD =  strSetupexe & strUnString & Chr(34) & strTempISS & "\" & CLSID & ".iss" & Chr(34) 
       End If

       ReDim Preserve arrayJREDisplayName(strArrayCount)
       ReDim Preserve arrayJREUninstallString(strArrayCount)
       arrayJREDisplayName(strArrayCount) = " - Found Old JRE: " & strDisplayName & "    - Version: " & strDisplayVersion & ", Uninstalling..."
       arrayJREUninstallString(strArrayCount) = strUninstCMD
       strArrayCount = strArrayCount + 1
       
   End If 

Loop

tsIn.Close

Dim I
If CurVerFound AND strArrayCount > 0 Then
   ts.Writeline Now() & " - Current Version: " & strCurrentVersion & " found, continuing with uninstalls..."
   For I = LBOUND(arrayJREDisplayName) to UBOUND(arrayJREDisplayName) 
       ts.WriteLine Now() & arrayJREDisplayName(I)
       ts.WriteLine Now() & " - Uninstall String sent: " & arrayJREUninstallString(I)
       ret = wshShell.Run(arrayJREUninstallString(I) , 0, True) 
       ts.WriteLine Now() & " - Return: " & ret
       If ret <> 0 And ret <> 3010 Then qVal = 1
   Next

ElseIf CurVerFound AND strArrayCount = 0 Then
   ts.WriteLine Now() & " - Current version, " & strCurrentVersion & ", found."  
   ts.WriteLine Now() & " - No Old Java Runtime versions are installed."
   qVal = 99

ElseIf Not CurVerFound Then
   
   ts.WriteLine Now() & " - Current Java version, " & strCurrentVersion & ", not found, installing it."
   ts.WriteLine Now() & " - Running Command: " & strInstallCMD
   ret = wshShell.Run(strInstallCMD , 0, True) 
   If ret <> 0 AND ret<> 3010 Then 
       ts.WriteLine Now() & " - Failed to Install Java, see " & strInstallLog & " for more details.  Exiting Script."
       qVal = 1
   ElseIf strArrayCount > 0 Then
       ts.WriteLine Now() & " - Successfully installed " & strCurrentVersion & ", and logged to " & strInstallLog & "." 
       For I = LBOUND(arrayJREDisplayName) to UBOUND(arrayJREDisplayName) 
           ts.WriteLine Now() & arrayJREDisplayName(I)
           ts.WriteLine Now() & " - Uninstall String sent: " & arrayJREUninstallString(I)
           ret = wshShell.Run(arrayJREUninstallString(I) , 0, True) 
           ts.WriteLine Now() & " - Return: " & ret
           If ret <> 0 And ret <> 3010 Then qVal = 1
       Next
   ElseIf strArrayCount = 0 Then
       ts.WriteLine Now() & " - Successfully installed " & strCurrentVersion & ", and logged to " & strInstallLog & "."
       ts.WriteLine Now() & " - No Old Java Runtime versions are installed."
       qVal = 99
   End If
End If

ts.WriteLine String(120, "_") 
ts.WriteLine String(120, "¯") 
ts.Close
fso.DeleteFolder(strTempISS)
fso.DeleteFile(strTempDir & "\uninstall.tmp")

WScript.Quit(qVal)

Sub PreFlight()
   '# Creates temp files containing extracts from registry 'Uninstall' keys.
   Dim wshShell, fso, sTemp
   Set wshShell = CreateObject("WScript.Shell")
   Set fso = CreateObject("Scripting.FileSystemObject")
   sTemp = wshShell.ExpandEnvironmentStrings("%temp%")
   wshShell.Run "REGEDIT /E %temp%\registry.tmp HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\uninstall", 0, True
   wshShell.Run "cmd /c type %temp%\registry.tmp | find /i ""{"" | find /i ""}]"" > %temp%\uninstall.tmp ", 0, True
   wshShell.Run "cmd /c type %temp%\registry.tmp | find /i ""JRE 1"" >> %temp%\uninstall.tmp ", 0, True
   If Not fso.FileExists(sTemp & "\uninstall.tmp") Then
       ts.WriteLine Now() & " - No input - %temp%\uninstall.tmp Reg extract not created."
       ts.WriteLine String(120, "_") 
       ts.WriteLine String(120, "¯") 
       ts.Close
       WScript.Quit(1)
   End If
End Sub

Sub KillProc()
   '# kills jusched.exe and jqs.exe if they are running.  These processes will cause the installer to fail.
   Dim wshShell
   Set wshShell = CreateObject("WScript.Shell")
   wshShell.Run "Taskkill /F /IM jusched.exe /T", 0, True
   wshShell.Run "Taskkill /F /IM jqs.exe /T", 0, True
End Sub


0
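
An added example, not part of the thread or of the posted script: a PowerShell dry run of the same detection logic that reads the native and WOW6432Node Uninstall keys directly instead of exporting them with REGEDIT. The function name Get-JavaRuntime, its KeepVersion parameter and the "Oracle" publisher match are assumptions of this example.

```powershell
# Added example, not from the thread. Dry run: reports what would be removed
# and changes nothing. Requires PowerShell 3.0+ for [pscustomobject].
function Get-JavaRuntime {
    param(
        # Assumed parameter; mirrors strCurrentVersion in the VBS above.
        [string]$KeepVersion = 'Java 7 Update 25'
    )
    # 32-bit JREs on 64-bit Windows register under WOW6432Node, which the
    # native Uninstall key does not contain.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $p) { continue }
            $name      = [string]$p.DisplayName
            $publisher = [string]$p.Publisher
            # Same name tests as the VBS: Java or J2SE, but not the JDK or Java DB.
            if ($name -notmatch 'Java|J2SE')        { continue }
            if ($name -match 'Development|Java DB') { continue }
            # Require a matching publisher so unrelated products whose name merely
            # contains "Java" are skipped. "Oracle" is an assumption added here;
            # the VBS only looks for "Sun".
            if ($publisher -notmatch 'Sun Microsystems|Oracle') { continue }

            $id = $key.PSChildName
            $command = if ($id -match '^\{[0-9A-Fa-f-]{36}\}$') {
                # MSI product code: same command line the VBS builds.
                "msiexec.exe /x $id /norestart /qn"
            } else {
                # Non-MSI entry (for example "JRE 1.x"): shown as registered, for review.
                [string]$p.UninstallString
            }
            $action = if ($name -like "*$KeepVersion*") { 'keep' } else { 'remove' }
            [pscustomobject]@{
                DisplayName = $name
                Version     = [string]$p.DisplayVersion
                Publisher   = $publisher
                Action      = $action
                Command     = $command
            }
        }
    }
}

Get-JavaRuntime | Sort-Object DisplayName | Format-List
```

Reading these keys needs no elevation, so the report can be produced from an ordinary user session; only the removal and install steps need the administrative rights that the MSI log in this thread asks for.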
 

Author Comment

by:PDGPA
ID: 40277160
Edited:

Looked into the log files and it states "Needs permissions". So how can I elevate the permissions / run as admin with this script? It's a nice script, but I have the same issue as my script.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40277240
Are your permissions on the share correct?
0

 

Author Comment

by:PDGPA
ID: 40277263
Yes I set the folder to full access for everyone.  Again my issue is that the user that is logging in is not an admin.  I want to execute these scripts as an admin without using the Startup script folder.

See error below
"Action start 13:04:50: LaunchConditions.
MSI (s) (94:D8) [13:04:50:082]: Product: Java 7 Update 65 -- This account does not have sufficient privileges to install Java.  Please login to an account with administrative permissions.

This account does not have sufficient privileges to install Java.  Please login to an account with administrative permissions.
Action ended 13:04:50: LaunchConditions. Return value 3."
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40278924
Is that when being run as a "Login Script" ??
Is that from the script I posted ?? <<< Did you run it as a "Startup" script ??
0
 

Author Comment

by:PDGPA
ID: 40279307
Yes that is the log when run as a "Login Script"

Yes, this is the script you posted. Again, I CANNOT use start-up scripts. I know that would make this much easier, but this network we are on and the state of our GPO makes us unable to handle start-up scripts. I could go into the long explanation as to exactly why we cannot, but the short version is that we inherited this infrastructure and now need to maintain it while we build a new one in the background.

Any idea how I can run this script with admin privileges? Or even just a hard-coded Domain admin account? This is not permanent; it is a one-time upgrade.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40279352
Well then, I suggest you create a share and deploy with software distribution (MSI)

http://www.java.com/en/download/help/msi_install.xml


Or you could (I have done it this way) use psexec.exe, by first creating a .BAT that points to the .VBS file,

like "\\server\javashare\updatejava.vbs" without quotes.

Then open a cmd prompt and run psexec \\* -c -f -s -d \\server\javashare\updatejava.bat

"*" << wildcard for all PCs in the domain (easiest way)
-c   << Copies file to the remote PC
-f   << Force copy in case it already existed (like an earlier version)
-s  << Run as system context << you want this
-d  << Don't wait before moving on to the next PC
0
 

Author Comment

by:PDGPA
ID: 40285890
Is there any way to hard-code a domain admin into this script?

For example, could I have the script run as me? This is only a one-time use case and will be done after hours, so I am unconcerned about hard-coding a temp password into our GPO.

I am trying to do some searching but I am very unfamiliar with VBS.  Any more assistance would be great, I do like this script!
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40285969
Since it's, like you say, a "one time", use the Psexec method I described above. I have done it many times that way.
0
 

Author Comment

by:PDGPA
ID: 40286446
I cannot seem to find a working version of PSEXEC online - all the downloads I find are corrupt.  Do you have a perma-link?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40286544
0
 

Author Comment

by:PDGPA
ID: 40287666
Hey Dstewartjr,

I got it all set up but I am still getting "access denied" - I am not sure how I am denied; I am using a domain admin account with the tool, and the file shares are shared to everyone at full access.

Is there something I am missing here?
0
 

Author Comment

by:PDGPA
ID: 40301388
I am still getting "Access Denied" when running this script from the startup scripts area. Listed as a login script this works fine; however, I would like to do this over a weekend on machines that will not have a user logging into them.

I have tried adding "Everyone", "System" & "Domain Computers" with full access to my network share and still psexec comes back with "Access Denied". I checked the UAC, firewalls and all network access and cannot see why the machines are not able to run this script.

Any assistance would be appreciated!
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40301680
Are you running the command prompt as either "Another User" (hold Shift down and right-click) or as "Run as administrator"?

Are you using all four switches "-c -f -s -d"?

Are you using the .bat to call the script? <<< You must
0
 

Author Closing Comment

by:PDGPA
ID: 40354646
I appreciate this script; it worked well, however our deployment was messy. This was partially due to Java, partially our network and partially the IE plugins.

Either way I appreciate all the effort!
0
