mbudman

asked on

Problem running batch file through GPO

Hello,

I am working with group policy and I am trying to launch a script that connects to a share (on a file server that is a member of the domain) and executes a setup program.

The script is launched through group policy at:

Computer Configuration -> Policies -> Windows Settings -> Scripts -> Startup

The script does execute, but I am getting an error when it tries to connect to an active domain share, indicating wrong username or password.

The share does allow everyone read only (which is the correct access level) and the security rights allow everyone to read / list / execute. Domain users are also allowed to read / list / execute.

Is there a way to run the program on the share without the system prompting for username / password?

Thanks!
McKnife

You need to allow the group "domain computers" to access the share at NTFS and share level.
Are you willing to share the batch file? There are probably better ways to do it than running a batch.
mbudman

ASKER

Here is the original command provided by the vendor (Sophos)

\\computer-name.domain.com\SophosUpdate\CIDs\SXXX\SAVSCFXP\Setup.exe -updp "\\computer-name.domain.com\SophosUpdate\CIDs\SXXX\SAVSCFXP" -u <<USERNAME>> -p <<PASSWORD>> -mng yes

I would like to be able to do the same command without providing a user name and password:

\\computer-name.domain.com\SophosUpdate\CIDs\SXXX\SAVSCFXP\Setup.exe -updp "\\computer-name.domain.com\SophosUpdate\CIDs\SXXX\SAVSCFXP" -mng yes

Interestingly enough, this vendor, Sophos, has a tool for Active Directory sync. The tool is supposed to automatically deploy the client when a new machine (server) is discovered in AD. Discovery works fine, but automatic installation fails.

The requirement for a successful install is that 3 services need to be started:

Windows task manager
Windows Installer
remote registry

By default, Windows Installer is set to manual (and it looks like the setting cannot be changed).
Remote registry is set to "trigger start".
Task manager is started (set to automatic).

Deploy of client is to servers w2k08 /w2k12 / w2k16, which Sophos says is not supported for automatic deployment:

https://community.sophos.com/kb/en-us/47894

This makes no sense to me, because I have another application from a different vendor, which uses their own Active Directory sync tool, that connects to a share and deploys flawlessly (on the same servers that I want to deploy with Sophos).

Ideally I would like to use the Sophos AD tool, but it does not work.

Therefore Sophos suggests using a batch script defined in Group policy:

https://community.sophos.com/kb/en-us/13090

which is the batch file that I am using.

Reboot of servers is not easy either, so forcing a reboot to launch installation is less than ideal.

There must be a way to resolve this easily, especially since I have another vendor that does this function correctly without issue.

Please don't leave my suggestion uncommented as if it wasn't made :-)
mbudman

ASKER

McKnife,

I would never ignore your comment. I just posted what I thought was a better explanation of my requirements as there was a request to post the batch file.

I am currently in the process of testing your solution and hopefully it will resolve the problem that I am facing.

Thanks for the input!
:)
mbudman

ASKER

Well, adding the rights for the computer group did not work.

Sophos is expecting a username / password combination

I cannot pass this information in clear text.

They have an encryption utility but it does not work.

Sophos' answer is that they do not support their own encryption utility because development of this utility was out-sourced.

I have the misfortune of dealing with a level one tech who puts me on hold for every single question I ask. Amazing, no?

In any case, I cannot get automatic deployment to work.

Any suggestions?

See if setup.exe /? has options that could be used to centrally deploy.

Look if it has an option to use an answer file ....
mbudman

ASKER

An answer file will not work because it is expecting a username and password as input.

Look at software deployment: can you create an MSI file that does the quiet install and can be built through an enterprise console, if any?


Can the app be remotely pushed/deployed?
"Sophos is expecting a username / password combination" - I see! So you would like to use a start script (which runs as system account) and that start script of yours would use different credentials. That is not possible for the system account, since it cannot impersonate other users.
To verify what I just told you, please take a test machine, download psexec from the microsoft pstools, start cmd as system account (on an elevated command prompt, run psexec -s -i cmd) and on that new cmd shell which appears, launch your script - you will see all errors, now.
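
The SYSTEM-context check McKnife describes can also be written to a log, so the result is visible when the script runs unattended at startup. This is an added example, not part of the original thread; the UNC path is the placeholder path quoted in the question, and the log location and the `Write-CheckLog` helper name are assumptions.

```powershell
# Added example, not from the thread. Run it as a computer startup script, or
# from the SYSTEM shell opened with: psexec -s -i cmd
# Assumptions: $setupDir is the placeholder UNC path from the question;
# the log file location is arbitrary.
$setupDir = '\\computer-name.domain.com\SophosUpdate\CIDs\SXXX\SAVSCFXP'
$setupExe = Join-Path $setupDir 'Setup.exe'
$log      = Join-Path $env:windir 'Temp\startup-share-check.log'

# Hypothetical helper: append one timestamped line to the log.
function Write-CheckLog([string]$Message) {
    "{0:u}  {1}" -f (Get-Date), $Message | Add-Content -Path $log
}

# Record the identity the script really runs under. A startup script runs as
# NT AUTHORITY\SYSTEM, which authenticates to other domain members as the
# computer account (DOMAIN\COMPUTERNAME$), not as any user.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-CheckLog "Running as $($id.Name) (IsSystem=$($id.IsSystem)) on $env:COMPUTERNAME"

# Probe the installer over the share and log the exact failure, if any.
try {
    $item = Get-Item -LiteralPath $setupExe -ErrorAction Stop
    Write-CheckLog "OK: can read $setupExe ($($item.Length) bytes)"
}
catch {
    Write-CheckLog ("FAILED: {0} -> {1}: {2}" -f $setupExe,
        $_.Exception.GetType().Name, $_.Exception.Message)
}
```

An "OK" line here while the install still fails points at the installer's own credential requirement rather than at the share or NTFS permissions.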
compdigit44

I am not familiar with Sophos, but the fact it requires the MSI installer would lead me to believe the Setup.exe actually extracts an MSI file to a temp folder, then runs the install. Have you tried to start the installer on a test machine, then kill the install to see if an MSI file is placed in a temp folder? Regarding their command line switches, I do not see an extract option listed outright.

https://community.sophos.com/kb/en-us/12570

To see if there is an MSI, follow the suggestion by compdigit, but do not kill; look in %TEMP% for a newly created directory where the MSI file might be.
Note the %TEMP% is relative to the user whose credentials are used to elevate rights to allow the install.
mbudman

ASKER

I do not know how to convert Sophos' setup and configuration (which requires a username and password) to an MSI. The account used for the setup would always be the same - a service account.

Sophos has provided a utility that encrypts the user name and password, values which I can send via the initial .bat file set up script. I have tested and this works. It seems that this is the best solution.

Sophos does not require an MSI installer. Instead, I would prefer an MSI installer as I would be able to properly deploy the client through group policy.
mbudman

ASKER

Thank you for your assistance