Problem running batch file through GPO


I am working with group policy and I am trying to launch a script that connects to a share (on a file server that is a member of the domain) and executes a setup program.

The script is launched through group policy at:

Computer Configuration -> Policies -> Windows Settings -> Scripts -> Startup

The script does execute, but I am getting an error when it tries to connect to an active domain share, indicating wrong username or password.

The share does allow everyone read only (which is the correct access level) and security rights allow everyone to read / list / execute. Domain users are allowed to read / list / execute.

Is there a way to run the program on the share without the system prompting for username / password?


You need to allow the group "domain computers" to access the share at NTFS and share level.
Shaun Vermaak (Technical Specialist IV) commented:
Are you willing to share the batch file? There are probably better ways to do it than running a batch.
mbudman (Author) commented:
Here is the original command provided by the vendor (Sophos)

\\\SophosUpdate\CIDs\SXXX\SAVSCFXP\Setup.exe -updp "\\\SophosUpdate\CIDs\SXXX\SAVSCFXP" -u <<USERNAME>> -p <<PASSWORD>> -mng yes

I would like to be able to do the same command without providing a user name and password:

\\\SophosUpdate\CIDs\SXXX\SAVSCFXP\Setup.exe -updp "\\\SophosUpdate\CIDs\SXXX\SAVSCFXP" -mng yes

Interestingly enough, this vendor, Sophos, has a tool for Active Directory sync. The tool is supposed to automatically deploy the client when discovered as a new machine (server) in AD. Discovery works fine, but automatic installation fails.

The requirement for a successful install is that 3 services need to be started:

Windows task manager
Windows Installer
remote registry

By default, Windows Installer is set to manual (and it looks like the setting cannot be changed).
Remote Registry is set to "trigger start".
Task manager is started (set to automatic).

Deploy of client is to servers w2k08 /w2k12 / w2k16, which Sophos says is not supported for automatic deployment:

This makes no sense to me, because I have another application from a different vendor, which uses their own active directory Sync tool, that connects to a share and deploys flawlessly (on the same servers that I want to deploy with Sophos)

Ideally I would like to use the Sophos AD tool, but it does not work.

Therefore Sophos suggests using a batch script defined in Group policy:

which is the batch file that I am using.

Reboot of servers is not easy either, so forcing a reboot to launch installation is less than ideal.

There must be a way to resolve this easily, especially since I have another vendor that does this function correctly without issue.

Please don't leave my suggestion uncommented as if it wasn't made :-)
mbudman (Author) commented:

I would never ignore your comment. I just posted what I thought was a better explanation of my requirements as there was a request to post the batch file.

I am currently in the process of testing your solution and hopefully it will resolve the problem that I am facing.

Thanks for the input!
For an exe you need to have a wrapper, and it requires that your startup script execution waits for the network to be set up before running.
Using software deployment is likely a better approach than running it as a startup script, as it may, as noted, not be ready to run...
Look at Sophos and see if you have an option to use an MSI versus an exe to deploy the application...
mbudman (Author) commented:
Well, adding the rights for the computer group did not work.

Sophos is expecting a username / password combination

I cannot pass this information in clear text.

They have an encryption utility but it does not work.

Sophos' answer is that they do not support their own encryption utility because development of this utility was outsourced.

I have the misfortune of dealing with a level one tech who puts me on hold for every single question I ask. Amazing, no?

In any case, I cannot get automatic deployment to work.

Any suggestions?
See if setup.exe /? has options that could be used to centrally deploy.

Look if it has an option to use an answer file ....
mbudman (Author) commented:
Answer file will not work because it is expecting a username and password as input.
Look at software deployment: can you create an MSI file that does the quiet install and can be built through an enterprise console, if any?

Can the app be remotely pushed/deployed?
"Sophos is expecting a username / password combination" - I see! So you would like to use a start script (which runs as system account) and that start script of yours would use different credentials. That is not possible for the system account, since it cannot impersonate other users.
To verify what I just told you, please take a test machine, download psexec from the Microsoft PsTools, start cmd as system account (on an elevated command prompt, run psexec -s -i cmd) and on that new cmd shell which appears, launch your script - you will see all errors now.
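The check described above, as an added example that is not part of the original thread and not Sophos code: a PowerShell script that logs which account the startup context runs as and whether that account can read Setup.exe on the share, retrying while the network comes up. The $SharePath value, the log location and the retry counts are assumptions.

```powershell
# Added diagnostic example; not from the thread or from Sophos.
# Run it as a computer startup script, or from the SYSTEM shell opened with psexec -s -i cmd.
param(
    # Placeholder: UNC path of the install folder (the server name is not given in the thread).
    [Parameter(Mandatory = $true)][string]$SharePath,
    # Assumed local log location, writable by SYSTEM.
    [string]$LogFile = "$env:SystemRoot\Temp\startup-share-check.log",
    # Assumed retry budget: 12 attempts, 10 seconds apart.
    [int]$MaxAttempts = 12,
    [int]$DelaySeconds = 10
)

function Write-Log([string]$Message) {
    $line = '{0}  {1}' -f (Get-Date -Format 's'), $Message
    Add-Content -Path $LogFile -Value $line
}

# Startup scripts run as the local SYSTEM account; on the network that
# account authenticates as the computer account (DOMAIN\COMPUTERNAME$).
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Log "Running as '$identity' on $env:COMPUTERNAME"

$setup = [System.IO.Path]::Combine($SharePath, 'Setup.exe')
$reachable = $false
for ($i = 1; $i -le $MaxAttempts; $i++) {
    try {
        # -ErrorAction Stop turns a failed lookup into a catchable exception,
        # so the message is written to the log instead of being lost at startup.
        $item = Get-Item -LiteralPath $setup -ErrorAction Stop
        Write-Log "Attempt ${i}: can read $setup ($($item.Length) bytes)"
        $reachable = $true
        break
    }
    catch {
        Write-Log "Attempt ${i}: $($_.Exception.GetType().Name): $($_.Exception.Message)"
        Start-Sleep -Seconds $DelaySeconds
    }
}

if ($reachable) {
    Write-Log 'Share is readable from this context; a remaining credential error comes from the installer, not the share.'
    exit 0
}
Write-Log 'Share not readable; check share and NTFS permissions for the computer account and network readiness at startup.'
exit 1
```

The log separates the two failure causes discussed in this thread: a share the computer account cannot read, and an installer that asks for its own credentials.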
I am not familiar with Sophos but the fact it requires the MSI installer would lead me to believe the Setup.exe actually extracts an MSI file to a temp folder then runs the install. Have you tried to start the installer on a test machine then kill the install to see if an MSI file is placed in a temp folder? Regarding their command line switch I do not see an extract option listed outright.
To see if there is an MSI, follow the suggestion by compdigit, but do not kill; look in %TEMP% for a newly created directory where the MSI file might be.
Note the %TEMP% is relative to the user whose credentials are used to elevate rights to allow the install.
mbudman (Author) commented:
I do not know how to convert Sophos' setup and configuration (which requires a username and password) to an MSI. The account used for the setup would always be the same - a service account.

Sophos has provided a utility that encrypts the user name and password, values which I can send via the initial .bat file set up script. I have tested and this works. It seems that this is the best solution.

Sophos does not require an MSI installer. Instead, I would prefer an MSI installer as I would be able to properly deploy the client through group policy.
Please be aware that password encryption is not secure. It will be decrypted and dumped to a temporary file that can eventually be undeleted by users that know about this process. (just a note, I know that this will not be likely to happen).

mbudman (Author) commented:
Thank you for your assistance