Problem running batch file through GPO


I am working with group policy and I am trying to launch a script that connects to a share (on a file server that is a member of the domain) and execute a setup program.

The script is launched through group policy at:

Computer Configuration -> Policies -> Windows Settings -> Scripts -> Startup

The script does execute, but I am getting an error when it tries to connect to an active domain share, indicating wrong username or password.

The share does allow everyone read only (which is the correct access level rights) and security rights allow everyone to read / list / execute. Domain users are allowed to read / list / execute.

Is there a way to run the program on the share without the system prompting for username / password?

McKnife commented:
Please be aware that password encryption is not secure. It will be decrypted and dumped to a temporary file that can eventually be undeleted by users that know about this process. (just a note, I know that this will not be likely to happen).
You need to allow the group "domain computers" to access the share at NTFS and share level.
Shaun Vermaak (Technical Specialist/Developer) commented:
Are you willing to share the batch file? There are probably better ways to do it than running a batch.
mbudman (Author) commented:
Here is the original command provided by the vendor (Sophos)

\\\SophosUpdate\CIDs\SXXX\SAVSCFXP\Setup.exe -updp "\\\SophosUpdate\CIDs\SXXX\SAVSCFXP" -u <<USERNAME>> -p <<PASSWORD>> -mng yes

I would like to be able to do the same command without providing a user name and password:

\\\SophosUpdate\CIDs\SXXX\SAVSCFXP\Setup.exe -updp "\\\SophosUpdate\CIDs\SXXX\SAVSCFXP" -mng yes

Interestingly enough, this vendor, Sophos, has a tool for Active Directory sync. The tool is supposed to automatically deploy the client when discovered as a new machine (server) in AD. Discovery works fine, but automatic installation fails.

The requirements for a successful install are that 3 services need to be started:

Windows task manager
Windows Installer
remote registry

By default, Windows Installer is set to manual (and it looks like the setting cannot be changed)
Remote Registry is set to "trigger start"
Task manager is started (set to automatic)

Deploy of client is to servers w2k08 /w2k12 / w2k16, which Sophos says is not supported for automatic deployment:

This makes no sense to me, because I have another application from a different vendor, which uses their own active directory Sync tool, that connects to a share and deploys flawlessly (on the same servers that I want to deploy with Sophos)

Ideally I would like to use the Sophos AD tool, but it does not work.

Therefore Sophos suggests using a batch script defined in Group policy:

which is the batch file that I am using.

Reboot of servers is not easy either, so forcing a reboot to launch installation is less than ideal.

There must be a way to resolve this easily, especially since I have another vendor that does this function correctly without issue.
Please don't leave my suggestion uncommented as if it wasn't made :-)
mbudman (Author) commented:

I would never ignore your comment. I just posted what I thought was a better explanation of my requirements as there was a request to post the batch file.

I am currently in the process of testing your solution and hopefully it will resolve the problem that I am facing.

Thanks for the input!
arnold commented:
For an exe you need to have a wrapper, and it requires that your startup script execution waits for the network to be set up before running.
Using software deployment is likely a better approach than running it as a startup script, as it may, as noted, not be ready to run...
Look at Sophos and see if you have an option to use an MSI versus an exe to deploy the application...
mbudman (Author) commented:
Well, adding the rights for the computer group did not work.

Sophos is expecting a username / password combination

I cannot pass this information in clear text.

They have an encryption utility but it does not work.

Sophos answer is that they do not support their own encryption utility because development of this utility was out-sourced.

I have the misfortune of dealing with a level one tech who puts me on hold for every single question I ask. Amazing, no?

In any case, I cannot get automatic deployment to work.

Any suggestions?
See if setup.exe /? has options that could be used to centrally deploy.

Look if it has an option to use an answer file ....
mbudman (Author) commented:
Answer file will not work because it is expecting a username and password as input.
Look at software deployment: can you create an MSI file that does the quiet install and can be built through an enterprise console, if any?

Can the app be remotely pushed/deployed?
"Sophos is expecting a username / password combination" - I see! So you would like to use a start script (which runs as system account) and that start script of yours would use different credentials. That is not possible for the system account, since it cannot impersonate other users.
To verify what I just told you, please take a test machine, download psexec from the microsoft pstools, start cmd as system account (on an elevated command prompt, run psexec -s -i cmd) and on that new cmd shell which appears, launch your script - you will see all errors, now.
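The access side of this can be checked on the file server itself. The following PowerShell is an added example, not part of the original thread or any participant's post; it assumes the share name SophosUpdate from the command quoted above and the built-in SmbShare module (Windows Server 2012 or later), and it does not resolve nested group membership.

```powershell
# Added example, not from the thread. Run elevated on the file server hosting the share.
# Assumption: the share is named SophosUpdate, as in the command quoted in the thread.
$ShareName = 'SophosUpdate'

# A startup script runs as SYSTEM, which authenticates to other machines as the
# computer account (DOMAIN\HOSTNAME$). These groups include domain computer accounts.
$Covering = 'Domain Computers', 'Authenticated Users', 'Everyone'

function Test-CoversComputer([string]$Account) {
    # Compare only the leaf name so DOMAIN\ and NT AUTHORITY\ prefixes do not matter.
    $Covering -contains ($Account -split '\\')[-1]
}

function Get-Verdict($Aces) {
    # A Deny entry wins over any Allow entry, so report it first.
    if ($Aces | Where-Object { "$($_.AccessControlType)" -eq 'Deny' })  { return 'DENY entry present' }
    if ($Aces | Where-Object { "$($_.AccessControlType)" -eq 'Allow' }) { return 'read allowed' }
    'no matching entry'
}

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Share-level permissions: any access right (Read, Change, Full) includes read.
$shareAces = Get-SmbShareAccess -Name $ShareName |
    Where-Object { Test-CoversComputer $_.AccountName }

# NTFS permissions on the share root: require the full ReadAndExecute bit set.
$read = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$ntfsAces = (Get-Acl -Path $share.Path).Access |
    Where-Object { (Test-CoversComputer $_.IdentityReference.Value) -and
                   (($_.FileSystemRights -band $read) -eq $read) }

# Both levels must allow read for the computer account to reach Setup.exe.
[pscustomobject]@{
    Share      = $ShareName
    Path       = $share.Path
    ShareLevel = Get-Verdict $shareAces
    NtfsLevel  = Get-Verdict $ntfsAces
}
```

If both columns report "read allowed" and the install still fails under SYSTEM, the share permissions are not the cause and the installer's own credential requirement is the remaining suspect.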
I am not familiar with Sophos but the fact it requires the MSI installer would lead me to believe the Setup.exe actually extracts an MSI file to a temp folder then runs the install. Have you tried to start the installer on a test machine then kill the install to see if an MSI file is placed in a temp folder? Regarding their command line switch I do not see an extract option listed outright.
To see if an MSI, follow the suggestion by compdigit, but do not kill, look in %TEMP% for a newly created directory where the msi file might be
Note the %TEMP% is relative to the user whose credentials are used to elevate rights to allow the install.
mbudman (Author) commented:
I do not know how to convert Sophos' setup and configuration (which requires a username and password) to an MSI. The account used for the setup would always be the same - a service account.

Sophos has provided a utility that encrypts the user name and password, values which I can send via the initial .bat file set up script. I have tested and this works. It seems that this is the best solution.

Sophos does not require an MSI installer. Instead, I would prefer an MSI installer as I would be able to properly deploy the client through group policy.
mbudman (Author) commented:
Thank you for your assistance
Question has a verified solution.