Install UAC Programs on Domain Computers Windows server 2016

Hello Fellas,

I am a brand new network admin fresh out of college. I have only taken classes on ADDS and am now responsible for the ADDS. I currently want to install a program which has to run as admin, as it prompts for UAC, on all of my 33 computers within my domain. I could go around and install them manually, but that I feel is lame and won't help me learn. So I created a script to install the program with admin credentials. Now not only is this a bad idea, as it has my username and password as plain text, but it also doesn't work as a run-at-login script within GPO (Computer config --> Policies --> Windows settings), nor does it work within Task Scheduler. I am running Windows Server 2016. I have tried enabling Windows PowerShell execution and it's currently set to allow all scripts. I have also changed it to a user policy on a different GPO on another OU called bullpen user restrictions and it still fails. I ensured that it's linked and enforced. Here is my domain forest from a zoomed out perspective:

I have tried some other programs to get around the UAC but all have failed in some way or another. I have tried RUNASGUI, AutoIt, converting the exe to an msi and editing it with Orca, but no dice. The script will work if I navigate to the share it's stored on (yes, domain users and computers have permissions) and run the script; it works and installs the program successfully. I plan on at least encrypting the credentials, but one thing at a time, and that is automation. Any help is appreciated and thanks!
Asked by: Jeremy Cunningham, Network Administrator
 
Cliff Galiher commented:
GPSI can absolutely install software that requires admin privileges without giving the user those admin privileges. Not sure where you read otherwise.

If the product does not have any install silent option, no option will get past that though. Since the UI requires some sort of interaction, it can't be scripted or automated. Not even the expensive products can solve that for you.
 
Cliff Galiher commented:
Don't chase a bad idea... And by your own admission, you know this is a bad idea. Use a tool meant for software deployment. At the very least, GPS does this for free, though I don't actually recommend it nor do I find it scalable.

At 30ish computers, SpecOps Deploy or Intune are examples of mid-market management products worth considering. For larger deployments, you start seeing enterprise products like SCCM. But scripting doesn't give you reliable success or failure metrics nor is it scalable for installing product patches, updates, etc. You'll waste more time maintaining it than you'd spend manually touching each machine AND it'd be terribly insecure.
 
Jeremy Cunningham, Network Administrator (author) commented:
I agree; that was why I wanted to put it up for you guys to give me some current advice on. I thank you for your suggestions! I am going to check out GPS, the free solution, for now. I appreciate it. Let me know if there are any other free solutions.

 
Cliff Galiher commented:
Blame autocorrect. GPSI, not GPS. Group Policy Software Installation. Requires the installer to be a valid and working MSI file. But for very small networks it is doable.
 
NVIT commented:
To add to other 3rd party deploy tools mentioned, I like to use PDQ Deploy by adminarsenals. It's reasonably priced and very easy to use. https://www.pdq.com/pdq-deploy/
 
Jeremy Cunningham, Network Administrator (author) commented:
I do have an msi file but it isn't silent and requires admin credentials, which is not desirable for automation. @NVIT have you used PDQ Deploy on msi files that require UAC? Does it work?

Thanks, Cliff. I will look into GPSI to see if it can take away the UAC issue.
 
NVIT commented:
I haven't had UAC issues as yet.
 
NVIT commented:
Try their free version to see if it works for you. UAC may need to be turned off "When deploying to targets in child/sub-domains using a domain-specific account, OR to targets in a workgroup" https://support.pdq.com/hc/en-us/articles/220509287-How-It-Works-PDQ-Deploy
 
Cliff Galiher commented:
Most installers require admin privileges, which is where deployment tools such as GPSI come in. They do run in the system context, so they install without user intervention or requiring user admin privileges.
 
Jeremy Cunningham, Network Administrator (author) commented:
Hey Cliff, for some reason I can't find GPSI. Is that a program? Or is it in Add Roles and Features somewhere? Do you have a link to download it? Thanks!
 
Cliff Galiher commented:
It's a part of group policy.
 
Jeremy Cunningham, Network Administrator (author) commented:
Hello all, here is an update! GPSI, or Group Policy Software Installation extension, will only install programs that do not require admin credentials or User Access Control (UAC). PDQ Deploy can get around this and I thought that this would work; however, the exe needs to run silently. It will not work if there is a user interface (UI). So I guess I am stuck, because the exe file that I want to install requires UAC and has a UI, and even though I created a script with AutoIt that will mouse click through the installation process, when I use this via PDQ Deploy it fails because PDQ Deploy requires the msi or exe to be silent. So I am stuck. I even opened the msi file with Orca in order to change the msi file and disable the UI. But when I do this with msiexec.exe /i programname /quiet it fails to run. I work for PIA and asked if a silent installer can be created by the devs, but they have other things on their plate atm. The program I am attempting to install on all computers in my domain is the Private Internet Access application, which is a virtual private network. If anyone has any other ideas please let me know, and as always thank you for your suggestions; they have helped me learn and grow.
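An added example, not part of the original thread and not code from PIA, PDQ or Microsoft: a computer startup script for the GPO path mentioned in the question, which runs in the system context Cliff describes, so it needs no stored admin password. It runs an MSI with the quiet flags, writes a verbose log and records the Windows Installer exit code, which is where to look when a `/quiet` install "fails to run". The share path, package name and log file names are placeholders.

```powershell
# Added example (not from the thread). Intended to run as a GPO computer
# startup script, which executes as SYSTEM: no admin password in the script.
param(
    # Placeholder share path and log directory; substitute your own.
    [string]$Package = '\\fileserver.example.local\deploy\programname.msi',
    [string]$LogDir  = "$env:SystemRoot\Temp"
)

# Windows Installer exit codes worth telling apart when a quiet install fails.
$ExitCodes = @{
    0    = 'Success'
    1602 = 'User cancelled the installation'
    1603 = 'Fatal error during installation (read the verbose log)'
    1618 = 'Another installation is already in progress'
    1619 = 'Package could not be opened (path or share permissions)'
    1641 = 'Success, reboot initiated'
    3010 = 'Success, reboot required'
}

# Outside the SYSTEM context msiexec needs an elevated token, i.e. a UAC prompt.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsSystem) {
    Write-Warning "Running as $($identity.Name), not SYSTEM; the install may need elevation."
}

# SYSTEM reaches the share as the computer account, so Domain Computers need read access.
if (-not (Test-Path -LiteralPath $Package)) {
    Write-Error "Package not reachable: $Package"
    exit 1619
}

$name    = [IO.Path]::GetFileNameWithoutExtension($Package)
$msiLog  = Join-Path $LogDir "${name}-msi.log"
$msiArgs = @('/i', "`"$Package`"", '/qn', '/norestart', '/L*v', "`"$msiLog`"")

# /qn = no UI, /norestart = never reboot mid-startup, /L*v = verbose log.
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
$code = $proc.ExitCode

# One result line per machine gives the success/failure record a bare script lacks.
$meaning = if ($ExitCodes.ContainsKey($code)) { $ExitCodes[$code] } else { 'Unlisted code, see log' }
$line = '{0:s} {1} {2} exit={3} ({4})' -f (Get-Date), $env:COMPUTERNAME, $name, $code, $meaning
Add-Content -Path (Join-Path $LogDir 'deploy-results.log') -Value $line
exit $code
```

A package whose installer insists on showing a UI will still fail here; the verbose log and the recorded exit code show which step stopped it.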
 
NVIT commented:
> PDQ Deploy requires the msi or exe to be silent

Have you tried the PDQ package options:
- Deploy User (Interactive): Executes deployments that include both silent and interactive steps. This setting is the same as Deploy User with one important exception—the Windows process running the deployment is run in an interactive session.

...or

- Logged on User: Attempts to run packages in interactive mode as the Logged On User of the target machine
 
Jeremy Cunningham, Network Administrator (author) commented:
OK, so this can be closed. I misunderstood the GPO Software Installation extension: I thought that it couldn't install admin credential programs, but the reason it wouldn't install is due to the UI. That is why it wouldn't install. Using PDQ Deploy would very well fix the issue, but it costs money, and I decided that installing a VPN would only cause disconnections from my ADDS server, causing me grief and more problems such as roaming profiles not updating. Thank you for the education; you guys have been awesome!
 
Jeremy Cunningham, Network Administrator (author) commented:
Both of these gents are great! Cliff educated me on GPSI and NVIT showed me a workaround to UI programs.
 
NVIT commented:
I'm glad to help, Jeremy...