Link to home
Create AccountLog in
Avatar of Jeremy Cunningham
Jeremy Cunningham

asked on

Install UAC Programs on Domain Computers Windows server 2016

Hello Fellas,

I am a brand new network admin fresh out of college. I have only taken classes on ADDS and am now responsible for the ADDS. I currently want to install a program which has to run as admin ,as it prompts for UAC, on all of my 33 computers within my domain. I could go around and install them manually but that I feel is lame and wont help me learn. So I created a script to install the program with admin credentials. Now not only is this a bad idea as it has my username and password as plain text but it also doesn't work as a run at login script within gpo (Computer config -->Policies-->  windows settings) nor does it work within task scheduler. I am running Windows server 2016. I have tried enabling windows powershell execution and its currently set as allow all scripts. I have also changed it to a user policy on a different gpo on another OU called bullpen user restrictions and it still fails. I ensured that its linked and enforced. Here is my domain forest from a zoomed out perspective:

I have tried some other programs to get around the UAC but all have failed in some way or another. I have tried RUNASGUI, Autoit, converting the exe to an msi and editing it with Orca but no dice. The script will work if I navigate to the share its stored on (yes domain users and computers have permissions) and run the script it works and installs the program successfully. I plan on at least encrypting the credentials but one thing at a time and that is automation. Any help is appreciated and thanks!
Avatar of Cliff Galiher
Cliff Galiher
Flag of United States of America image

Don't chase a bad idea... And by your own admission, you kniw this is a bad idea. Use a tool meant for software deployment. At the very least, GPS does this for free  though I don't a tally recommend it nor do I find it scalable.

At 30ish computers, SpecOps Deploy or Intune are examples of mid-market management products worth considering. For larger deployments, you start seeing enterprise products like SCCM. But scripting doesn't give you reliable success or failure metrics nor is it scalable for installing product patches, updates, etc. You'll waste more time maintaining it than you'd spend manually touching each machine AND it'd be terribly insecure.
Avatar of Jeremy Cunningham
Jeremy Cunningham

ASKER

I agree that was why I wanted to put it up for you guys to give me some current advice on. I thank you for your suggestions! I am going to check out GPS the  free solution for now. I appreciate it. Let me know if there are any other free solutions.
Blame autocorrect. GPSI, not GPS. Group Policy Software Installation. Required the installer to he a valid and working MSI file. But for very small networks it is doable.
To add to other 3rd party deploy tools mentioned, I like to use PDQ Deploy by adminarsenals. It's reasonably priced and very easy to use. https://www.pdq.com/pdq-deploy/
I do have an msi file but it isnt silent and requires admin credentials which is not desirable for automation. @NVIT have you used PDQ Deploy on msi files that require UAC? Does it work?

Thanks Cliff I will look into GPSI to see if it can take away the UAC issue.
I haven't had UAC issues as yet.
SOLUTION
Avatar of NVIT
NVIT
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Most installers require admin privileges. Which is where deployment tools such as GPSI come in. They do run in the system context so installs without user intervention or requiring user admin privileges.
Hey Cliff, For some reason I cant find GPSI. Is that a program? Or is it in Add roles and features somewhere? Do you have a link to download it? Thanks!
It's a part of group policy.
Hello All here is an update! GPSI or Group Policy Software installation Extension will only install programs that do not require admin credentials or User Access Control(UAC). PDQ deploy can get around this and I thought that this would work however the exe needs t run silently. It will not work if there is a user interface (UI). So I guess I am stuck because the exe file that I want to install requires UAC and has a UI and even though I created a script with Autoit  that will mouse click through the installation process when I use this via PDQ Deploy it fails because PDQ Deploy requires the msi or exe to be silent. So I am stuck, I even opened the msi file with orca in order change the msi file and disable the UI. But when I do this with msiexec.exe /i programname /quiet it fails to run. I work for PIA and asked if a silent installer can be created by the devs but they have other things on their plate atm. The program I am attempting to install on all computers in my domain is the private internet access application which is a virtual private network. If anyone has any other ideas please let me know and as always thank you for your suggestions they have helped me learn and grow.
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER CERTIFIED SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Ok so this can be closed I misunderstood the GPO Software installation extension, I thought that it couldn't install admin credential programs but the reason it wouldn't install is due to the UI. That is why it wouldn't install, Using PDQ deploy would very well fix the issue but it costs money and I decided that installing a VPN would only cause disconnections from my ADDS server causing me grief and more problems such as roaming profiles not updating. Thank you for the education you guys have been awesome!
Both of these gents are great! Cliff educated me on GPSI and NVIT showed me a work around to UI programs.
I'm glad to help, Jeremy...