Need assistance configuring GPO assigned script to run with admin privileges under normal domain user account

Raymond Norton
Raymond Norton used Ask the Experts™
on
I am attempting to silently run an uninstall script via a GPO when a normal domain user logs into the device.
My understanding is that anything run at startup uses the system account and therefore the script should work fine but that is not my experience. The files copy over fine and the script runs but not with admin (install) privileges.

Any assistance to resolve this is appreciated

(See attached screenshots)

CMD file being executed:

@echo off
if not exist "C:\Programdata\install_wim_tweak.exe" xcopy "\\maccrayhs\msiapps\uninstall_edge\*.*" "C:\Programdata\"
echo Uninstalling Microsoft Edge...
cd /d "%~dp0"
echo Uninstalling Microsoft Edge...
CLS
C:\Programdata\install_wim_tweak.exe /o /l
C:\Programdata\install_wim_tweak.exe /o /c Microsoft-Windows-Internet-Browser-Package /r
C:\Programdata\install_wim_tweak.exe /h /o /l

Open in new window

Screenshot-from-2018-11-16-09-31-08.png
Screenshot-from-2018-11-16-09-31-35.png
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
MaheshArchitect
Distinguished Expert 2018

Commented:
If user doesn't have admin rights on machine, then uninstall scripts at logon or logoff will not work

U need to add scripts to system start up script under computer configuration
Raymond NortonWAN Admin

Author

Commented:
Correct, that is what my screenshots show. Do I need to do it differently than what is shown?
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Run those EXEs as a Software Installation using Zap files
https://www.itninja.com/blog/view/use-zap-files-to-publish-non-msi-setups-via-gpo
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Raymond NortonWAN Admin

Author

Commented:
Links are broken and I am hoping to resolve the issue without installing third-party software. Maybe that is not realistic.
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Software deployment GPO and zap files are not 3rd party
NVITEnd-user support

Commented:
How do you know the cmd script isn't running? To test, I'd put a line at the top that echo's text to a file. If the file exists, with the text, it works. e.g.

@echo off
ECHO It works>>c:\testscript.txt

if not exist "C:\Programdata\install_wim_tweak.exe" xcopy "\\maccrayhs\msiapps\uninstall_edge\*.*" "C:\Programdata\"
echo Uninstalling Microsoft Edge...
cd /d "%~dp0"
echo Uninstalling Microsoft Edge...
CLS
C:\Programdata\install_wim_tweak.exe /o /l
C:\Programdata\install_wim_tweak.exe /o /c Microsoft-Windows-Internet-Browser-Package /r
C:\Programdata\install_wim_tweak.exe /h /o /l

Open in new window

Raymond NortonWAN Admin

Author

Commented:
It runs but does not execute the program properly. if I choose to run as administrator, it runs and executes properly. That will not work in our environment. I need it to run with elevated privs in startup.
MaheshArchitect
Distinguished Expert 2018

Commented:
have you tried disabling UAC on affected machine and executed script with startup GPO

may be you need to disable user access controls form gpedit.msc on machine instead of control panel
Raymond NortonWAN Admin

Author

Commented:
Really don't want to do that . Tested a gpo, disabling UAC and user got a pop up saying UAC was disabled but needed a reboot.
Raymond NortonWAN Admin

Author

Commented:
Shaun Vermaak, do you have an example of how zap might work executing the .cmd  shown in the original post? I am not finding simple documentation explaining it.
Can that script be run under the computer configuration instead of the user?
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Shaun Vermaak, do you have an example of how zap might work executing the .cmd  shown in the original post? I am not finding simple documentation explaining it.
In the article posted
WAN Admin
Commented:
I couldn't figure out how to get zap to work, so I went with psexec.

I copied necessary files over to each workstation via a gpo startup script and then ran the following command to execute the .cmd file:

psexec -s "@text file of workstation IPs" \\server\share\uninstall.cmd

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial