Hi All, I access Task Sequence Variables in a running SCCM Task Sequence with the script providedin http://msdn.microsoft.com/en-us/library/cc145669.aspx. It works all the time except for one specific case which is: - The script is executed from RunCommandLine step that has a RunAs set on user which ismember of local administrators group. The error it gives is "Permission Denied". Havewe missed something? In advance, thanks for the replies. Regards, Chirag

Hi Chraig Have you tried to run the script without the RunAs set?? I mean, running stuff from within the TS should already make use of the local administrator account I could be wrong here, but I do think this is the default way SCCM works, as you are not able to run packages within your TS unless they are set to run as local administrator. Just a thought Michael

Thanks for the quick reply Michael. We (Chirag and I) need to use RunAs because the task has to have rights to create a database on a remote SQL Server instance. I don't think that can be done from just the Local System account?

Daniel Turley wrote: Thanks for the quick reply Michael. We (Chirag and I) need to use RunAs because the task has to have rights to create a database on a remote SQL Server instance. I don't think that can be done from just the Local System account? I assume that you have R2, and that you havea "Run Command Line" step, and that you have specified the "Run this step as the following account" option, then the following reasons could explain the failure: 1. The script is on a network share and the machine account of the client has no rights to access that share. 2. The script is a .net application that is on a network share, and the run-time settings on the client forbids the execution of .net apps from the network. 3. The account specified for the 'Run Command Line' step does not have rights to the SQL server. Try logging on using that account and then connect to the SQL server. 4. Thepassword specified for the 'Run Command Line' stepis incorrect. Try specifyng the password again.

Sorry, let me try explaining our situation better. I have boiled it down to the following test using a very simple script. The script is simply the code from here <http://blogs.technet.com/deploymentguys/archive/2008/08/29/outputting-all-the-configuration-manager-task-sequence-variables.aspx> that accesses task sequence variables. The line in the code that fails is the for each loop. It seems that calling GetVariables in step 5 below throws an access denied error, but calling that same method in steps 1, 2, and 4 works perfectly. Task sequence is started while logged into an existing OS 1. Run command line without runas, succeeds 2. Run command line with runas, succeeds 3. Restart into default OS (same OS where Istarted the task sequence) 4. Run command line without runas, succeeds 5. Run command line with runas, fails Each run command line executes the exact same command line (the exact same script). The package the script is in is set to download locally. The runasaccount specified in thesteps 2 and 4 is the same accountand it is in the Administrators group and UAC is turned off. I can run this exact TS again and again on the same OS on the same machine and get the same result. After the reboot in step 3, step 5 always fails, and if I just start the TS again, step 2 will succeed. What's the difference between running step 2 before a restart and running step 5 after a restart? This looks to me like a serious bug in SCCM's OSD.

Daniel Turley wrote: Sorry, let me try explaining our situation better. I have boiled it down to the following test using a very simple script. The script is simply the code from here <http://blogs.technet.com/deploymentguys/archive/2008/08/29/outputting-all-the-configuration-manager-task-sequence-variables.aspx> that accesses task sequence variables. The line in the code that fails is the for each loop. It seems that calling GetVariables in step 5 below throws an access denied error, but calling that same method in steps 1, 2, and 4 works perfectly. Task sequence is started while logged into an existing OS 1. Run command line without runas, succeeds 2. Run command line with runas, succeeds 3. Restart into default OS (same OS where Istarted the task sequence) 4. Run command line without runas, succeeds 5. Run command line with runas, fails Each run command line executes the exact same command line (the exact same script). The package the script is in is set to download locally. The runasaccount specified in thesteps 2 and 4 is the same accountand it is in the Administrators group and UAC is turned off. I can run this exact TS again and again on the same OS on the same machine and get the same result. After the reboot in step 3, step 5 always fails, and if I just start the TS again, step 2 will succeed. What's the difference between running step 2 before a restart and running step 5 after a restart? This looks to me like a serious bug in SCCM's OSD. Sorry that I misunderstood the question. If step (2) and step (4) are identical, and that the OS environment is identical, thenthose twoshould behave the same way. Perhaps, those two steps are not identical after all. You may have to re-enter the password for step (4). It may be incorrect.

I used the copy and paste feature in the task sequence editor when creating this test. Does that remove the data from password fields?

Daniel Turley wrote: I used the copy and paste feature in the task sequence editor when creating this test. Does that remove the data from password fields? Yes, the copy action removes the values from the "secret" fields (like the password in the Run-As option). So, when you do the 'paste', the step does not have the password. This is the same thing that happens when you export a TS to an XML file - the 'secret' fields are not extracted. Theseare alldone for security reasons (the clipboard isnot a safeplace to hold passwords).

Lets cut short our discussion and problemto asimple question: Canwe make the contents in script belowwork in a RunAs withRunCommandLineStep after the OS install's "Setup Windows and Config Mgr" step of OSD TS? Code Snippet Sub UseTaskSequenceVariables() dim osd: set env = CreateObject("Microsoft.SMS.TSEnvironment") dim logPath ' You can query the environment to get an existing variable. logPath = env("_SMSTSLogPath") wscript.echo logPath ' You can also set a variable in the Operating System Deployment environment. env("MyCustomVariable") = "My Custom Value" ' Set the OSDPartitions(0) Bootable array member to 0. env("OSDPartitions0Bootable") = "true"End Sub I am not able to make it workeven after resetting and recheckingpasswords for each RunAs step. Kerwin, it will be great and really helpfulif youcan please takeout some time andcheck the scenario quickly, since weguys are heading nowheredue tothis SCCM bug/issue? Thanks & Regards, Chirag

Chirag (CG) wrote: Lets cut short our discussion and problemto asimple question: Canwe make the contents in script belowwork in a RunAs withRunCommandLineStep after the OS install's "Setup Windows and Config Mgr" step of OSD TS? Code Snippet Sub UseTaskSequenceVariables() dim osd: set env = CreateObject("Microsoft.SMS.TSEnvironment") dim logPath ' You can query the environment to get an existing variable. logPath = env("_SMSTSLogPath") wscript.echo logPath ' You can also set a variable in the Operating System Deployment environment. env("MyCustomVariable") = "My Custom Value" ' Set the OSDPartitions(0) Bootable array member to 0. env("OSDPartitions0Bootable") = "true"End Sub I am not able to make it workeven after resetting and recheckingpasswords for each RunAs step. Kerwin, it will be great and really helpfulif youcan please takeout some time andcheck the scenario quickly, since weguys are heading nowheredue tothis SCCM bug/issue? Thanks & Regards, Chirag I don't have access to a site at the moment. I would have to ask someone else to do the test, and we could get a result early next week. In the mean time, can you please look at the SMSTS.log file to see what the actual failure is? There are two things that could fail: 1. Before the TS engine starts the script, it does a "logon as user" procedure using the username/password that is given to thestep. If this fails, it means that the OS rejected the credentials. It could be that the machine is not yet joined to the domain and you are specifying a domain name/password. 2. The script itself failed. This means that the credentials don't have rights to the TS environment object.

Hi Kerwin, Thanks fortaking it up to verify. Would really appreciate the results early next week. We have been checking SMSTS.log from the very start. Answer to your queries are: 1. TS starts executing the scripts.So, we are 150% sure that "logon as user" passes correctly. 2. Errorwegetis"Permission Denied" at the line "env("MyCustomVariable") = "My Custom Value"" of vbscript asshown in the smsts.log file. By the way, we would like to knowon howto verify if this account has rights to TS Environment object and how to grant it. Though I do not see that as happening because, I can remotely program (using SCCM SDK) pretty mucheverything with the same account. Extra piece of information we've found is that, Aprevious line "logPath = env("_SMSTSLogPath")" does not give an error, butValue of "logPath" is empty -which is incorrect. The scriptdoes not have any errorson "dim osd: set env = CreateObject("Microsoft.SMS.TSEnvironment")" line also. To reproduce this problem, please make sure that the RunAs (different user account) RunCommandLine step - Runsafter OS installationfor e.g.post the "Setup Windows and ConfigMgr" step; - Executes the vbscript which acceses/writes SCCM variables. We shall await the results from you. Thanks again. BestRegards, Chirag Goradia

Chirag (CG) wrote: Hi Kerwin, Thanks fortaking it up to verify. Would really appreciate the results early next week. We have been checking SMSTS.log from the very start. Answer to your queries are: 1. TS starts executing the scripts.So, we are 150% sure that "logon as user" passes correctly. 2. Errorwegetis"Permission Denied" at the line "env("MyCustomVariable") = "My Custom Value"" of vbscript asshown in the smsts.log file. By the way, we would like to knowon howto verify if this account has rights to TS Environment object and how to grant it. Though I do not see that as happening because, I can remotely program (using SCCM SDK) pretty mucheverything with the same account. Extra piece of information we've found is that, Aprevious line "logPath = env("_SMSTSLogPath")" does not give an error, butValue of "logPath" is empty -which is incorrect. The scriptdoes not have any errorson "dim osd: set env = CreateObject("Microsoft.SMS.TSEnvironment")" line also. To reproduce this problem, please make sure that the RunAs (different user account) RunCommandLine step - Runsafter OS installationfor e.g.post the "Setup Windows and ConfigMgr" step; - Executes the vbscript which acceses/writes SCCM variables. We shall await the results from you. Thanks again. BestRegards, Chirag Goradia We ran that same sequence here, and it all worked well. It is basically: 1. Run the script. 2.Apply OS. 3. Setup Windows and ConfigMgr 4. Run the script. The TS Environment object is ACL'ed for the all-access for the built-in Local Admins group. In your case, it may be possible that the user account is not a member of the Local Admins group. You may have to verify that at the time that the script runs.

Hi Kerwin, Two queries for the sequence you mentioned: 1. Did both the "Run the script" steps were able to Either write to any SCCM environment variable Or output correct SCCM environment variable value? 2.We do not useUnattend filesin Apply OS task step.So, we use the command"net localgroup Administrators TestDomainNetbios\TestUserAccount /ADD"where the user TestUserAccount on domain TestDomainNetbios as Netbios namewillbe added to local Administrators group. Is this correct way to do it, so that TestUserAccount has an access to SCCM task sequence variables? Thanks for sharing the details of your test. Just wondering what wedid incorrectly. Regards, Chirag

Hi Kerwin, Again I tried to access (read/write) SCCM variables from a RunAsstep (usinglocal Administrator account). It stilldoes notwork. Can you please share your exportedtask sequence group for RunAs and VBScript which tries to access (read/write)the SCCM vars? OR Can you please help identifying the mistake in below scripts/task sequence group. Here arethe two exact scripts which do not work: CGTestVars1.vbs Option Explicit Dim fso, objFile, oTSEnv, oVar Set fso = CreateObject("Scripting.FileSystemObject")Set objFile = fso.CreateTextFile(WScript.Arguments(0), True)Set oTSEnv = CreateObject("Microsoft.SMS.TSEnvironment") For Each oVar In oTSEnv.GetVariables objFile.WriteLine oVar & "=" & oTSEnv(oVar)Next objFile.CloseSet objFile = NothingSet fso = Nothing CGTestVars2.vbs Option Explicit Dim fso, objFile, oTSEnv, oVar, logPath, myCustomVar Set fso = CreateObject("Scripting.FileSystemObject")Set objFile = fso.CreateTextFile(WScript.Arguments(0), True)Set oTSEnv = CreateObject("Microsoft.SMS.TSEnvironment") logPath = oTSEnv("_SMSTSLogPath")objFile.WriteLine "_SMSTSLogPath" & "=" & logPath oTSEnv("MyCustomVariable") = "My Custom Value"myCustomVar = oTSEnv("MyCustomVariable")objFile.WriteLine "MyCustomVariable" & "=" & myCustomVar objFile.CloseSet objFile = NothingSet fso = Nothing Here is an extract of task group (from task sequence) which does not work: Task Sequence Group which does not work for RunAs trying to access SCCM vars from VBScript. RunAs account is the LocalMachineName's Administrator <group name="Test RunAs2 RunCommandLine" description=""> <step type="SMS_TaskSequence_RunCommandLineAction" name="Run As 2 Command Line 1" description="" continueOnError="true" runIn="WinPEandFullOS" successCodeList="0 3010"> <action>smsswd.exe /run:AVA0003C cscript CGTestVars1.vbs %_SMSTSLogPath%\Test1VarListWithRunAs2.txt</action> <defaultVarList> <variable name="CommandLine" property="CommandLine" hidden="true">cscript CGTestVars1.vbs %_SMSTSLogPath%\Test1VarListWithRunAs2.txt</variable> <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable> <variable name="PackageID" property="PackageID" hidden="true">AVA0003C</variable> <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">true</variable> <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable> <variable name="SMSTSRunCommandLineUserName" property="UserName">localhost\Administrator</variable> <variable name="SMSTSRunCommandLineUserPassword" property="UserPassword"> </variable> </defaultVarList> </step> <step type="SMS_TaskSequence_RunCommandLineAction" name="Run As 2 Command Line 2" description="" continueOnError="true" runIn="WinPEandFullOS" successCodeList="0 3010"> <action>smsswd.exe /run:AVA0003C cscript CGTestVars2.vbs %_SMSTSLogPath%\Test2VarListWithRunAs2.txt</action> <defaultVarList> <variable name="CommandLine" property="CommandLine" hidden="true">cscript CGTestVars2.vbs %_SMSTSLogPath%\Test2VarListWithRunAs2.txt</variable> <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable> <variable name="PackageID" property="PackageID" hidden="true">AVA0003C</variable> <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">true</variable> <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable> <variable name="SMSTSRunCommandLineUserName" property="UserName">localhost\Administrator</variable> <variable name="SMSTSRunCommandLineUserPassword" property="UserPassword"> </variable> </defaultVarList> </step> </group> Thanks & Regards, Chirag Goradia

Chirag (CG) wrote: Hi Kerwin, Two queries for the sequence you mentioned: 1. Did both the "Run the script" steps were able to Either write to any SCCM environment variable Or output correct SCCM environment variable value? 2.We do not useUnattend filesin Apply OS task step.So, we use the command"net localgroup Administrators TestDomainNetbios\TestUserAccount /ADD"where the user TestUserAccount on domain TestDomainNetbios as Netbios namewillbe added to local Administrators group. Is this correct way to do it, so that TestUserAccount has an access to SCCM task sequence variables? Thanks for sharing the details of your test. Just wondering what wedid incorrectly. Regards, Chirag 1. Yes, both reading and writing to the environment succeeded.2. I believe that account was not added this way. I might be able to have the test re-run.

Chirag (CG) wrote: Hi Kerwin, Again I tried to access (read/write) SCCM variables from a RunAsstep (usinglocal Administrator account). It stilldoes notwork. Can you please share your exportedtask sequence group for RunAs and VBScript which tries to access (read/write)the SCCM vars? OR Can you please help identifying the mistake in below scripts/task sequence group. Here arethe two exact scripts which do not work: CGTestVars1.vbs Option Explicit Dim fso, objFile, oTSEnv, oVar Set fso = CreateObject("Scripting.FileSystemObject")Set objFile = fso.CreateTextFile(WScript.Arguments(0), True)Set oTSEnv = CreateObject("Microsoft.SMS.TSEnvironment") For Each oVar In oTSEnv.GetVariables objFile.WriteLine oVar & "=" & oTSEnv(oVar)Next objFile.CloseSet objFile = NothingSet fso = Nothing CGTestVars2.vbs Option Explicit Dim fso, objFile, oTSEnv, oVar, logPath, myCustomVar Set fso = CreateObject("Scripting.FileSystemObject")Set objFile = fso.CreateTextFile(WScript.Arguments(0), True)Set oTSEnv = CreateObject("Microsoft.SMS.TSEnvironment") logPath = oTSEnv("_SMSTSLogPath")objFile.WriteLine "_SMSTSLogPath" & "=" & logPath oTSEnv("MyCustomVariable") = "My Custom Value"myCustomVar = oTSEnv("MyCustomVariable")objFile.WriteLine "MyCustomVariable" & "=" & myCustomVar objFile.CloseSet objFile = NothingSet fso = Nothing Here is an extract of task group (from task sequence) which does not work: Task Sequence Group which does not work for RunAs trying to access SCCM vars from VBScript. RunAs account is the LocalMachineName's Administrator <group name="Test RunAs2 RunCommandLine" description=""> <step type="SMS_TaskSequence_RunCommandLineAction" name="Run As 2 Command Line 1" description="" continueOnError="true" runIn="WinPEandFullOS" successCodeList="0 3010"> <action>smsswd.exe /run:AVA0003C cscript CGTestVars1.vbs %_SMSTSLogPath%\Test1VarListWithRunAs2.txt</action> <defaultVarList> <variable name="CommandLine" property="CommandLine" hidden="true">cscript CGTestVars1.vbs %_SMSTSLogPath%\Test1VarListWithRunAs2.txt</variable> <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable> <variable name="PackageID" property="PackageID" hidden="true">AVA0003C</variable> <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">true</variable> <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable> <variable name="SMSTSRunCommandLineUserName" property="UserName">localhost\Administrator</variable> <variable name="SMSTSRunCommandLineUserPassword" property="UserPassword"> </variable> </defaultVarList> </step> <step type="SMS_TaskSequence_RunCommandLineAction" name="Run As 2 Command Line 2" description="" continueOnError="true" runIn="WinPEandFullOS" successCodeList="0 3010"> <action>smsswd.exe /run:AVA0003C cscript CGTestVars2.vbs %_SMSTSLogPath%\Test2VarListWithRunAs2.txt</action> <defaultVarList> <variable name="CommandLine" property="CommandLine" hidden="true">cscript CGTestVars2.vbs %_SMSTSLogPath%\Test2VarListWithRunAs2.txt</variable> <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable> <variable name="PackageID" property="PackageID" hidden="true">AVA0003C</variable> <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">true</variable> <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable> <variable name="SMSTSRunCommandLineUserName" property="UserName">localhost\Administrator</variable> <variable name="SMSTSRunCommandLineUserPassword" property="UserPassword"> </variable> </defaultVarList> </step> </group> Thanks & Regards, Chirag Goradia Those are almost identical to the script that was tested here. So, I think the script is fine but the credentials are not.How about trying a domain admin account, just to verify that method works with a proper account?Cheers!

Hi Kerwin, We ran a test where the VBScript executed from RunAs under a Domain User ( and avoided accessing SCCM variables ).This VBScript was expected to: Firstly, create text files on folder in local data drive ( D:\ ) Secondly, copy these text files to UNC share which is accessible to the Domain User and NOT LocalSystem account Result for above test is affirmative ( it worked perfectly fine ). We thus know that the domain user has correct access to UNC share. We also verified that this domain userhad correctlygot added tolocal administrators group. This tells that we just CANNOT access SCCM environment variables from VBScript under RunAs Domain User ( also part of local Administrators group ). What wrong is happening here then for SCCM variables??? Can youEITHER Please provide the code snippet of task step which adds RunAs Domain User to local Administrators?AND/OR Please share results from your test re-run as per "2. I believe that account was not added this way. I might be able to have the test re-run."? We shall wait for your response. Thanks & Regards,Chirag

Any update on this problem ?

Just to share : I have had the exact same issue so as a workaround I dump the needed SCCM variables in a text file while running under the local system account and during the run as step I just read the SCCM variables from this text file. Kind regs Gino D

Just to share: I have had the exact same error. I created a task sequence which simple creates an instance of the TS environment, displays methods a properties to ensure instance is available and set a simple custom variable. I announced this task sequence twice. The script snippet $objTSEnv = New-Object -comObject Microsoft.SMS.TSEnvironment $objTSEnv | Get-Member $objTSEnv.Value("Staging")= "Set Variable" Write-Host $objTSEnv.Value("Staging") 1) RUNAS: no user account defined everything works as expected 2) RUNAS user account with domain admin rights (Full OS Environment <![LOG[Exception "Value": "Access denied(Ausnahme von HRESULT:]LOG]!><time="08:11:11.319+-60" date="12-14-2010" component="InstallSoftware" context="" type="3" thread="3180" file="runcommandline.cpp:40"> <![LOG[ 0x80070005 (E_ACCESSDENIED))"]LOG]!><time="08:11:11.319+-60" date="12-14-2010" component="InstallSoftware" context="" type="3" thread="3180" file="runcommandline.cpp:40"> <![LOG[Bei C:\_SMSTaskSequence\Packages\ZI200014\staging.ps1:230 Zeichen:17]LOG]!><time="08:11:11.319+-60" date="12-14-2010" component="InstallSoftware" context="" type="3" thread="3180" file="runcommandline.cpp:40"> <![LOG[+ $objTSEnv.Value <<<< ($iAPPS)=$row.PackageID + ":" + $row.ProgramName]LOG]!><time="08:11:11.319+-60" date="12-14-2010" component="InstallSoftware" context="" type="3" thread="3180" file="runcommandline.cpp:40"> <![LOG[ + CategoryInfo : NotSpecified: (:) [], SetValueInvocationExceptio ]LOG]!><time="08:11:11.319+-60" date="12-14-2010" component="InstallSoftware" context="" type="3" thread="3180" file="runcommandline.cpp:40"> <![LOG[ n]LOG]!><time="08:11:11.319+-60" date="12-14-2010" component="InstallSoftware" context="" type="3" thread="3180" file="runcommandline.cpp:40"> <![LOG[ + FullyQualifiedErrorId : CatchFromBaseAdapterParameterizedPropertySetValu ]LOG]!><time="08:11:11.319+-60" date="12-14-2010" component="InstallSoftware" context="" type="3" thread="3180" file="runcommandline.cpp:40"> <![LOG[ eTI]LOG]!><time="08:11:11.319+-60" date="12-14-2010" component="InstallSoftware" context="" type="3" thread="3180" file="runcommandline.cpp:40"> <![LOG[ ]LOG]!><time="08:11:11.319+-60" date="12-14-2010" component="InstallSoftware" context="" type="3" thread="3180" file="runcommandline.cpp:40"> Any suggestions are welcome Regards