Technology Tips and News
Hello
We have a task sequence for the replacing of the OS. Only the local 1 level support should available do run this task sequence when he is logged on.
When I advertise the task sequence to this usergroupe the task sequence fails because task sequences can only be advertised to Computers.
How can I secure the task sequence that only a limited group of Users can run the task sequence?
minou
You have to get creative...because like you said, you cannot advertise it to users...
So, you could add a "Run Command line" step to your TS and have that step call a script that you write which can determine the credentials of the logged on user...and if that user is not in the proper group...then you can throw an error and exit the TS.
Or you could do the same thing and ask for a password in an HTA type file...and if people don't know the right password...again you throw an error and then exit out of the Task Sequence.
HI Mike
Thank you for your answer. that was also my first idea, but the TS run in the rights of the system and not with the rights of the logged on user.
Also the Way with the Password dont Work because the Dialogbox is not shown do the User
minou
Why only allow a specific group of users to perform a refresh of a computer? Delegate rights i SCCM or AD to add the computers to a group that you advertise the TS to. Then only first level support technicians can "allow" the computer to perform a refresh, however the user can choose when to do it. Or, make it a mandatory assignment if the user "shouldn't be bothered".Hello
We have a task sequence for the replacing of the OS. Only the local 1 level support should available do run this task sequence when he is logged on.
When I advertise the task sequence to this usergroupe the task sequence fails because task sequences can only be advertised to Computers.
How can I secure the task sequence that only a limited group of Users can run the task sequence?
minou
Also the Way with the Password dont Work because the Dialogbox is not shown do the User
Something is wrong then... Certainly the dialog should be shown to the user otherwise things like the Modena OS deployment process could never work...and it does work...
You absolutely can create a "front end" for a Task sequence and then prompt for all sorts of stuff before the process continues.
Both risc and Mike are correct here. If you are WinPE, then you can run a script or application that displays a UI. If you are in the deployed OS, then you have to do lots of detailed API "stuff" which is what ServiceUI in UDI does.
You could thus move your password HTA/UI to after the first reboot to PE task. This will be disruptive but not destructive to the user who does not know the password.
Here are some examples to get you going if you want to use ServiceUI to display your frontend in Full-Windows. Looks like different versions of ServiceUI.exe either parses arguments differently or do/don't honour the Path variable.
These are the best ones i've come up with so far (without starting ServiceUI from vbscript) that doesn't require you to hardcode paths. It uses the SCCM working directory with %CD%, but it might not work with run from DP.
Modena RC2 version:
cmd /c ServiceUI.exe -process:tsprogressui.exe mshta.exe %CD%\DeploymentWizard.hta
MDT 2010 Update 1 Beta 1 version:
cmd /c ServiceUI.exe -process:tsprogressui.exe %SYSTEMROOT%\System32\mshta.exe %CD%\DeploymentWizard.hta
Put ServiceUI.exe and your HTA in the package that you reference in your Run Commandline Task.
Here are some examples to get you going if you want to use ServiceUI to display your frontend in Full-Windows. Looks like different versions of ServiceUI.exe either parses arguments differently or do/don't honour the Path variable.
These are the best ones i've come up with so far (without starting ServiceUI from vbscript) that doesn't require you to hardcode paths. It uses the SCCM working directory with %CD%, but it might not work with run from DP.
Modena RC2 version:
cmd /c ServiceUI.exe -process:tsprogressui.exe mshta.exe %CD%\DeploymentWizard.hta
MDT 2010 Update 1 Beta 1 version:
cmd /c ServiceUI.exe -process:tsprogressui.exe %SYSTEMROOT%\System32\mshta.exe %CD%\DeploymentWizard.hta
Put ServiceUI.exe and your HTA in the package that you reference in your Run Commandline Task.
Here are some examples to get you going if you want to use ServiceUI to display your frontend in Full-Windows. Looks like different versions of ServiceUI.exe either parses arguments differently or do/don't honour the Path variable.
These are the best ones i've come up with so far (without starting ServiceUI from vbscript) that doesn't require you to hardcode paths. It uses the SCCM working directory with %CD%, but it might not work with run from DP.
Modena RC2 version:
cmd /c ServiceUI.exe -process:tsprogressui.exe mshta.exe %CD%\DeploymentWizard.hta
MDT 2010 Update 1 Beta 1 version:
cmd /c ServiceUI.exe -process:tsprogressui.exe %SYSTEMROOT%\System32\mshta.exe %CD%\DeploymentWizard.hta
Put ServiceUI.exe and your HTA in the package that you reference in your Run Commandline Task.
Here are some examples to get you going if you want to use ServiceUI to display your frontend in Full-Windows. Looks like different versions of ServiceUI.exe either parses arguments differently or do/don't honour the Path variable.
These are the best ones i've come up with so far (without starting ServiceUI from vbscript) that doesn't require you to hardcode paths. It uses the SCCM working directory with %CD%, but it might not work with run from DP.
Modena RC2 version:
cmd /c ServiceUI.exe -process:tsprogressui.exe mshta.exe %CD%\DeploymentWizard.hta
MDT 2010 Update 1 Beta 1 version:
cmd /c ServiceUI.exe -process:tsprogressui.exe %SYSTEMROOT%\System32\mshta.exe %CD%\DeploymentWizard.hta
Put ServiceUI.exe and your HTA in the package that you reference in your Run Commandline Task.
Here are some examples to get you going if you want to use ServiceUI to display your frontend in Full-Windows. Looks like different versions of ServiceUI.exe either parses arguments differently or do/don't honour the Path variable.
These are the best ones i've come up with so far (without starting ServiceUI from vbscript) that doesn't require you to hardcode paths. It uses the SCCM working directory with %CD%, but it might not work with run from DP.
Modena RC2 version:
cmd /c ServiceUI.exe -process:tsprogressui.exe mshta.exe %CD%\DeploymentWizard.hta
MDT 2010 Update 1 Beta 1 version:
cmd /c ServiceUI.exe -process:tsprogressui.exe %SYSTEMROOT%\System32\mshta.exe %CD%\DeploymentWizard.hta
Put ServiceUI.exe and your HTA in the package that you reference in your Run Commandline Task.
Have you guys been able to utilize the ServiceUI.exe on Win7 clients? I have been able to successfully call an exe or hta and present to the user when executing ServiceUI.exe on an XP system, but can't make it work on a Win7 client. Trying to prompt a little password dialog to the user and ServiceUI keeps failing with an access denied return code in the smsts.log:
API [CreateProcessAsUser] Error: [5]
I've tried executing ServiceUI.exe directly as well as with cmd.exe /c in the Run Command Line action, but my task sequence continues to fail with a 0xFFFFFFFF error code. I have tried the original ServiceUI.exe that came with Modena RC2 as well as the newer version of the exe that came with MDT 2010 Update 1, same results.
Here's some info I got back from Cameron:
"For one thing make sure that the step is running as system (ServiceUI.exe only works in system). So if he has the “Run this step as the following account” set, make sure that he unselects this. Also how is this being deployed (via standalone media, SMS client etc.)? We would have to take a look at the SMSTS.log that shows ServiceUI.exe running to troubleshoot further. "
I use it in Windows 7 successfully with previously posted commandline.
Are you using applocker or some other security software that do application blocking, perhaps some antivirus-module? I think that some of the stuff that ServiceUI does could be seen as process tampering by such a software.
Here's an excerpt of the smsts.log:
Executing command line: smsswd.exe /run: ServiceUI.exe -process:explorer.exe %SYSTEMROOT%\System32\mshta.exe c:\safefolder\zticonf.hta TSManager 10/20/2010 2:02:06 PM 3824 (0x0EF0)
=======================[ smsswd.exe ] ======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
PackageID = '' InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
BaseVar = '', ContinueOnError='' InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
SwdAction = '0001' InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Command line for extension .exe is "%1" %* InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Set command line: Run command line InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Working dir 'C:\SafeFolder' InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Executing command line: Run command line InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Process completed with exit code 4294967295 InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Matched Processes InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Process Found: [explorer.exe] ID [1744] SESSION [1] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Logon Lookup InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
[winlogon.exe] Session: [1] PID [436] [Target Session [1] = Match] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Launch Process InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Program to launch : [C:\WINDOWS\System32\mshta.exe] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Command line : [C:\WINDOWS\System32\mshta.exe c:\safefolder\zticonf.hta] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
API [CreateProcessAsUser] Error: [5] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Exiting with [-1] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Command line returned 4294967295 InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
Process completed with exit code 4294967295 TSManager 10/20/2010 2:02:06 PM 3824 (0x0EF0)
!--------------------------------------------------------------------------------------------! TSManager 10/20/2010 2:02:06 PM 3824 (0x0EF0)
Failed to run the action: Require Password Input.
Unknown error (Error: FFFFFFFF; Source: Unknown) TSManager 10/20/2010 2:02:06 PM 3824 (0x0EF0)
You want to show your HTA in the same context that tsprogressui.exe runs in.
Use
ServiceUI.exe -process:tsprogressui.exe %SYSTEMROOT%\System32\mshta.exe c:\safefolder\zticonf.hta
Instead of
ServiceUI.exe -process:explorer.exe %SYSTEMROOT%\System32\mshta.exe c:\safefolder\zticonf.hta
If you want to hide the TS ProgressUI while your HTA is shown you can run this in your HTA...
Set ProgressUI = CreateObject("Microsoft.SMS.TsProgressUI")
ProgressUI.CloseProgressDialog
The ProgressUI will automatically become visible on the next Task Sequence Step.
Also I don't think that this will work at all if you have disabled "show task sequence progress" in you advertisment. Haven't tried but it could be that the process tsprogressui.exe doesn't start when the setting is disabled.
OK,
I'm out of ideas right now so a long shot...
Are you running Windows 7 x64? in that case are you using the 64 or 32-bit version of ServiceUI. Could that together with or without the TS-option "Disable 64-bit file system redirection" do anything.
I can get it to run a batch file successfully. I'm using the Modena dynamic background switching stuff in one of my task sequences. That executes fine on a Win7 client. When I try to execute an exe with ServiceUI on a Win7 client that's what fails with an access denied error. I tested with a simple little SMS Installer exe and I also get the same error when calling mshta.exe and passing it the name of an HTA. My TS is not specifying any alternate credentials so the ServiceUI.exe command line is definitely executing as SYSTEM. I can see it's identifying the target session properly. It goes through the 'Launch Process' step as seen in the smsts.log but still fails with the CreateProcessAsUser step. I've tested this on a bare Win7 build without any anti-virus software and have the same issue. I can manually execute ServiceUI.exe via psexec.exe -s and all these things execute properly. It's only when calling ServiceUI from the task sequence that it's failing on any exe.
Hi Eric,
I'm attempting to call a batch file using serviceui.exe, but am unable to do so. Can you post the command you're using to get it to function? I'm trying this on a Windows 7 64bit OS, but am using the 32bit version of serviceui.exe and am selecting the option to disable 64 bit redirection.
Any advice appreciated.
Thanks!
AAAAARGGGH!!!!
This thread has been staring me in the face all day as I try to figure out why I'm getting the same "API [CreateProcessAsUser] Error: [5]" when ServiceUI is run from a Task Sequence but works perfectly fine from a scheduled task running as SYSTEM.
20+ task sequence revisions later I'm pretty sure I found the culprit. Uncheck the "Time-out (minutes)" box on the task sequence step. That simple.
I've only run a few tests so far, but it looks like this is the problem. Hope this helps someone else out in the future.
THANK YOU! GOODNIGHT!
AAAAARGGGH!!!!
This thread has been staring me in the face all day as I try to figure out why I'm getting the same "API [CreateProcessAsUser] Error: [5]" when ServiceUI is run from a Task Sequence but works perfectly fine from a scheduled task running as SYSTEM.
20+ task sequence revisions later I'm pretty sure I found the culprit. Uncheck the "Time-out (minutes)" box on the task sequence step. That simple.
I've only run a few tests so far, but it looks like this is the problem. Hope this helps someone else out in the future.
THANK YOU! GOODNIGHT!
AAAAARGGGH!!!!
This thread has been staring me in the face all day as I try to figure out why I'm getting the same "API [CreateProcessAsUser] Error: [5]" when ServiceUI is run from a Task Sequence but works perfectly fine from a scheduled task running as SYSTEM.
20+ task sequence revisions later I'm pretty sure I found the culprit. Uncheck the "Time-out (minutes)" box on the task sequence step. That simple.
I've only run a few tests so far, but it looks like this is the problem. Hope this helps someone else out in the future.
THANK YOU! GOODNIGHT!
AAAAARGGGH!!!!
This thread has been staring me in the face all day as I try to figure out why I'm getting the same "API [CreateProcessAsUser] Error: [5]" when ServiceUI is run from a Task Sequence but works perfectly fine from a scheduled task running as SYSTEM.
20+ task sequence revisions later I'm pretty sure I found the culprit. Uncheck the "Time-out (minutes)" box on the task sequence step. That simple.
I've only run a few tests so far, but it looks like this is the problem. Hope this helps someone else out in the future.
THANK YOU! GOODNIGHT!
AAAAARGGGH!!!!
This thread has been staring me in the face all day as I try to figure out why I'm getting the same "API [CreateProcessAsUser] Error: [5]" when ServiceUI is run from a Task Sequence but works perfectly fine from a scheduled task running as SYSTEM.
20+ task sequence revisions later I'm pretty sure I found the culprit. Uncheck the "Time-out (minutes)" box on the task sequence step. That simple.
I've only run a few tests so far, but it looks like this is the problem. Hope this helps someone else out in the future.
THANK YOU! GOODNIGHT!
Wow. you are a life saver. I can't believe that this was the problem. thank you! it is such a PITA to test task sequences, always having to delete deployments and update packages then re deploy them and force the application deployment updates.... (should be a better testing solution)
Hi All,
This ServiceUI works under Windows 7 x64 but I have a big problem !
I can call my HTA with ServiceUI.exe but the task sequence stops when it launches the HTA. I need to use this as a background info during my deployment.
How can i provide TS to continue after HTA step ?
This topic is archived. No further replies will be accepted.
Other recent topics
Click here to get your free copy of Network Administrator. Over 25 plugins to make your life easier