UAC and running NETLOGON script/app with elevated permission
First, I apologize if this is in the wrong forum. So here's our problem. We are a 150+ company with only 3 members on our IT crew. We have a mix of Vista and Win7 in our environment with UAC enabled. The only issue we're having with this is that we occasionally push out packages during log on that require admin rights. I'm wondering if there is a way to run an installer (both MSI and EXE) or applications with elevated permissions so that we do not need to go desk to desk / state to state. Whether it be purchased, scripted or programmed, we're looking for some kind of solution. Any help or suggestions are always appreciated. Thanks, Travis
January 28th, 2010 9:14pm

The easy answer is to deploy the applications and run scripts under the computer configuration > "start up scripts" (or software installation) in a group policy object.
January 31st, 2010 2:27pm

Thanks Andreas for the suggestion. I'll give this a shot tomorrow morning. Travis
February 1st, 2010 1:19am

How did it go? Do you have any further questions?
February 4th, 2010 4:40am

Andreas, unfortunately no. At least I haven't gotten it to work. Basically what I have set up for the test is a folder under Netlogon, and in that folder I have my application that requires admin rights to run. I haven't been able to get the Startup/Login scripts to run the app without the UAC prompt. Travis
February 9th, 2010 6:11pm

What runs in the startup script is run as SYSTEM, before it is even possible to log in, and should therefore not even be able to give you a UAC prompt. This will on the other hand be the case if you put the installation in the user part of the GPO, i.e. under software installation in User Configuration or in the login section. Also, there is no need for the installation files to be located under NETLOGON; you can place the installation files anywhere as long as they are reachable via UNC (\\server\share\application\setup.exe for instance). Can you give exactly what you place in the script?
February 11th, 2010 3:40am

Just want to verify. Startup as in GPO\Computer Configuration\Policies\Windows Settings Scripts (Startup/Shutdown)?
February 15th, 2010 6:42pm

"Just want to verify. Startup as in GPO\Computer Configuration\Policies\Windows Settings Scripts (Startup/Shutdown)?"

Yes, that is correct!
February 23rd, 2010 2:41am

Hi, I'm experiencing a similar issue. I'm trying to run an executable on Windows 7 from a GPO startup script and it won't run (while I checked it is available). When running it while logged in as an administrator, UAC prompts me if I want to allow the program to run, and after that, it runs just fine...

Here's what I've been doing: I created a computer policy (Group Policy Object > Computer Settings) with a Startup script called "netsetup.bat", as described above. The netsetup.bat looks as follows:

    rem Start a fresh log and record whether the product is already installed
    echo %date% > C:\Temp\Netsetup.log
    if exist "C:\Program Files\Progress Software Corporation" echo %time% "C:\Program Files\Progress Software Corporation" already exists >> C:\Temp\Netsetup.log
    if not exist "C:\Program Files\Progress Software Corporation" echo %time% "C:\Program Files\Progress Software Corporation" doesn't exist >> C:\Temp\Netsetup.log
    rem Record whether the installer on the share is reachable
    if exist "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" echo %time% "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" is available >> C:\Temp\Netsetup.log
    if not exist "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" echo %time% "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" is not available >> C:\Temp\Netsetup.log
    rem Run the silent install only when the product folder is missing
    echo %time% Starting "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" -psclogC:\Temp -s >> C:\Temp\Netsetup.log
    if not exist "C:\Program Files\Progress Software Corporation" "\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" -psclogC:\Temp -s
    echo %time% Finished >> C:\Temp\Netsetup.log

Setup.exe is a Macrovision Corporation installer for OpenEdge 10.1C Shared Network Installation software from Progress (PSC). It has an outdated certificate (by Thawte Code Signing CA), if that matters at all? (Valid from 10-2-2006 to 21-2-2008.)

When I start the computer and log in afterwards (as an administrator), the file C:\Temp\Netsetup.log looks like this:

    wo 24-02-2010
    18:41:03,16 "C:\Program Files\Progress Software Corporation" doesn't exist
    18:41:03,67 " \\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" is available
    18:41:04,18 Starting " \\servername\sharename\Progress\Dlc101c\netsetup\setup.exe" -psclogC:\Temp -s
    18:41:08,44 Finished

However, the program (Progress) is not installed. When I run the same batch file (netsetup.bat) manually (as an administrator), I get prompted by UAC (User Account Control) and after confirmation the program installs just fine! UAC is set to Default (Notify me only when programs try to make changes to my computer; don't notify when I make changes to Windows settings). Not sure if this should help, but I tried adding the certificate to the Trusted Publishers certificate store (and even to the Trusted Root Certificate Authorities certificate store for testing) through the same computer settings GPO. But I did not see any change. Thanks in advance, Rogier
February 24th, 2010 1:05pm

As r.w. stated, it doesn't look like the application runs. However, I do notice that in the Task Manager I do see an instance of the application running. I went ahead and created a new PowerShell script to run an Adobe 7 update. Something basic and simple but requires admin rights (for testing). I only have one line of code in the script:

    [System.Diagnostics.Process]::Start("\\FileShare01\applications$\Adobe Standard\Adobe Updates\AcroStdUpd710_all.exe");

This script is being launched from the Startup Scripts in my GPO. Now while logged in as a standard user I don't see the installer, but it is listed in the process list. Same thing if I run while logged in as myself (Domain Admin). So it does "run" under SYSTEM, there's just no desktop interaction.
February 25th, 2010 12:02pm
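
An added example, not part of the original thread or any poster's code: a startup-script sketch that makes the silent SYSTEM-context install described above diagnosable by logging the running account, share reachability, the installer's Authenticode status and its exit code. The UNC path, switches and log location are taken from the posts above and stand in as placeholders.

```powershell
# Added example (not from the thread). Intended to run as a GPO computer startup script.
$Installer = '\\servername\sharename\Progress\Dlc101c\netsetup\setup.exe'  # placeholder path from the thread
$Arguments = '-psclogC:\Temp -s'                                            # silent switches as posted above
$Log       = 'C:\Temp\Netsetup.log'                                         # log location used in the thread

function Write-Log([string]$Message) {
    # Timestamped append so every boot leaves a readable trail
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $Log -Value $line
}

New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null

# Record which account the script runs as; for a startup script this should be SYSTEM.
Write-Log ('Running as ' + [Security.Principal.WindowsIdentity]::GetCurrent().Name)

# SYSTEM reaches the share as the computer account, so the share and NTFS
# permissions must grant that account read access.
if (-not (Test-Path -LiteralPath $Installer)) {
    Write-Log "Installer not reachable: $Installer"
    exit 1
}

# Log the signature status so an expired or untrusted certificate shows up in the trail.
$sig = Get-AuthenticodeSignature -FilePath $Installer
Write-Log ('Signature status: {0} ({1})' -f $sig.Status, $sig.StatusMessage)

try {
    # -Wait blocks until the installer finishes; -PassThru returns the process
    # object so the exit code can be logged instead of a bare "Finished".
    $p = Start-Process -FilePath $Installer -ArgumentList $Arguments -Wait -PassThru
    Write-Log ('Installer exited with code {0}' -f $p.ExitCode)
    exit $p.ExitCode
} catch {
    Write-Log ('Failed to start installer: ' + $_.Exception.Message)
    exit 1
}
```

Because whatever sits at that UNC path is executed as SYSTEM on every machine the GPO applies to, write access to the share should be limited to administrators.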

Did you ever get an answer to this? I have the exact same issue right now.
April 20th, 2011 2:06pm

This topic is archived. No further replies will be accepted.
