Powershell - Installing software while passing Admin Credentials
First off, I want to say that I have learned a lot from ITNinja. I started packaging 2 months ago and have come a long way. I do not have much if any experience with PowerShell. I have a couple of years of coding experience with C# so I am starting to understand what I am looking at.
I am currently trying to install an MSI that requires a computer Administrator installation. The System account only has Admin Privileges so will not complete the installation.
I have found some workarounds that I am thinking that will work. I have a PowerShell script that will create an Administrator account on the computer. My intention was to use PSEXEC to install the MSI application by adding the Username and Password into the PSEXEC command; however, the machine that is executing the code is logged in as a standard user and the Code is executing through an account with admin privileges but not elevated. UAC is blocking PSEXEC from running elevated.
As stated, I am learning a few things, I know that using the following command, I can create a text file that can be used to encrypt the password:
read-host -assecurestring | convertfrom-securestring | out-file C:\securestring.txt`
From there, I found the following code which helps setup the credentials for use:
$username = "domain01\admin01" $password = cat C:\securestring.txt | convertto-securestring $cred = new-object -typename System.Management.Automation.PSCredential ` -argumentlist $username, $password
Since, this will be done on a Local Computer, using a local administrator account, I want the $username to use $env:computername\<ADMINACCT>
The part that I am struggling with and hope that someone can assist with is how I take the data captured above into executing the installation of the application using the local admin account.
-
Sounds like you are over egging the solution, why did it fail with system account? Do you have any errors or a log file? - wynnem 7 years ago
Answers (4)
>I am currently trying to install an MSI that requires a computer Administrator installation. The System account only has Admin Privileges so will not complete the installation.
One, all software should be installed by an account with Administrator privileges
Two, you have a seriously screwed build if your System account has insufficient privileges to install software. How do you think any deployment system you can name works?
Three, some (many) vendors - I'm assuming this is a vendor MSI - put checks in for 'Privileged', 'IsAdmin' or 'AdminUser' and so on in the LaunchConditions table. Simply take that check out of the table in your transform.
Good Morning VbScab,
Thank you for your response. Perhaps there is a better solution than what I am proposing.
I agree that all software should be installed with an account with Admin Privileges. Our System account has successfully installed 99.9 percent of the software in our environment. This particular MSI has a driver install included that Windows is unable to verify the publisher of. The driver is signed by a trusted authority (VeriSign). I have tried to self-sign the driver, I have forced the install of the certificate to the Root CA as well as Trusted Publishers prior to the install of the driver. when I am logged on to a computer as a user or an Admin and use a command prompt to runas the system account, the driver will install. However, when I install the package through our delivery system (HP CAE), the installation chokes on this single driver.
Per the vendor website, "A silent installation must be performed by an . A user with administrator privileges does not have sufficient permissions to perform a silent install. If you are not logged on as an Administrator, use an elevated command prompt when you run MSI." Unfortunately, This package does have an option of MSIUSEREALADMINDETECTION. Unless the package identifies that the user is an Admin, the installation will not even begin.
At the end of all of this, I am looking for a way to elevate the installation without a prompt for a user to present administrative credentials for a true silent installation.
Comments:
-
Logged in as an admin does the install work silently using psexec -s switch (running as system) ? Also can you attach a failed install log from the HP CAE deployment? - wynnem 7 years ago
-
If I am logged in the computer as an Admin, and running psexec as the system account, the install works passing the admin account credentials with a -h (elevated) switch. I have not tried the -s. When calling psexec through the managed installation, the service is blocked, even though elevated prompts have been passed. I will try the -s switch though and see what happens. - Ninjawannabe 7 years ago
-
Extract the certificate, push the certificate per GPO out. Then create a driver package extracting the required files from the vendor install and then create an MST for the vendor MSI. That should then be able to run silently... - Pressanykey 7 years ago
-
Good Morning Pressanykey, I actually tried something similar. Our IT department does not manage Trusted Publishers within our environment. I ran the installation by hand on a machine as a local administrator. The installation completed successfully. I extracted the Vendor certificate. It is signed by VeriSign and looks correct. It expires in December. I then copied out the driver files 1 inf, 2 sys files and the cat file.
I installed the cert to the root CA as well as the local Machine trusted Publishers. *Note: in the past, extracting the cert and pushing to localstore was all that was necessary for this package installation.
I also repackaged the driver using a selfsigned certificate. then used dpinst to install the driver. This was successful. When I went to edit the vendor MSI to suppress the virtual adapter driver installation, I found I could suppress the files, but could not find the custom action to suppress the actual installation. So, when the software installed, is still failed the driver installation check and removed the entire package.
My last test was to see exactly what was happening with the driver installation through the system account, but be able to monitor the install. I took all of the silent switches out and pushed the application to install through HP CAE (Radia). When the installation got to the virtual Adapter driver installation, I was kicked out of the user account back to the logon screen. When I logged back in, the driver had removed itself. When pushed through SCCM, I was presented with a prompt "Windows can't verify the publisher of this driver software".
At this point, I have been escalated through the vendor to one of their engineers. Hopefully they an assist with finding out why the installation fails when installing silently. - Ninjawannabe 7 years ago-
Hi,
you should not need to re-sign the driver. It should already be signed. You only need the inf and cat files, plus the files listed in the inf file. Put these down on the system in a directory, and install from there, either using dpinst or the msi pendent. - Pressanykey 7 years ago -
I have tried to do this; however, the MSI has instructions built within that I cannot suppress. The msi will still try to install this driver, even though it is already installed. Because the MSI cannot install the driver, the entire package fails and removes itself. Apparently, according to the vendor looking through the install failure log, the issue is that the Vendor Cert fails to add to the certstore. - Ninjawannabe 7 years ago
-
This is now resolved. I ran a snapshot installation to bypass the driver and certificate install. This is now working. - Ninjawannabe 7 years ago
Top Answer
capturing an MSI is not a good thing to do, unless you *really* know what you are doing. If you have not removed all of the Darwin descriptors, then you are in big trouble.
Regarding the actions that you state the original vendor MSI is doing (i.e. trying to install the river any way) this could be removed using a transform, as I suspect that the vendor is using a custom action to install the drivers (probably DPInst).
just my tuppence,
Phl