I have a group of XP machines that are public-facing terminals. Because of that, they use Windows SteadyState. I need to run a command against the machines to ensure that disk protection gets turned on. I have SteadyState itself as an MI; after the MI completes, I need to run a command against the machine to turn on disk protection. SteadyState itself will not allow you to turn on the disk protection in the same batch/executable file that did the install. The restricted user does not have access to registry RunOnce keys. What would be the best way to accomplish this? Any way I can make a script run AFTER an MI? I could do groups and stuff, but that would require a lot of check-ins. And I need this to happen in a fairly timely manner.

Answers

You can easily configure a script to perform the modification for machines that have a specific MI installed. However, I don't know of any way to trigger such a script immediately after the MI itself. You could write your own custom wrapper in AutoIT to accomplish this - the wrapper would install the application and then perform a RunAs for the post-installation modifications.
Answered 01/21/2010 by: airwolf
Tenth Degree Black Belt

Use a batch file for the MI, rather than the SS MSI, and dump the command in the HKLM RunOnce key and force a reboot.

Something along the lines of..


start /wait msiexec /i SS.msi /qn /norestart
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /v SSOn /t REG_SZ /d "SSon.bat" /f
shutdown -t 15 -r -f


You could get sophisticated and add ERRORLEVEL checking and such to return the right value to the KBOX, but it's up to you.
Answered 01/21/2010 by: sdickenson
Senior Yellow Belt

Ah yes, nice suggestion. If you use a batch file alongside the msi and zip them up, it should work nicely. The KBOX agent runs everything with local SYSTEM rights.
Answered 01/21/2010 by: airwolf
Tenth Degree Black Belt

Ya, I had already tried that. The problem is, the SteadyState environment restricts the RunOnce registry key. So it doesn't run, unless I log in as a different user. By GPO these machines auto login as the restricted user. I will probably submit a ticket with KACE for a way to force running of a scripting task.
Answered 01/25/2010 by: lindsamw
Orange Senior Belt

What I suggested should still work. Sdickenson suggested using RunOnce, but you don't need to do that. Set up the installation package for the KBOX as a Zip file containing two files: 1. A batch file that calls your MSI and runs the command you need to run afterward, and 2. the MSI itself. Then set up your Deployment to run the batch file inside the Zip file. The KBOX agents will all pull the Zip file down, unzip it, and then run the batch file which will: 1. install the MSI, and 2. enable the disk protection using the SYSTEM account (since that is the account the batch file is run under).
Answered 01/25/2010 by: airwolf
Tenth Degree Black Belt

"SteadyState itself will not allow you to turn on the disk protection in the same batch/executable file that did the install."
If this is true then I suggest that you have:
1. an MI that will install SteadyState
2. a filter label "X" that represents machines with SteadyState installed (i.e. a machine filter that detects the existence of the SteadyState software)
3. a script that is deployed to label X
3.1 the verify of the script will check if the disk protection flag has not been set
3.2 the success portion (i.e. flag not set) will turn on disk protection and set the flag (i.e. a custom reg value in HKLM\Software\KACE\)

If your check-in interval is 2 hours then this process will take 2-4 hours to complete (i.e. up to 2x the interval frequency).
Answered 01/26/2010 by: GillySpy
Seventh Degree Black Belt
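
The verify-then-remediate script outlined in the answer above, as an added example that is not code from the thread or from KACE. The flag value name `DiskProtectionEnabled` and the helper `enable_disk_protection.cmd` are hypothetical; the thread never gives the actual SteadyState command, so the helper stands in for it.

```bat
@echo off
rem Added example: idempotent script for machines carrying the
rem "SteadyState installed" label. Exit code 0 = protected or already
rem flagged, 1 = enabling failed, 2 = flag could not be written.
setlocal

rem Flag location suggested in the answer; the value name is an assumption.
set "FLAGKEY=HKLM\Software\KACE"
set "FLAGVAL=DiskProtectionEnabled"

rem Verify step: a REG_DWORD of 1 means an earlier run already succeeded.
reg query "%FLAGKEY%" /v "%FLAGVAL%" 2>nul | find /i "0x1" >nul
if not errorlevel 1 (
    echo Disk protection flag already set, nothing to do.
    exit /b 0
)

rem Remediation step: placeholder for the site-specific command that
rem turns on SteadyState disk protection (not given in the thread).
call "%~dp0enable_disk_protection.cmd"
set "RC=%errorlevel%"
if not "%RC%"=="0" (
    echo Enabling disk protection failed with exit code %RC%.
    exit /b 1
)

rem Record success only after the command reported no error, so a failed
rem attempt is retried at the next check-in instead of being masked.
reg add "%FLAGKEY%" /v "%FLAGVAL%" /t REG_DWORD /d 1 /f >nul
if errorlevel 1 (
    echo Could not write the flag to %FLAGKEY%.
    exit /b 2
)

echo Disk protection enabled and flag recorded.
exit /b 0
```

Writing the flag last keeps the script safe to re-run on every check-in, and the distinct exit codes let the deployment report which step failed.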

I thought about suggesting that, Gerald. However, the OP seems to want the script to run immediately after the installation. What you have suggested is exactly how I would've set something like this up in my environment.
Answered 01/26/2010 by: airwolf
Tenth Degree Black Belt

Yes, I would like it to run immediately after the software is installed. Part of the problem on my end is, the machine is auto logging in as the restricted user as soon as it joins the domain. The restricted account is hampering some things I try to run against it.
Answered 01/27/2010 by: lindsamw
Orange Senior Belt

Anything you run from the KBOX agent will be run as local SYSTEM. The restricted account should have no effect.
Answered 01/27/2010 by: airwolf
Tenth Degree Black Belt

Ya, that normally holds true, but it's obviously affecting something :) I assume it has to do with SteadyState restrictions on the computer itself. Any other user I run this on, works great. My original package was just like you guys had suggested. Was an AutoIt compiled exe, called the setup, after setup, it would create a new admin user, run the command to enable disk protection, then delete the new admin user. (Was something I had learned, SteadyState will not allow you to turn on disk protection from the same user context that just installed it.) If I turn off my auto login of the restricted user, works great. So I will have to play with my joinad and remove the autologin from it, and just let the staff at the location log the machine in at least once for it to get the autologin policy.
Answered 01/27/2010 by: lindsamw
Orange Senior Belt
