Temporary admin rights while app is being run.
Hello,
We have to deploy an application to over 200 machines.
The problem is that this very badly designed application needs to be run under the user's account while the user is an administrator! That is ridiculous but we don't have a choice.
I have made a batch file that checks if the application is installed, if it isn't, it'll install it.
I have made a batch file that will copy this file to all computers' startup folder.
The problem is that I need the batch file to run the installation file of the application under the user's name (no runas allowed) but they need to be admins.
Is there any way to make the user an admin temporarily? Their username needs to stay the same, it can't change.
Thank you.
Answers (3)
Posted by:
craig16229
18 years ago
PowerCat,
If you have a list of the machines and you have copied the binary files to them, you might be able to use Sysinternals' PsExec tool to run the executable on those machines, and specify to run the install in the context of a domain admin account.
I suppose that option depends on if the software installs in a "per user" fashion, and is not visible to the intended user. Is this the problem, or is it that the program needs to be run once as an administrator to function properly?
Craig --<>.
Posted by:
Dr. Soup
18 years ago
Are you sure you actually need to be an administrator, or do you just need modify permissions on certain files or folders? You can troubleshoot most permissions issues with Filemon and Regmon from www.sysinternals.com. They might be the two most useful tools I have ever come across.
Granting users modify permissions over a specific folder would be much more secure than actually promoting the user to an administrator to use one program.
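The scoped grant described in this answer, as an added example that is not part of the original post. The folder, registry key and group are hypothetical placeholders for whatever locations Filemon and Regmon show the application writing to; run it elevated from the deployment script.

```powershell
# Added example. The folder, registry key and group are hypothetical; use
# the locations Filemon/Regmon show the application writing to.
$AppFolder = 'C:\Program Files\LegacyApp'              # assumption
$AppRegKey = 'HKLM:\SOFTWARE\LegacyVendor\LegacyApp'   # assumption
$Identity  = 'BUILTIN\Users'                           # assumption

function Grant-ScopedAccess {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    if ($acl -is [System.Security.AccessControl.RegistrySecurity]) {
        # Registry key: read/write values and subkeys, no permission changes.
        $ruleArgs = $Identity, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow'
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    } else {
        # Folder: Modify, inherited by subfolders and files.
        $ruleArgs = $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    }
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($path in $AppFolder, $AppRegKey) {
    Grant-ScopedAccess -Path $path -Identity $Identity
    # Show the explicit (non-inherited) entries now held by the identity.
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
        Select-Object @{n='Path';e={$path}}, IdentityReference, AccessControlType, *Rights
}
```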
Posted by:
Robb Thomas
18 years ago
If you 'really' need to do this or something like this?
- I've been able to re-package the user level.
- This is really ugly, check and recheck that you really wanna do this!
About the only time I needed anything like this was with my MDAC 2.x install.
In certain cases, regular non administrative users cannot sign on after MDAC is installed. An administrative user must log on at least once after MDAC is deployed. *UGLY*.
What we did back then is:
- Use the Windows Resource Kit's addusers.exe to create a new interactive user with admin rights to the desktop via
AddUsers /c c:\file.txt /p:e where file.txt contains:
----- cut here ----
[User]
NSUinstaller,NSU Software Install User,complexpasswordhere,,,,,
[Global]
[Local]
Administrators,Administrators have complete and unrestricted access to the computer/domain,NSUinstaller
--- End cut here ----
- Keep password complex enough as having simple passwords can be in conflict with domain password reqs.
- Next, edit the registry (preserve any existing values):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = NSUinstaller
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword = complexpasswordhere
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName = computername
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UndoAdminLog = C:\xxx\UndoProg.exe
- You need to be able to automatically UNDO the above, so I created an undo program (using older wise) that can reset the above changes, and in your case run the install. I point to this undo program with the last key.
Once all the changes are in place, all you need to do is reboot. The workstation will reboot and watch the desktop automatically log on as NSUInstaller, and then do the install, and then it would reset the above registry keys back exactly where they were. In my case I used older wise install scripts to do all this, and because it creates log files, the resetting of the keys back was simply a matter of running unwise.
Bottom line, it worked for us, but this is pretty ugly, and you might not wanna do this. Are there any alternatives? I heard something about a 3rd party AD extension that allows administrators to grant programs administrative rights.
Regards,
---- Robb ----
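A check that the undo step in this procedure actually ran on a machine, as an added example that is not part of the original post. It uses the account and value names from the post and assumes the LocalAccounts cmdlets of Windows PowerShell 5.1; AutoAdminLogon is not named in the post, it is the standard Winlogon value that switches automatic logon on.

```powershell
# Added example: audits one machine for leftovers of the temporary-autologon
# procedure. DefaultPassword is stored in the registry as plaintext, so a
# failed undo leaves a local admin credential on disk.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$account  = 'NSUinstaller'          # account name used in the post

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties[$Name]) { $props.$Name }
}

$findings = @()
if ($null -ne (Get-RegValue $winlogon 'DefaultPassword')) {
    $findings += 'Winlogon\DefaultPassword is still set (plaintext password)'
}
if ((Get-RegValue $winlogon 'AutoAdminLogon') -eq '1') {
    $findings += 'Winlogon\AutoAdminLogon is still enabled'
}
if ((Get-RegValue $winlogon 'DefaultUserName') -eq $account) {
    $findings += "Winlogon\DefaultUserName still points at $account"
}
if ($null -ne (Get-RegValue $runKey 'UndoAdminLog')) {
    $findings += 'Run\UndoAdminLog is still registered (undo program did not finish)'
}

$user = Get-LocalUser -Name $account -ErrorAction SilentlyContinue
if ($user) {
    $findings += "Local account $account still exists (Enabled=$($user.Enabled))"
    # S-1-5-32-544 is the built-in Administrators group on any locale.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.SID.Value -eq $user.SID.Value }) {
        $findings += "$account is still a member of local Administrators"
    }
}

if ($findings.Count -eq 0) {
    'Clean: no leftovers found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    exit 1
}
```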
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.