JoeH82 Absent Member.

Dynamic Administrator account and batch files / scripts

I have a batch file on a network share, \\myserver\share\file.bat, that I am trying to run as the dynamic administrator. The batch file registers DLLs on the local client machine, which works when I run it from the network location, so that is not the issue. When I run it from ZCM as the dynamic administrator, it shows the bundle as being completed. However, when I open Task Manager and look at the processes tab, I see cmd.exe stuck in memory. It never completes. I tried converting the batch file into a VBScript and I get the same result, just with wscript.exe hanging in the Task Manager. I am able to run this logged into the workstation as an administrator, and in ZCM selecting run as logged in user. Problem is my users will not be Admins so this is not a solution.

I believe there is an issue with dynamic administrator not allowing applications to interact with the logged in user. I am also having an issue with launching .msi files that I want to install from a network share, where the user needs to interact with the install.

Workstation: Windows 7 SP1
ZCM: 11.1 w/ Agent update 1 for Zen 11.1

I did open an enhancement request to see if this is a feature that is missing or a bug in the system. I know this feature works in Zen 4 on Windows XP. I would hope with ZCM 11.1, this feature would not be lost.
0 Likes
7 Replies
shaunpond Absent Member.

Re: Dynamic Administrator account and batch files / scripts

JoeH82,

Dynamic Administrators don't have access to the desktop...

--

Shaun Pond


0 Likes
Popopinsel Absent Member.

Re: Dynamic Administrator account and batch files / scripts

JoeH82;2145991 wrote:
> I believe there is an issue with dynamic administrator not allowing applications to interact with the logged in user.


That's right but it also has been mentioned a dozen times that this is a design decision of Windows Vista/7 and not ZENworks' fault.

Anyway, did you correctly set up the credential vault to access the network share?
What exactly does your script do?
Does it use any environment variables from other or the logged in user?
Did you correctly suppress error and/or confirmation messages from the commands used (e.g. /Q, /F, /Y, >NUL, >NUL 2>&1)?
0 Likes
JoeH82 Absent Member.

Re: Dynamic Administrator account and batch files / scripts

Thanks for the replies. I apologize for my frustration and short description of the problem. I left out a few details.

To help rule out my scripting and batch file writing flaws, I will try a standard exe install for QuickTime Player that I downloaded from Apple. I am only using QuickTime as an example for other applications that I need to have my users run as an Administrator and configure themselves.

In a new bundle under the launch tab, I selected Launch Executable. In the general tab, for the command I browsed to \\server\share\folder\apple\quicktime\QuickTimeInstaller7.6.9.exe.

Here is what I get from the different security levels I try and run it as. I am logged into a Windows 7 SP1 workstation using a domain account that is an Administrator on the local machine in each test. Not sure if it matters but my file server is a Windows Server 2008 R2 using regular file shares and not DFS.

Run As Logged in user, (Logged into workstation as an Administrator): The Application launches and I get the QuickTime install screen.

Run As secure system user, “Error launching \\server\share\folder\apple\quicktime\QuickTimeInstaller7.6.9.exe . Windows error: The directory name is invalid. There was an error that occurred during an action for the bundle (bundle name). Would you like to automatically verify this bundle and attempt the action again?”

Run As Dynamic administrator, using credentials from the Credential Vault as a domain account that has full control over the file share, I get the Interactive Services Detection popup and view the screen and see the install for QuickTime.

So my question is, is there a way to run this install from ZCM as an Administrator, and allow the user to interact with it? I do not want my users to all have local administrator rights on the machines so the option Run As Logged in user is out.
0 Likes
pitcherj Absent Member.

Re: Dynamic Administrator account and batch files / scripts

JoeH82,

Unfortunately, no.

If you run something as a Dynamic Administrator on XP, you'll see that it runs on the currently-logged-in user's session (because XP allows session-0-spawned processes to appear on the currently-logged-in user's session).

Windows Vista and Windows 7 changed the paradigm - Session-0-spawned stuff has to show up in a session-0-workspace, and thus the ui0detect service is involved and is what throws up the "Interactive Services Detection" dialog.

One thing you could try is to make the domain account that has full control over the share a domain administrator so that it has local admin privileges on the workstation(s), and then launch a "runas" command through an AutoIT script, launch executable action, or run script action, and have that runas command launch whichever executable you're running.

Just an idea.

Jacob
0 Likes
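
The hung cmd.exe and wscript.exe from the first post are consistent with the session 0 behaviour described above: a script host waiting on a prompt that nobody can see. As an added example (not code from any poster in this thread), this Windows PowerShell function lists script hosts and installers that have been sitting in session 0 longer than a threshold; the function name, the process list and the 10-minute default are assumptions.

```powershell
# Added example: find script hosts / installers in session 0 that have been
# running longer than a threshold, i.e. likely blocked on an invisible prompt.
# Uses Get-WmiObject so it also works on the PowerShell 2.0 shipped with Windows 7.
function Get-StalledSession0Process {
    param(
        # Process names taken from the thread (cmd.exe, wscript.exe) plus related hosts.
        [string[]]$Name = @('cmd.exe', 'wscript.exe', 'cscript.exe', 'msiexec.exe'),
        # Hypothetical default; tune to how long your bundles normally run.
        [int]$OlderThanMinutes = 10
    )

    $cutoff = (Get-Date).AddMinutes(-$OlderThanMinutes)

    Get-WmiObject -Class Win32_Process -Filter 'SessionId = 0' |
        Where-Object { ($Name -contains $_.Name) -and $_.CreationDate } |
        ForEach-Object {
            # CreationDate is a DMTF string; convert it to a DateTime.
            $started = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationDate)
            if ($started -lt $cutoff) {
                $owner = $_.GetOwner()   # empty if not run elevated
                New-Object PSObject -Property @{
                    ProcessId   = $_.ProcessId
                    Name        = $_.Name
                    Started     = $started
                    Owner       = "$($owner.Domain)\$($owner.User)"
                    CommandLine = $_.CommandLine
                }
            }
        }
}

Get-StalledSession0Process | Format-List ProcessId, Name, Started, Owner, CommandLine
```

Run it from an elevated prompt so that the owner and command line of processes started by other accounts are visible.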
Popopinsel Absent Member.

Re: Dynamic Administrator account and batch files / scripts

Another idea comes to my mind but it requires UAC to be disabled or at least configured to elevate administrators without prompting (ConsentPromptBehaviorAdmin = 0):

You can create yourself a little agent program, e.g. with AutoIt, that is running inside the current user's session and resides in the notification area. This agent polls specific registry values which contain the program path and credentials for the user account you wish your application to run with. This could be:

[HKEY_LOCAL_MACHINE\Software\Agent]
"Program"=""
"User"=""
"Password"=""

Your ZENworks bundle would then, if needed, copy the necessary setup files on the client machine and fill in the above mentioned information:

[HKEY_LOCAL_MACHINE\Software\Agent]
"Program"="%WINDIR%\Temp\App\setup.exe"
"User"="admin"
"Password"="abc123"

Because your AutoIt Agent is constantly polling these values for data, it recognizes the changes and uses this data to launch the specified application with the desired credentials. In theory, since your launching application (AutoIt Agent) is running inside the user's session, the elevated setup process should show up with a GUI. The only thing that could mess the whole thing up is the UAC (if on and unconfigured) I guess...
0 Likes
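
A check for the state this polling-agent design leaves on a workstation, as an added example that is not part of the post above: it reports the UAC settings the post depends on, whether a password value is populated, and which principals can read or change the polled key. The function name is an assumption, and the key path and value names are the illustrative ones from the post.

```powershell
# Added example (not from the thread): audit the registry key an agent like the
# one described would poll, plus the UAC settings the design relies on.
function Get-AgentKeyExposure {
    # Key path and the "Password" value name are the illustrative ones from the post.
    param([string]$KeyPath = 'HKLM:\Software\Agent')

    $uacPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacPath -ErrorAction SilentlyContinue

    $result = New-Object PSObject -Property @{
        ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
        EnableLUA                  = $uac.EnableLUA
        KeyExists                  = (Test-Path $KeyPath)
        PasswordStored             = $false
        Readers                    = @()
        Writers                    = @()
    }
    if (-not $result.KeyExists) { return $result }

    $values = Get-ItemProperty -Path $KeyPath
    $result.PasswordStored = -not [string]::IsNullOrEmpty($values.Password)

    # Rights that let a principal read, or change, the values the agent polls.
    # ACEs expressed only as generic rights are not matched by these masks.
    $readMask  = [Security.AccessControl.RegistryRights]::QueryValues
    $writeMask = [Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'

    foreach ($ace in (Get-Acl -Path $KeyPath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.RegistryRights -band $readMask)  { $result.Readers += $ace.IdentityReference.Value }
        if ($ace.RegistryRights -band $writeMask) { $result.Writers += $ace.IdentityReference.Value }
    }
    $result.Readers = @($result.Readers | Select-Object -Unique)
    $result.Writers = @($result.Writers | Select-Object -Unique)
    $result
}

Get-AgentKeyExposure | Format-List
```

Any non-administrative principal listed under Readers can see a stored password, and any listed under Writers can change the program the agent launches with those credentials.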
JoeH82 Absent Member.

Re: Dynamic Administrator account and batch files / scripts

Thanks for suggesting AutoIT. This seems like a useful utility. I was not expecting to have to learn another program when ZCM 11.1 is cumbersome enough. I was expecting ZCM to have the same functionality as our current version of Zen which is Zen 4. Bummer that Windows 7 and ZCM 11.1 have changed so much in functionality and security. It seems like this is a move backwards for us in maintaining our environment. Wish I would have known the limitations of ZCM before the Novell sales guy was here and sold us on the upgrade to ZCM. But then again when he sold it to us Windows 7 was not supported. Should have waited.
0 Likes
Micro Focus Expert

Re: Dynamic Administrator account and batch files / scripts

One Key issue with Using ZCM is to Not Try to Make it ZDM.
It's not and never will be.

Rather, you need to look at how you are doing things and do them in a
way to match a different toolset.

For Example - You can Define your batch file directly in the bundle.
No need to run it against a network share. ZCM will create it on the fly.

For Application installs, There is the Content-Repo which will help
devices find the closest source automatically, provide automatic
failover, assist with load balancing, and even limit redundant files.



On 10/19/2011 12:36 PM, JoeH82 wrote:
>
> Thanks for suggesting AutoIT. This seems like a useful utility. I was
> not expecting to have to learn another program when ZCM 11.1 is
> cumbersome enough. I was expecting ZCM to have the same functionality as
> our current version of Zen which is Zen 4. Bummer that Windows 7 and ZCM
> 11.1 have changed so much in functionality and security. It seems like
> this is a move backwards for us in maintaining our environment. Wish I
> would have known the limitations of ZCM before the Novell sales guy was
> here and sold us on the upgrade to ZCM. But then again when he sold it
> to us Windows 7 was not supported. Should have waited.
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
0 Likes