RunAs


I am new...so please excuse me in this process.

I am trying to run an MSI file with switches as an admin account. Basically, I am deploying a software package to users on the domain, and I need them to be able to click on the .exe I created. They will need admin rights to run the .exe, which in turn installs the MSI files.

So far I have created a .exe file that runs the MSI file. Using the following code

Runwait('msiexec /i CiscoJabberSetup.msi /qn ALLUSERS=2 CLEAR=1 SERVICES_DOMAIN=sitedomain')
RunWait('msiexec /i ptools.msi /qn ALLUSERS=2 SITEURL="siteURL" OI=1 OC=1 OFFICE=1 FIREFOX=1 RMENU=1')
RunWait('msiexec /i atmcie.msi /qn ALLUSERS=2')

This works.

So now I need to give my .exe admin rights, so I have tried this:

$sUserName = 'adminname'
$sPassword = 'adminpassword'
$sDomain = 'domain'

RunAs("$sUserName", "$sDomain", "$sPassword", 2, "CiscoJabberSetup", @SystemDir, @SW_HIDE)
Runwait('msiexec /i CiscoJabberSetup.msi /qn ALLUSERS=2 CLEAR=1 SERVICES_DOMAIN=sitedomain')

1. If I remove the switches /qn ALLUSERS ... I can run the .exe as I should, but the install is not silent and the user has to interact with it. - this is a no go.

2. If I leave it as it is, I can see the msi execute in taskmanager... but it instantly closes. - thus it does not work.

So, my question is. What am I missing?

Thanks for any help!

 

 

Link to comment
Share on other sites

In your RunAs call, what is CiscoJabberSetup?

Also, you should use RunAsWait for msiexec, no?

RunAsWait($sUserName, $sDomain, $sPassword, 2, 'msiexec /i CiscoJabberSetup.msi /qn ALLUSERS=2 CLEAR=1 SERVICES_DOMAIN=sitedomain', @SystemDir, @SW_HIDE)

Edit : and quotes are not needed around variables

Edited by jguinch
Link to comment
Share on other sites

Cisco Jabber "lets you access presence, instant messaging (IM), voice, video, voice messaging, desktop sharing, and conferencing."

Link to comment
Share on other sites

Jabber is an IM product, as Water mentions. You have my sympathy for having to deploy it :)

Personally, when I do MSI installs (which is a lot), I will resort to two scripts. One that has just the MSI piece in it, and another (the "Setup") to call the install with the credentials I want to supply (most of my customers have non-admin users, so we often install as System). I can then use the "Setup" script to run the MSI from a network share against a remote machine, if necessary. Works a lot better than trying to do RunAsWait against msiexec, in my experience.

Link to comment
Share on other sites

@water & JLogan3o13 : when I asked what is CiscoJabberSetup, I wanted to know why he used RunAs with CiscoJabberSetup and just Run with the MSI. I thought that CiscoJabberSetup  was the AutoIt script name...

Link to comment
Share on other sites

@jguinch

Honestly, I was just trying to replicate the script as the "example" showed in the helpfile for RunAs. It just had the "program name" in that location, so I tried to duplicate what I thought that meant, as well as a combination of various forum postings about RunAs.

Do you have to specifically use RunAsWait with MSI's?

My understanding was that the "Wait", just delayed the script until the MSI (exe, bat, whatever) opened... am I wrong in my understanding?

So in your provided code... are you suggesting I Change it to "RunAsWait" and then fill it in with my line ('msiexec /i CiscoJabberSetup.msi /qn ALLUSERS=2 CLEAR=1 SERVICES_DOMAIN=sitedomain')... and avoid the second line with the "RunWait"

The only reason I ask for clarification is based on a post I read, that showed the RunAs basically giving the credentials and then RunWait actually executing the install file.

Also, Thanks for the edit on the variables...

 

 

Link to comment
Share on other sites

JLogan3o13... Would this work on a disc? I have the package deployed through a package pushing solution (deployed over the network to connected users)... I am trying to figure out a solution for users who would not get the package install via the network. AKA manually shipping them a disc with the install files on it. The only thing is they are not local admins, so I have to use network credentials to install the package.

And of course make it as easy for them as possible!

Link to comment
Share on other sites

For your remote users, are you going to store the network credentials in the install script? Also, RunAs does not give you full admin rights (Admin Token), even if the user has admin rights on the PC. You have to use a workaround of re-execution. Here is an example script.

Global $sAdminUser = "USERNAME"
Global $sAdminPassword = "PASSWORD"
Global $sDomain = "AD"
Global $iLogOnFlag = 0
Global $sParameters = ""

;Elevate with the Admin account.
If @UserName <> $sAdminUser And Not IsAdmin() Then
    $sParameters = ""
    If Not @Compiled Then
        $sParameters = ' "' & @ScriptFullPath & '"'
    EndIf

    ; Quote the executable path so a path containing spaces is passed as one program name.
    If RunAs($sAdminUser, $sDomain, $sAdminPassword, $iLogOnFlag, '"' & @AutoItExe & '"' & $sParameters) Then
        Exit
    Else
        Exit MsgBox(16 + 262144, "ERROR!", "Unable to run under administrator account.")
    EndIf
EndIf

;Run with Admin Token in Windows Vista and Higher.
If @UserName = $sAdminUser And Not IsAdmin() And Not StringRegExp(@OSVersion, "_(XP|200(0|3))") Then
    $sParameters = ""
    If Not @Compiled Then
        $sParameters = '"' & @ScriptFullPath & '"'
    EndIf

    If ShellExecute(@AutoItExe, $sParameters, "", "runas") Then
        Exit
    Else
        Exit MsgBox(16 + 262144, "ERROR!", "Unable to elevate to Admin due to UAC.")
    EndIf
EndIf

;Put rest of the script here.

MsgBox(16, $sAdminUser, IsAdmin()) ;Example

Adam

Link to comment
Share on other sites

jsnyder, what do you use for your delivery system (SCCM, Altiris, etc.)?

If they are not connected to the network so you can push the package to them, how are you going to use network credentials to authenticate? Better to use a local administrator account if you have a uniform account on all machines.

Link to comment
Share on other sites

​We use Altiris. 

They are not connected to the network, because they work from home. They have the ability to connect to the network via VPN, but their connection speed is terrible (rural areas, and even some cell phone wireless cards). Using VPN I could use Altiris to push the package... but depending on their connection we have had issues with time outs. They ultimately could come into a local office (depending on where they are located, this could be a 2 hour drive) to connect to the network...and thus get the push from Altiris.

All our machines have been imaged with the same image, and all have a local department admin account. I am wanting to basically create a script, with that admin account (because it works universally on all computers, even if they are not connected to the network at that very moment) so the user can run it under that account. The everyday user is not set up as a local admin, so without the elevated privileges, they cannot install the package.

Long story short. I have the package working. I just need to create a simple .exe file with elevated privileges that points to the MSI and uses the switches needed... put it on a disc and send it to some one and say "double click on "INSTALL.exe" and you will have the package". 

Link to comment
Share on other sites

​whoa. this is intense. 

I was hoping to store the local admin in the .exe. The users that will be getting this deployment, do not have local admin rights to their machine... so they are prevented from installing anything on their machines. I need a package that stores the local admin account, and runs the MSI files (preferably silent) to install the software. 

Link to comment
Share on other sites

Change the domain to 

Global $sDomain = @ComputerName

for a local admin account. This will allow a normal user to run the script with full admin rights using the local admin account. Use RunWait or ShellExecuteWait commands to run the MSI's silently after the code I posted. You can replace the MsgBox calls with whatever error catching you would like. You might want to put in a progress box (see functions ProgressOn, ProgressSet, and ProgressOff), so the user knows what is installing and the script is running, or call each MSI with the "/qb-" switch.

 

Adam

Link to comment
Share on other sites

​So... I tried your example, added the MSI at the end of the script and it worked perfectly!! Thanks so much!!

Now, in an attempt to learn. Can you (in simple terms) explain what/why your example worked better than what I had? Technically, I had my script working... if I removed the extra switches on the Runwait('msiexec /i CiscoJabberSetup.msi /qn ALLUSERS=2 CLEAR=1 SERVICES_DOMAIN=mdc.mo.gov') (Part in bold)... The MSI would open, but Users would have to interact (which is not what we want). So I guess my script worked like 50%?? :)

What is it about your given script that allows the MSI to work with all the needed switches?

Link to comment
Share on other sites

OK, so Thanks to @AdamnUL, I have my script working for a user that does not have admin rights to the machine. They can double click on the .exe file and the MSI's run as needed. However, now, if I put it on a CD/DVD I get the error stating that the MSI can not be found.

Code:

Global $sAdminUser = "ADMIN"
Global $sAdminPassword = "PASSWORD"
Global $sDomain = @ComputerName
Global $iLogOnFlag = 0
Global $sParameters = ""

;Elevate with Admin account.
If @UserName <> $sAdminUser And Not IsAdmin() Then
    $sParameters = ""
    If Not @Compiled Then
        $sParameters = ' "' & @ScriptFullPath & '"'
    EndIf

    If RunAs($sAdminUser, $sDomain, $sAdminPassword, $iLogOnFlag, @AutoItExe & $sParameters) Then
        Exit
    Else
        Exit MsgBox(16 + 262144, "ERROR!", "Unable to run under administrator account.")
    EndIf
EndIf

; Run with Admin Token in Windows Vista and Higher.
If @UserName = $sAdminUser And Not IsAdmin() And Not StringRegExp(@OSVersion, "_(XP|200(0|3))") Then
    $sParameters = ""
    If Not @Compiled Then
        $sParameters = '"' & @ScriptFullPath & '"'
    EndIf

    If ShellExecute(@AutoITExe, $sParameters, "", "runas") Then
        Exit
    Else
        Exit MsgBox(16+262144, "ERROR!", "Unable to elevate to Admin due to UAC.")
    EndIf
EndIf

; Script for MSI
Runwait('msiexec /i CiscoJabberSetup.msi /qb ALLUSERS=2 CLEAR=1 SERVICES_DOMAIN=DOMAIN')
MsgBox(0, "Complete", "You are done! Click OK")

I converted this file to an .exe and saved it to a disc. When I run it, it can't find the file path. I can do Nameofdrive\subfolder\CiscoJabberSetup... (and it works!) but not every machine is going to have the CD drive as the same drive letter (machine I burned it on was E:\ but test machine's CD drive is D:\... so this won't work).

*note: the .exe is in the same subfolder as the MSI files.

What exactly am I missing here?

Link to comment
Share on other sites

Use DriveGetDrive to list all CDROM drives, and check if each of these drives contains the msi file.

 

​@jguinch

I just looked at this in the helpfile. How would it relate to my issue?

Does it run a check for the name of the CD drive (E:\, D:\, F:\... whatever) and then would input it into my RunWait statement? Therefore allowing the script to find the MSI on the disc and run it as "commanded"?

Link to comment
Share on other sites

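Local $sDrive = ""
Local $aCDROM = DriveGetDrive("CDROM")
If Not @error Then
    ; $aCDROM[0] holds the number of CD-ROM drives; the entries are drive letters such as "d:"
    For $i = 1 To $aCDROM[0]
        If FileExists($aCDROM[$i] & "\CiscoJabberSetup.msi") Then
            $sDrive = $aCDROM[$i]
            ExitLoop
        EndIf
    Next
EndIf

; Run the installer only when the MSI was found; the path is quoted and has no stray space
If $sDrive <> "" Then RunWait('msiexec /i "' & $sDrive & '\CiscoJabberSetup.msi" /qb ALLUSERS=2 CLEAR=1 SERVICES_DOMAIN=DOMAIN')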

 

Link to comment
Share on other sites

 

Thanks for this!

It worked, but I had to modify it. where you had

 If $sDrive <> "" Then Runwait('msiexec /i ' & $sDrive & ' \CiscoJabberSetup.msi /qb ALLUSERS=2 CLEAR=1 SERVICES_DOMAIN=DOMAIN')

The program was skipping this step... because I believe it was comparing it to a blank statement. I removed the "IF/THEN" altogether

RunWait('msiexec /i ' & $sDrive & "\JabberWebEx\CiscoJabberSetup.msi /qb ALLUSERS=2 CLEAR=1 SERVICES_DOMAIN=DOMAIN")

I also had to add double quotes around the file path and switches.

You got the ball rolling... so thanks for the input!

Link to comment
Share on other sites

$sDrive is blank when no CDROM media containing CiscoJabberSetup.msi is found. So in this case your code will run the MSI from the script directory (or from a folder defined in the PATH environment variable)

Link to comment
Share on other sites

jsnyder213,

Sorry for the late reply.  Now to answer one of your questions.

What is it about your given script that allows the MSI to work with all the needed switches?

The reason the script I gave you executes correctly, and yours didn't, is due to UAC (User Account Control). A process will not execute with full admin rights unless it is requested from the user executing the process, and that user has to have the rights to request elevation. This is why you see "Run as administrator" in the context menu, when you right click on some file types. In the script, the ShellExecuteWait with the "runas" verb requests the elevation. Since we are running it in a non-admin user context, we have to re-execute the script as the admin user. Now that the script is running by a user that can request elevation, the script re-executes itself again, requesting the admin token. There are other ways of doing this, but for me I believe this is the simplest in terms of scripting.

There is one thing I should have mentioned that may be related to your CD issue. After the script has re-executed itself as a different user, the user that it is running as must have rights to access the file locations of the other files that may be used in the script. Also, I try to use full paths when calling files, like the MSIs. I'm glad that jguinch was able to help you.

 

Adam

Link to comment
Share on other sites
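
The full-path advice and the blank `$sDrive` caveat from the thread, combined into one added example (not code from any poster): it looks for the package beside the script first, then on each CD-ROM drive, and refuses to call msiexec when nothing is found. The function names `_FindMsi` and `_InstallMsi` and the search order are assumptions; the block is meant to sit after the elevation code.

```autoit
; Added example. _FindMsi/_InstallMsi and the search order are assumptions.

Func _FindMsi($sMsiName)
    ; 1) Same folder as the script/exe, where the thread says the MSI files sit.
    Local $sCandidate = @ScriptDir & "\" & $sMsiName
    If FileExists($sCandidate) Then Return $sCandidate

    ; 2) Root of each CD-ROM drive, as in the DriveGetDrive suggestion.
    Local $aCDROM = DriveGetDrive("CDROM")
    If Not @error Then
        For $i = 1 To $aCDROM[0]
            $sCandidate = $aCDROM[$i] & "\" & $sMsiName
            If FileExists($sCandidate) Then Return $sCandidate
        Next
    EndIf

    ; Not found: signal it instead of letting msiexec resolve a bare file name.
    Return SetError(1, 0, "")
EndFunc

Func _InstallMsi($sMsiName, $sProperties = "")
    Local $sMsi = _FindMsi($sMsiName)
    If @error Then Return SetError(1, 0, -1)

    ; Full, quoted paths for both msiexec and the package.
    Local $sCmd = '"' & @SystemDir & '\msiexec.exe" /i "' & $sMsi & '" /qb'
    If $sProperties <> "" Then $sCmd &= " " & $sProperties

    ; RunWait returns the installer's exit code and sets @error if it cannot start.
    Local $iExit = RunWait($sCmd, @SystemDir)
    If @error Then Return SetError(2, 0, -1)
    Return $iExit
EndFunc

Local $iResult = _InstallMsi("CiscoJabberSetup.msi", "ALLUSERS=2 CLEAR=1 SERVICES_DOMAIN=DOMAIN")
Local $iErr = @error
Switch $iResult
    Case 0
        MsgBox(64, "Install", "Installation completed.")
    Case 3010 ; msiexec: success, reboot required
        MsgBox(64, "Install", "Installed; a reboot is required.")
    Case Else
        MsgBox(16, "Install", "Install failed. @error=" & $iErr & ", exit code=" & $iResult)
EndSwitch
```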
