How to run an exe installer with admin credentials for users that don't have local admin rights?

[Stan2112]

I'll start with the scenario of what we're trying to accomplish:

We are a managed services provider that just picked up a new client with ~400 remote Win 10 Pro laptops.  These laptops were initially imaged by their internal IT using one of two sets of local admin credentials.  The local users of the laptops do not have local admin rights and ownership would prefer it to stay that way.  We as the MSP need to install a small (10 MB) client piece of software that registers the device in the system and starts the management process behind the scenes.  Ideally, we would package the EXE and the script into a single MSI that the users can just double-click to run after downloading from a SharePoint online library.  Maybe create one for each set of possible credentials so if the first fails, they would just run the second.

Obviously the issue is when the agent EXE runs, it requires local admin rights.  I've been trying to get AutoIt to do this without success.

I've been testing with notepad.  I can get notepad to RunAs using the admin credentials (I have a separate laptop to test with that has separate admin and user accounts), but it won't even truly run as admin since I can't save an edit to the HOSTS file.  As soon as I add the #requireadmin to the script, I get a UAC prompt.

For example, logged in as the user account running this opens Notepad, but it's not really as the admin:

#include <AutoItConstants.au3>
;#RequireAdmin
RunAs($sUsername, @ComputerName, $sPassword, 0, "notepad.exe")

Enabling the #requireadmin hits me with a UAC prompt first.  If I then type the proper admin credentials, notepad opens and I am able to edit the HOSTS file properly.

I must be missing something large here.  Any help?  Is what we're trying to do even possible with AutoIt?

 

[TheXman]

 

[Stan2112]

So I'm clear - what I'm asking to do is possible but forum rules preclude anyone from telling me how.  Is that correct?

[TheXman]

That's correct unless I missed one or more posts that said it is okay to discuss again -- which is very possible.  But if you read the thread I referenced and search the forum, you will see that the question has been asked and answered several times, both directly and indirectly, in the past.

Edited April 7, 2020 by TheXman

[seadoggie01]

As posted in the other thread, however, you can use a scheduled task, and Water does have a UDF to help you get going with it. I would assume that you don't have to install the software immediately, but if you do, you could schedule it to run in 20 seconds or something similar.

Edited April 7, 2020 by seadoggie01
Wrong link

[Subz]

Since NZ is in lockdown we've had a number of users complaining about Office Activation via VPN, (some machines hadn't updated to our new KMS servers before lock down), so I just created a script that writes a custom script for each users computer, we use LAPs for managing local Administrator passwords (i.e. each machine has a different password) fortunately it's only a hand full of staff.

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Example:

;~ Will run as a standard user, without #RequireAdmin
;~ Line below should create a C:\Windows\Temp\Test folder (requires administrator rights).
RunAs("Administrator", @ComputerName, "Password", 0, @ScriptDir & "\PSExec.exe -accepteula -s ' & @ComSpec & ' /c MD ' & @WindowsDir & '\Temp\Test')

The system account doesn't use UAC, which is how products like SCCM perform installations.  With regards to compressing AutoIt scripts into msi, you may encounter issues with AV, if they are left uncompressed, i.e. having the MSI reference the file from the same directory.

As seadoggie01 pointed out you could use Scheduled Tasks as well to also utilize the system account.

;~ Will run as a standard user, without #RequireAdmin
;~ Line below should create a Scheduled Task
;~ Run as System
;~ Run Once at 12:00
;~ Create C:\Windows\Temp\Test folder (requires administrator rights).
;~ Delete Scheduled Task
RunAs("Administrator", @ComputerName, "Password", 0, @ComSpec & ' /c schtasks.exe /RU "SYSTEM" /Create /TN "Run Once Task" /SC ONCE /ST 12:00 /TR "' & @ComSpec & ' /c MD ' & @WindowsDir & '\Temp\Test" /V1 /Z')