Scripting question
I have a group of XP machines that are public facing terminals. Because of that, they use windowssteady state. I need to run a command against the machines to insure that disk protection gets turned on. I have steadystate itself as a MI, after the MI completes, I need to run a command against the machine to turn on disk protection. Steadystate itself will not allow you to turn on the disk protection in the same batch/executeable file that did the install. The restricted user does not have access to registry run once keys. What would be the best way to accomplish this? Anyway I can make a script run AFTER a MI? I could do groups and stuff, but that would require a lot of check ins. And I need this to happen in a fairly timely manner.
0 Comments
[ + ] Show comments
Answers (10)
Please log in to answer
Posted by:
airwolf
14 years ago
You can easily configure a script to perform the modification for machines that have a specific MI installed. However, I don't know of any way to trigger such a script immediately after the MI itself. You could write your own custom wrapper in AutoIT to accomplish this - the wrapper would install the application and then perform a RunAs for the post-installation modifications.
Posted by:
sdickenson
14 years ago
Use a batch file for the MI, rather than the SS MSI, and dump the command in the HKLM RunOnce key and force a reboot.
Something along the lines of..
You could get sophisticated and add ERRORLEVEL checking and such to return the right value to the KBOX, but it's up to you.
Something along the lines of..
start /wait msiexec /i SS.msi /qn /norestart
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /v SSOn /t REG_SZ /d "SSon.bat" /f
shutdown -t 15 -r -fYou could get sophisticated and add ERRORLEVEL checking and such to return the right value to the KBOX, but it's up to you.
Posted by:
airwolf
14 years ago
Ah yes, nice suggestion. If you use a batch file alongside the msi and zip them up, it should work nicely. The KBOX agent runs everything with local SYSTEM rights.
Posted by:
lindsamw
14 years ago
ya I had all ready tried that. The problem is, the steady state environment restricts the run once registry key. So it doesn't run, unless I login as a different user. By GPO these machines auto login as the restricted user. I will probably submit a ticket with Kace for a way to force running of a scripting task.
Posted by:
airwolf
14 years ago
What I suggested should still work. Sdickenson suggested using RunOnce, but you don't need to do that. Setup the installation package for the KBOX as a Zip file containing two files: 1. A batch file that calls your MSI and runs the command you need to run afterward, and 2. the MSI itself. Then setup your Deployment to run the batch file inside the Zip file. The KBOX agents will all pull the Zip file down, unzip it, and then run the batch file which will: 1. install the MSI, and 2. enable the disk protection using the SYSTEM account (since that is the account the batch file is run under).
Posted by:
GillySpy
14 years ago
Steadystate itself will not allow you to turn on the disk protection in the same batch/executeable file that did the install.
If this is true then I suggest that you have:
1. an MI that will install steadystate
2. a filter label "X" that represents machines with steady state installed. (ie a machine filter that detects the existence of steady state software)
3. a script that is deployed to label X
3.1 the verify of the script will check if diskprotection flag has not been set
3.2 the success portion (ie flag not set) will turn on disk protection and set the flag (ie custom reg value in HKLM\Software\KACE\)
If your check-in interval is 2 hours then this process will take 2-4 hours to complete (ie up to 2x the interval frequency).
Posted by:
airwolf
14 years ago
I thought about suggesting that, Gerald. However, the OP seems to want the script to run immediately after the installation. What you have suggested is exactly how I would've set something like this up in my environment.
Posted by:
lindsamw
14 years ago
Yes, I would like it to run immediately after the software is installed. Part of the problem on my end is, the machine is auto logging in as the restricted user as soon as it joins the domain. The restricted account is hampering some things I try to run against it.
Posted by:
airwolf
14 years ago
Anything you run from the KBOX agent will be run as local SYSTEM. The restricted account should have no effect.
Posted by:
lindsamw
14 years ago
Ya that normally holds true, but its obviously effecting something :) I assume it has to do with steadystate restrictions on the computer itself. Any other user I run this on, works great. My original package was just like you guys had suggested. Was an autoit compiled exe, called the setup, after setup, it would create a new admin user, run the command to enable disk protection, then delete the new admin user. (Was something I had learned, SteadyState will not allow you to turn on disk protection from the same user context that just installed it.) If I turn off my auto login of the restricted user, works great. So I will have to play with my joinad and remove the autologin from it, and just let the staff at the location log the machine in at least once for it to get the autologin policy.
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.