Windows 7 UAC and Systems Administrators

[Graywalker]

This is a question for Systems Administrators of all kinds - those who manage software on a domain where users have restricted rights - and who have Windows 7 computers in their domain.

How do you get around UAC to install Software or Certificates remotely and without user intervention? ... and without being logged in to the computer. ( There is no such thing as "right click and.." answers. We have over 3000 computers! )

I've tried scheduled tasks (schtasks.exe) with the /RL HIGHEST switch - no good.

I've even looked into PowerShell 2.0 - but it is not what I need.

Even with UAC disabled, some things still need the "Run As Administrator" privileges to actually install properly.

Has Microsoft completely screwed Systems Administrators with this UAC ??

[AdamUL]

It has not been a problem where I work, you just have to have the Win 7 PC setup correctly, RPC services, Remote Registry Service, etc. Some of these is turned off by default, and I have wrote in our imaging script to turn the services on when we finish image a PC. Also, make sure that you have the correct Security Groups under the local Administrator's group, this is also done by the imaging script.

For remote software installations, I usually have it scripted out and use PsExec or BeyondExec to execute it remotely. Almost all my installations are silent. If you have the correct services turned on, and you are a local admin on the PC, your remote process is elevated without issue. I still use ExecutionLevel requireAdministrator on my compiled scripts executed remotely to be on the safe side.

Also, look (#8) for additional info on AutoIt and UAC.

Adam

[Graywalker]

Without using third-party or non-native utilities, there is not much of anything one can do to get around UAC - even when UAC is disabled there are stills some issues.

I have found one sure way using schtasks in Windows 7, but it requires providing a user name and password that is in the Administrators group. Using /U and /P would wait until that user was logged in. Probably need to have Secondary Logon enabled and starting automatically. I copy the program I want to run down to the endpoint first.

; $CommandLine = program to run
; $TName = a name for the task
; $time must be ##:## format. (24hr) 1:03 will give an error. 01:03 is good.
; /SC ONCE rules out using /Z for some reason
$Command = 'schtasks /Create /S ' & $strPCName & ' /RU ' & $UserName & ' /RP ' & $Paswrd & ' /SC ONCE /TN ' & $TName & ' /TR "' & $CommandLine & '" /ST ' & $time & ' /RL HIGHEST /F' ;/ST ' & $time & ' /ET ' & $et & ' /RI 599940
   $runAt = Run(@ComSpec & ' /c "' & $Command & '"', "", @SW_HIDE, $STDOUT_CHILD)
   While 1
    $Line = StdoutRead($runAt)
    If @error Then ExitLoop
    If $Line <> "" Then
     $Results = $Results & " " & $Line
    EndIf
   WEnd
   FileWriteLine($LogFile, $strPCName & "," & $time & "," & $Results)

[jazzyjeff]

We encountered a similar issue at the school district I work for. To get around installing software on student machines here (we can't give them admin rights), we created a service (as an admin) that launches an exe in Interactive Services mode. This then opens another GUI that puts the user in an isolated envrionment as an admin and they access to what we call an "App Store" (kids are familiar with that term). They can then install updates to all the software needed.

You do need admin rights on the machine in the first place to install the service though, and it is best if this is created on the image. That doesn't sound like a good option for you right now as you have 3000+ machines to work with.