We have an ActionScript which invokes one of our Windows bat files using the waithidden construct, which in turn invokes a ps1 script. In this ps1 script, we add a few PowerShell snapins (e.g. SQL PS snapins).
Now, when we run our batch file manually, our script execution is successful, since it's run from a regular account. When we run it from the BigFix client, we see a “PowerShell snapins could not be added” error, and this is because the BigFix client (which runs the batch file) runs with the “LOCAL SYSTEM” account.
We were always told that BigFix client has all the permissions, but that does not seem to be the case.
We would like to know how we can run the Windows batch file from ActionScript successfully.
Are there some Windows settings that need to be enabled, or some specific way to get it to run?
The client does have a lot of permissions but as it runs as LOCAL SYSTEM it does have some limitations. Many things can have issues as they require a user context. This can be done if there is a user logged in, and in some cases when there is no user logged in, via an override for a wait command. There are a lot of examples on the forum of this but the reference is at:
I’d add that this issue is not specific to BigFix but common to all system management tools that run in SYSTEM context. The same kind of thing occurs in SCCM, KACE, and Group Policy. So if you find a solution for your particular use case with any of these other tools, it’ll usually work with BigFix as well.
Easiest way to test interactively is using PSExec to open a window in SYSTEM context, via psexec -i -s cmd.exe
Thanks Alan for providing some insights. Based on the reference link shared by you, I believe if I use the text below, then it will be able to run our bat file as the currently logged-in user.
Can you please confirm if my understanding is correct, or suggest an example where we can run as superuser/admin without needing to specify a password, since we want our ActionScript to run in the background without any user interaction?
Further, Is ther, our bat file
Thanks Jason. Yes, Piotr from BigFix Inventory team has helped us in understanding the issue due to limitation of “LOCAL SYSTEM” account and we have confirmed our script execution failure with psexec. We need a way out of it.
It's a TADDM use case, where we would like to capture the details about the software (e.g. SQL Server, Exchange Server) by utilizing the PowerShell snapins provided by SQL/Exchange.
That is, we would like to get the Windows bat script (and embedded ps1) executed successfully, so that it will generate execution results, which we can copy over to the BES server. But right now, we are not able to run it due to the “Local System” account restriction.
Check that the SYSTEM account has logon rights to SQL and Exchange (also with PSExec, using SQL Management Studio and whatever client you are trying with Exchange).
Also you can check in the forum for “override wait” and “runas=” options to run the action under a user account; but I think that requires someone with rights to be logged on at the endpoint.
We are invoking ActionScript execution using the BigFix REST API, and there won’t be any user logged onto the endpoint manually, hence it seems the “override wait” and “runas” options won’t work for us.
So, does it mean the only option will be to give the “LOCAL SYSTEM” account permissions for SQL and Exchange Server?
Override has functions for running as a user that is not logged in but you have to be on a newer level of the platform to use them. That may be sufficient for your usage.
Also the fact that you are using REST to create an action vs the console doesn’t matter here.
Thanks Alan. Do you have a sample ActionScript snippet to use for override? We tried a few override options (like currentuser, localuser) in our ActionScript (invoked from the REST API) and it didn’t work.
Sorry, but we were trying out the “override” etc. earlier. Yes, we are running a bat file which embeds a PowerShell script, which again invokes another PowerShell script (that tries to add PowerShell snapins).
We were able to resolve the problem today based on the suggestion to compare the environment, since we were able to run our scripts successfully with “PsExec -i -s” (i.e. the System account), but the BigFix Agent was not able to run our scripts successfully, even though it was also running with the System account.
We compared the environment variables used by “PsExec -i -s” and the IBM BigFix Agent when our scripts get executed, and noted that the “Program Files” variables were different. Both “Program Files” and “Program Files (x86)” were pointing to “Program Files (x86)”, i.e. 32-bit programs.
The problem was occurring because “BESClient” was executing as a 32-bit process on a 64-bit Windows OS and SQL was 64-bit. Thus, when BESClient was trying to load the PowerShell snapins (when it executed sensor scripts), it was trying to load 32-bit snapins, whereas they were 64-bit (as per SQL Server), and hence it failed.
We identified the fix as follows:
Adding the line below above our script execution inside the BigFix ActionScript:
action uses wow64 redirection {not x64 of operating system}
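
The bitness mismatch described in the last post can also be detected from inside the ps1 script itself. The following is an added example, not code from the thread or from BigFix: it reports the values the poster compared and, when it finds itself in a 32-bit process on 64-bit Windows, re-runs the script in 64-bit PowerShell through the sysnative alias (a different technique from the ActionScript line above). The snap-in names are sample values to be replaced with the ones your script adds.

```powershell
# Added example: guard a snap-in script against being run by a 32-bit parent
# (such as a 32-bit agent) on 64-bit Windows.

# Sample snap-in names (assumption); replace with the ones your script needs.
$SnapIns = @('SqlServerCmdletSnapin100', 'SqlServerProviderSnapin100')

function Get-BitnessReport {
    # The same values that differed between "PsExec -i -s" and the agent.
    New-Object PSObject -Property @{
        ProcessBits     = [IntPtr]::Size * 8
        # Defined only inside a 32-bit (WOW64) process on 64-bit Windows.
        IsWow64         = [bool]$env:PROCESSOR_ARCHITEW6432
        ProgramFiles    = $env:ProgramFiles
        ProgramFilesX86 = ${env:ProgramFiles(x86)}
    }
}

$report = Get-BitnessReport
$report | Format-List | Out-String | Write-Output

if ($report.IsWow64) {
    # "sysnative" is visible only to 32-bit processes; it bypasses file
    # system redirection and reaches the real 64-bit System32 directory.
    $ps64 = Join-Path $env:windir 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    if (-not (Test-Path $ps64)) {
        Write-Error "64-bit PowerShell not reachable at $ps64"
        exit 2
    }
    # Re-run this same script in the 64-bit host and pass its exit code back.
    & $ps64 -NoProfile -File $MyInvocation.MyCommand.Path
    exit $LASTEXITCODE
}

# From here on the process bitness matches the OS.
$missing = 0
foreach ($name in $SnapIns) {
    if (Get-PSSnapin -Registered -Name $name -ErrorAction SilentlyContinue) {
        Add-PSSnapin -Name $name -ErrorAction Stop
    } else {
        Write-Warning "Snap-in '$name' is not registered for the $($report.ProcessBits)-bit host"
        $missing++
    }
}
if ($missing -gt 0) { exit 1 }
```

Logging the report on every run makes a later regression (for example, a wrapper that starts a 32-bit cmd.exe) visible in the action output instead of surfacing only as a snap-in load failure.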