i am seeing a new phenomenon.
whenever i run ANY operation using “runascurrentuser” i am getting “operation succeeded” with exit code -1 and the action never actually takes place.
i am using a copy of an action i ran many times in the past (enforce screen saver for computers not in domain), but for some reason it no longer succeeds.
it is possible that some security software is blocking it, but i also heard from another BES admin that he sees the same behavior.
can any of you confirm runascurrentuser still works? (my environment is 9.5.8 with most clients on 9.5.3)
Runascurrentuser still works, but we now prefer use of the ‘override run’ options to avoid the additional download.
The most common problems I see with running a program as the current user, are trying to run binaries from the __Download folder (standars users don’t have access to the directory); using ‘move’ rather than ‘copy’ to get the binary out of the __Download folder (‘move’ keeps the existing file permissions, which still won’t allow a standard user to read/execute it); or trying to run as current user when there is nobody logged on.
Thanks for your reply Jason,
as i mentioned, i am still on 9.5.3 on most clients so cant use “override run” (requires 9.5.5), i still have relays which are 2003 server so cant upgrade.
i will try to move runascurrentuser, but as i mentioned this is a copy of a task that used to work.
more to come…
Where do you place the module to be run by RunAsCurrentUser?
By default, “current user” has no access to __Download folder of BigFix. If you want to run the dowloaded module, you need to copy the module to some place “current user” has access before running RunAsCurrentUser.
This part works, and now, to the next problem:
as you both mentioned, runascurrentuser runs with the current user privileges, and as a normal user they cant write to the “Policies” branch of their HKCU.
now, i can modify the task to write to the personal registry hive (but then the user is able to change the screensaver), so i see 2 other options:
elevate the use of runascurrentuser.exe somehow
not use runascurrentuser.exe, enumerate the current user’s hive and write directly to the user hive, as local system.
I don’t think you can run elevated as far as you are using RunAsCurrentUser.exe.
If all you need to deal with current user is the registry, how about using current user key of <registry> ?