Where is the documentation for this new feature?
Originally posted here: BigFix 9.5 Patch 5 is now available - #5 by steini44
That is a good question!!
Please see the "runas=localuser" override option: https://developer.bigfix.com/action-script/reference/execution/override.html
RunAs=localuser specifies a user different from the logged on user.
user=<username> or {relevance to describe the username} where the username specified must be either local or listed in local accounts.
So from the documentation, this is not possible with domain accounts? You need to create a local user first with Administrator rights (because I think this will be most of the time the case why we want a "specified user" to run an action - Admin on the pc, but not system account)? Or if they are in a Group on the computer (like Administrator Group or User group), will that be ok too?
Can you clarify please?
I believe you should be able to specify a domain user using the following format: user@domain.com (but I will test to verify).
Ok, perfect. I'll test also tomorrow in my test environment.
Thanks!
That was the intent with the feature that domain accounts should be usable. What was your testing able to show?
I've looked into it real quick last week, but didn't get it to work.
I've tried the following:
But in the log I have the following error:
Command failed (Override value is unknown for this keyword.) override RunAs=localuser (action:8088)
I've also tried RunAs=user@domain.com, but same error... (except that =localuser is changed by user@domain.com in the error)
Is there an example available on how to use it?
The message seems to indicate the value "localuser" for keyword RunAs is not recognized. Are you sure you are using 9.5.5?
Also, I believe keyword Password is required for Windows. (When I ran the same override with 9.5.5.193 FixletDebugger, I got the message "RunAsLocalUser in Windows requires the keyword 'password' to be specified.")
Hi @akira
Can you post that part of your script? Maybe I'm missing something...
The version that matters is the version of Agent, not Console.
From 9.5.5.193 Agent, I got following in the log:
At 17:53:09 +0900 - actionsite (http://mycompany.test.local:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded override wait (action:40)
Command succeeded override hidden=true (action:40)
Command succeeded override RunAs=localuser (action:40)
Command succeeded override user=aaa@bbb (action:40)
Command succeeded override completion=job (action:40)
Command failed (RunAsLocalUser in Windows requires the keyword 'password' to be specified.) wait test.bat (action:40)
Yes, of course... didn't think of that, didn't upgrade the agent yet
edit: is there no upgrade fixlet for the client? latest I see is 9.5.4?
I can see client deployment tool 9.5.5, but isn't there one for the client?
Hi @steini44
Unfortunately 9.5.5 client is not available right now but hopefully available again soon. Please check following thread:
Thanks for the update, missed that one. I'll install the client manually for my test machine, I'll let you know if it works.
The agent update worked and it can read, but I still have an error:
Command failed (LogonUser() failed) wait (action:8094)
This is my action:
I've tried the following things for user:
user=user@domain.com
user=user
user=Domain\user
But no luck... Any idea?
Somehow I thought domain account is supported, but I realized that https://developer.bigfix.com/action-script/reference/execution/override.html says "username specified must be either local or listed in local accounts."
So I suppose domain account is not supported.
Well, that was my original question
The domain account should be supported but the statement should reflect that the user needs to have logged onto the machine at some point. So if the domain user has never logged onto the endpoint it wouldn't have a registry hive local to the machine.
Hmmm... Then that's not very handy, is it? So even if I'm creating a service account for software deployment, that would mean that I need to log in on 18k devices first so that I can use that account? Are there any plans to change this so that it just looks in the Local Groups (like Administrator) and see if it's there?
Where will I find documentation of the "Run As Specified User" capability? Site search and Google search have failed me.
Sincerely,
David