Trying out new 9.5.5 "Run As Specified User" capability

@AlanM, @Aram

I’ve looked into it real quick last week, but didn’t get it to work.

I’ve tried the following:

But in the log I have the following error:

Command failed (Override value is unknown for this keyword.) override RunAs=localuser (action:8088)

I’ve also tried RunAs=user@domain.com, but same error… (except that =localuser is changed by user@domain.com in the error)

Is there an example available on how to use it?

The message seems to indicate the value “localuser” for keyword RunAs is not recognized. Are you sure you are using 9.5.5?

Also, I believe keyword Password is required for Windows. (When I ran the same override with 9.5.5.193 FixletDebugger, I got the message “RunAsLocalUser in Windows requires the keyword 'password' to be specified.”)

1 Like

Hi @akira

Can you post that part of your script? Maybe I’m missing something…

The version that matters is the version of the Agent, not the Console.
From the 9.5.5.193 Agent, I got the following in the log:

At 17:53:09 +0900 - actionsite (http://mycompany.test.local:52311/cgi-bin/bfgather.exe/actionsite)
   Command succeeded override wait (action:40)
   Command succeeded override hidden=true (action:40)
   Command succeeded override RunAs=localuser (action:40)
   Command succeeded override user=aaa@bbb (action:40)
   Command succeeded override completion=job (action:40)
   Command failed (RunAsLocalUser in Windows requires the keyword 'password' to be specified.) wait test.bat (action:40)
1 Like

@akira

Yes, of course… didn’t think of that, didn’t upgrade the agent yet :)

edit: is there no upgrade fixlet for the client? latest I see is 9.5.4?

I can see client deployment tool 9.5.5, but isn’t there one for the client?

Hi @steini44
Unfortunately the 9.5.5 client is not available right now but hopefully available again soon. Please check the following thread:

Thanks for the update, missed that one :) I’ll install the client manually for my test machine, I’ll let you know if it works.

1 Like

The agent update worked and it can read, but I still have an error:

   Command failed (LogonUser() failed) wait (action:8094)

This is my action:

I’ve tried the following things for user:
user=user@domain.com
user=user
user=Domain\user

But no luck… Any idea?

1 Like

Somehow I thought domain account is supported, but I realized that https://developer.bigfix.com/action-script/reference/execution/override.html says "username specified must be either local or listed in local accounts."
So I suppose domain account is not supported.

Well, that was my original question :)

The domain account should be supported but the statement should reflect that the user needs to have logged onto the machine at some point. So if the domain user has never logged onto the endpoint it wouldn’t have a registry hive local to the machine.

2 Likes
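
Added example, not part of any post above: a Python triage helper that parses the client-log lines quoted in this thread, collects each action's accepted override keywords, and maps the three failure messages to the causes the participants reported. The log lines are copied from the posts; the names `triage`, `CAUSES`, `LINE` and `SAMPLE` and the wording of the causes are assumptions of this example, not BigFix documentation.

```python
import re

# Failure text -> cause as reported by participants in this thread (not official docs).
CAUSES = {
    "Override value is unknown for this keyword.":
        "agent predates 9.5.5 and does not know this RunAs value; upgrade the agent",
    "RunAsLocalUser in Windows requires the keyword 'password' to be specified.":
        "override block sets RunAs=localuser without a password keyword",
    "LogonUser() failed":
        "Windows logon failed; thread: account may never have logged on to the endpoint",
}

LINE = re.compile(r"^\s*Command (succeeded|failed)(?: \((.*)\))? (.*) \(action:(\d+)\)\s*$")

# Log lines copied from the posts above.
SAMPLE = """\
   Command failed (Override value is unknown for this keyword.) override RunAs=localuser (action:8088)
   Command succeeded override wait (action:40)
   Command succeeded override hidden=true (action:40)
   Command succeeded override RunAs=localuser (action:40)
   Command succeeded override user=aaa@bbb (action:40)
   Command succeeded override completion=job (action:40)
   Command failed (RunAsLocalUser in Windows requires the keyword 'password' to be specified.) wait test.bat (action:40)
   Command failed (LogonUser() failed) wait (action:8094)
"""

def triage(log_text):
    """Group log lines by action id: accepted override keywords plus explained failures."""
    actions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # timestamps, site URLs and other non-command lines
        status, reason, command, action_id = m.groups()
        entry = actions.setdefault(action_id, {"overrides": {}, "failures": []})
        if status == "failed":
            cause = CAUSES.get(reason, "not diagnosed in this thread")
            entry["failures"].append((command, reason, cause))
        elif command.startswith("override "):
            key, sep, value = command[len("override "):].partition("=")
            # "override wait" names the wrapped command; the rest are key=value settings
            entry["overrides"][key.lower() if sep else "target"] = value if sep else key
    return actions

if __name__ == "__main__":
    for action_id, entry in triage(SAMPLE).items():
        print(action_id, entry["overrides"])
        for command, reason, cause in entry["failures"]:
            print(f"  FAILED {command!r}: {reason} -> {cause}")
```
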

Hmmm… Then that’s not very handy, is it? So even if I’m creating a service account for software deployment, that would mean that I need to log in on 18k devices first so that I can use that account? Are there any plans to change this so that it just looks in the Local Groups (like Administrator) and see if it’s there?

Where will I find documentation of the “Run As Specified User” capability? Site search and Google search have failed me.

Sincerely,

David

Developer.BigFix.com appears to be the premier reference location.

You can find out more about this feature here: https://developer.bigfix.com/action-script/reference/execution/override.html

2 Likes

I do see how this is an issue:

but, I am curious:

  • What is your use case?
  • You have software that fails to install when run under the System account, but succeeds when installed as a service account?
  • Does the software require admin rights to install?

You might be able to get an account to show up as having logged in by using something like PSExec or similar on the machines through BigFix if the account is not in the list. I’m not sure what is required to appear on that list. RDP should work, but still not a good solution.

Another option might be to have BigFix create a local admin user with a randomized password and then use it and delete it. Definitely not an elegant option.

We are working to remove the requirement for the user to have previously logged in for a future release along with some privilege escalation capabilities that should help.

1 Like

Steve, is there an ETA when this will be available? So many of us Administrators out there need this fixed and we’ve been waiting for this for so long. I’m faced with having to manually do an install for 800 machines, but if you and your team perfected this you would be lifesavers!

Thanks.

Many of us would like to use this, can someone post simple examples of how to use this new feature?
Thanks!

Hi James - Some use cases that we have are programs that are Profile specific. For example, WebEx Productivity Tools. If installed as System, they appear in Control Panel > Programs, but nowhere else. The user would have to locate the EXE in the file system and open it for it to work.

Running as user works great if UAC is disabled, but UAC isn’t disabled on all of our endpoints, so it would be hit or miss.

OneDrive would be another example of a Profile specific installer.

The enhancements I mentioned are coming in 9.5.7 around the end of Sept. They should also help with the UAC issues AlexaVonTess described.