Trying out new 9.5.5 "Run As Specified User" capability

Hi @steini44
Unfortunately the 9.5.5 client is not available right now, but hopefully it will be available again soon. Please check the following thread:

Thanks for the update, missed that one :) I’ll install the client manually on my test machine, and I’ll let you know if it works.

1 Like

The agent update worked and it can read, but I still have an error:

   Command failed (LogonUser() failed) wait (action:8094)

This is my action:

I’ve tried the following things for user:
user=user@domain.com
user=user
user=Domain\user

But no luck… Any idea?

1 Like

Somehow I thought domain accounts were supported, but I realized that https://developer.bigfix.com/action-script/reference/execution/override.html says "username specified must be either local or listed in local accounts."
So I suppose domain accounts are not supported.

Well, that was my original question :)

The domain account should be supported but the statement should reflect that the user needs to have logged onto the machine at some point. So if the domain user has never logged onto the endpoint it wouldn’t have a registry hive local to the machine.

2 Likes

Hmmm… Then that’s not very handy, is it? So even if I’m creating a service account for software deployment, that would mean that I need to log in on 18k devices first so that I can use that account? Are there any plans to change this so that it just looks in the Local Groups (like Administrator) and sees if it’s there?

Where will I find documentation of the “Run As Specified User” capability? Site search and Google search have failed me.

Sincerely,

David

Developer.BigFix.com appears to be the premier reference location.

You can find out more about this feature here: https://developer.bigfix.com/action-script/reference/execution/override.html

2 Likes

I do see how this is an issue:

but, I am curious:

  • What is your use case?
  • You have software that fails to install when run under the System account, but succeeds when installed as a service account?
  • Does the software require admin rights to install?

You might be able to get an account to show up as having logged in by using something like PSExec or similar on the machines through BigFix if the account is not in the list. I’m not sure what is required to appear on that list. RDP should work, but still not a good solution.

Another option might be to have BigFix create a local admin user with a randomized password and then use it and delete it. Definitely not an elegant option.

We are working to remove the requirement for the user to have previously logged in for a future release along with some privilege escalation capabilities that should help.

1 Like

Steve, is there an ETA when this will be available? So many of us Administrators out there need this fixed and we’ve been waiting for this for so long. I’m faced with having to manually do an install for 800 machines, but if you and your team perfected this you would be lifesavers!

Thanks.

Many of us would like to use this, can someone post simple examples of how to use this new feature?
Thanks!

Hi James - Some use cases that we have are programs that are Profile specific. For example, WebEx Productivity Tools. If installed as System, they appear in Control Panel > Programs, but nowhere else. The user would have to locate the EXE in the file system and open it for it to work.

Running as user works great if UAC is disabled, but UAC isn’t disabled on all of our endpoints, so it would be hit or miss.

OneDrive would be another example of a Profile specific installer.

The enhancements I mentioned are coming in 9.5.7 around the end of Sept. They should also help with the UAC issues AlexaVonTess described.

Just an update on the WebEx install… This was corrected using the ALLUSERS=2 switch (ref).

1 Like

Is 9.5.7 available and do you have some sample code? I really need this. Thanks.

I have been trying to get this to work with both local and domain users, but only seem to get the errors posted above. Here is the latest that I’ve tried:

   override wait
   hidden=true
   RunAs=localuser
   user=administrator
   password=required
   completion=none
   wait notepad.exe

   Command failed (Cannot find needed SecureParameter ‘action override password’) wait notepad.exe

1 Like

If you need to use override runas=localuser without manually logging in with the specified user, then you can just use the 9.5.7 Agent.
If you want to run a program with elevated privilege, there is a sample at the bottom of https://developer.bigfix.com/action-script/reference/execution/override.html (needs the 9.5.7 Agent).
Also, with the 9.5.7 Agent, override runas=localuser works with both local and domain accounts.

1 Like

If you run the action containing password=required through the API, you need to supply the password as the “action override password” secure parameter, as the message indicates.
When you take the action from the Console, the Console prompts you for the password and passes it with the secure parameter.

1 Like
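
The API case from the last reply, as an added example (not code from the thread or from BigFix): Python that builds action XML carrying the password as the "action override password" secure parameter, plus a masked copy for logging so the credential never reaches log files. The element names are assumed to follow the BES action XML format (SourcedFixletAction, SourceFixlet, Target, SecureParameter); the site name, Fixlet ID, computer ID and function names are hypothetical placeholders.

```python
import xml.etree.ElementTree as ET

# Parameter name taken from the agent error message quoted in the thread.
SECURE_NAME = "action override password"


def build_action(site, fixlet_id, action_name, computer_ids, password):
    """Return action XML (str) with the override password as a secure parameter.

    Element names are assumed from the BES action XML format; the XML
    declaration and schema attributes are omitted for brevity.
    """
    if not password:
        raise ValueError("password=required needs a non-empty secure parameter")
    if not computer_ids:
        raise ValueError("at least one target computer ID is required")
    bes = ET.Element("BES")
    action = ET.SubElement(bes, "SourcedFixletAction")
    src = ET.SubElement(action, "SourceFixlet")
    ET.SubElement(src, "Sitename").text = site
    ET.SubElement(src, "FixletID").text = str(fixlet_id)
    ET.SubElement(src, "Action").text = action_name
    target = ET.SubElement(action, "Target")
    for cid in computer_ids:
        ET.SubElement(target, "ComputerID").text = str(cid)
    # The password travels only here, never inside the action script itself.
    secure = ET.SubElement(action, "SecureParameter", Name=SECURE_NAME)
    secure.text = password
    return ET.tostring(bes, encoding="unicode")


def redact(xml_text):
    """Return a copy of the XML that is safe to log: secure values are masked."""
    root = ET.fromstring(xml_text)
    for el in root.iter("SecureParameter"):
        el.text = "***"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import getpass
    # Placeholder site, Fixlet ID and computer ID; prompt instead of hard-coding.
    xml_text = build_action("Example Site", 101, "Action1", [12345],
                            getpass.getpass("Override password: "))
    print(redact(xml_text))
```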