Trying to run a PowerShell Script in BigFix

Hi, I’m trying to import a PowerShell module and run a PowerShell script from a BigFix action script, but the Import-Module part isn’t working. I currently have the module on a network share, and it runs fine if I run it manually from any server on our network. And if I import the module using c:\> Import-Module \\file1\systems\modules\UserRights and then run the BigFix task against that server, the file runs and the local security policy gets changed to how we want it. But importing the module from within the BigFix action script isn’t working.

This is what I’m trying to do. Any help or suggestions would be greatly appreciated.

// Disable wow64 redirection on x64 OSes
action uses wow64 redirection {not x64 of operating system}

delete __createfile

createfile until EOF_EOF_EOF

Import-Module \\file1\systems\scripts\modules\UserRights
$service = Get-UserRightsGrantedToAccount -account AD_LocalSecurity_LogOnAsAService
$batch = Get-UserRightsGrantedToAccount -account AD_LocalSecurity_LogOnAsBatch

# Check to see if 1. AD_LocalSecurity_LogOnAsAService has any rights assigned to it and
# 2. If it specifically has the SeServiceLogonRight assigned to it.
if (!$service -or "SeServiceLogonRight" -notin $service.right)
{
## Assign the "Log on as a service" right.
grant-userright -right SeServiceLogonRight -account AD_LocalSecurity_LogOnAsAService
}

# Check to see if 1. AD_LocalSecurity_LogOnAsBatch has any rights assigned to it and
# 2. If it specifically has the SeBatchLogonRight assigned to it.
if (!$batch -or "SeBatchLogonRight" -notin $batch.right)
{
grant-userright -right SeBatchLogonRight -account AD_LocalSecurity_LogOnAsBatch
}
EOF_EOF_EOF

delete "c:\javelin.ps1"
copy __createfile "c:\javelin.ps1"

waithidden C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -file "C:\javelin.ps1"

A common issue people run into when running PowerShell scripts in BigFix is that you need to escape any { characters in the script with a second {, otherwise BigFix thinks you are trying to do relevance substitution. More info here: https://developer.bigfix.com/action-script/guide/substitution.html

It’s also very likely that the LocalSystem computer account cannot reach UNC shares. Computer accounts are not usually allowed to map network drives or see UNC paths (with good reason - it is a security nightmare).

You could post the module on an internal web server and download it in the action, or use the Manage Software Deployment Dashboard to upload the module and build a task template for you. Just keep the download command for the module, replace the actionscript with your own commands, and source the module from the __Download folder instead of from the UNC share.
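The original action rewritten with the two points above applied, as an added example (not alinder’s or the original poster’s script): the module comes down through a prefetch from the BigFix server instead of a UNC share, and every { meant for PowerShell is doubled so the client does not read it as a relevance substitution. The prefetch hash, size and URL are placeholders that the Software Distribution wizard would fill in; the module name, cmdlets and account names are the ones from the question, and the temp path is an assumption.

```powershell
// Added example: BigFix action script wrapping the PowerShell from the question.
// Placeholders in <...> must be replaced with the values the wizard generates.

// 1. Download the module from the BigFix relay/server. The client runs as
//    LocalSystem, which normally cannot read \\file1\... shares.
prefetch UserRights.psm1 sha1:<SHA1_PLACEHOLDER> size:<SIZE_PLACEHOLDER> http://<BES_SERVER>:52311/Uploads/<PLACEHOLDER>/UserRights.psm1 sha256:<SHA256_PLACEHOLDER>

// Disable wow64 redirection on x64 OSes
action uses wow64 redirection {not x64 of operating system}

// 2. Put the module where Import-Module finds it by name.
//    Parent folders are assumed to exist; create them first otherwise.
if {not exists folder "C:\Program Files\WindowsPowerShell\Modules\UserRights"}
folder create "C:\Program Files\WindowsPowerShell\Modules\UserRights"
endif
copy __Download\UserRights.psm1 "C:\Program Files\WindowsPowerShell\Modules\UserRights\UserRights.psm1"

// 3. Write the script. Inside createfile, every { intended for PowerShell is
//    written as {{ ; a single { starts a BigFix relevance substitution.
delete __createfile
createfile until EOF_EOF_EOF
Import-Module UserRights

$service = Get-UserRightsGrantedToAccount -account AD_LocalSecurity_LogOnAsAService
# 1. Has the account any rights at all? 2. Does it hold SeServiceLogonRight?
if (!$service -or "SeServiceLogonRight" -notin $service.right)
{{
    ## Assign the "Log on as a service" right.
    Grant-UserRight -right SeServiceLogonRight -account AD_LocalSecurity_LogOnAsAService
}}

$batch = Get-UserRightsGrantedToAccount -account AD_LocalSecurity_LogOnAsBatch
if (!$batch -or "SeBatchLogonRight" -notin $batch.right)
{{
    Grant-UserRight -right SeBatchLogonRight -account AD_LocalSecurity_LogOnAsBatch
}}

# Re-read and exit non-zero if either grant is still missing, so the action can fail visibly.
$service = Get-UserRightsGrantedToAccount -account AD_LocalSecurity_LogOnAsAService
$batch   = Get-UserRightsGrantedToAccount -account AD_LocalSecurity_LogOnAsBatch
if ("SeServiceLogonRight" -notin $service.right -or "SeBatchLogonRight" -notin $batch.right) {{ exit 1 }}
EOF_EOF_EOF

// 4. Drop the script in a temp location (assumed path), run it, clean up.
delete "C:\Windows\Temp\javelin.ps1"
copy __createfile "C:\Windows\Temp\javelin.ps1"

waithidden "{pathname of system folder}\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NonInteractive -File "C:\Windows\Temp\javelin.ps1"
// Without this line a non-zero exit from PowerShell would still report the action as Completed.
continue if {exit code of action = 0}

delete "C:\Windows\Temp\javelin.ps1"
```

The `continue if {exit code of action = 0}` line is what turns the script’s `exit 1` into a Failed action in the console; without it the action reports success regardless of what PowerShell returned. Note that `}` never needs doubling, only `{`.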

alinder, thank you I’m going to look at that guide now and see if it helps me. I’ll be sure to follow up with a status.

Thanks JasonWalker, I’m going to give that a try. I’ll follow up with the status.

Setting a GPO for the user rights may be easier (subject to your environment).

Another alternative is to use secedit.

Create an inf file with the appropriate rights. Domain users or groups would show up as a GUID as such:
SeBatchLogonRight = somelocaluser,*S-1-5-21-2761394375-1483249590-49030014-58412,*S-1-5-32-544

wait cmd /C secedit /configure /db secedit.sdb /cfg C:\Temp\UserRights.inf

We’ve used both successfully in our environment depending on the circumstance.
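A worked version of the secedit route, added here as an example and not JasonWalker’s own script: a PowerShell script that exports the current user-rights assignment, resolves the account to its SID (the *S-1-... form shown above), merges it into the existing holder list, applies the template with secedit and re-exports to verify. The account name and working folder are assumptions. The merge step matters because a right listed in a template is the complete list of holders for that right, not an addition: a template containing only your new SID would remove everyone else who held it.

```powershell
# Added example (not from the thread): grant one user right with secedit without
# clobbering the accounts that already hold it. Account and paths are assumptions.
param(
    [string]$Right   = 'SeBatchLogonRight',
    [string]$Account = 'CONTOSO\AD_LocalSecurity_LogOnAsBatch'   # assumed domain\name
)

$work   = Join-Path $env:SystemRoot 'Temp\userrights'             # assumed scratch folder
$null   = New-Item -ItemType Directory -Path $work -Force
$export = Join-Path $work 'current.inf'
$apply  = Join-Path $work 'apply.inf'
$db     = Join-Path $work 'apply.sdb'
$log    = Join-Path $work 'secedit.log'

# Templates list accounts as SIDs prefixed with '*'; resolve the name up front
# so a typo in the account fails here rather than silently inside secedit.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Export only the user-rights area and pull the line for this right (it may be absent).
& secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
$line = Get-Content $export | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
$holders = @()
if ($line) {
    $holders = @((($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

if ($holders -contains "*$sid") {
    Write-Output "$Account already holds $Right; nothing to do."
    return
}

# 2. Build a template that keeps the existing holders and adds ours.
#    A [Privilege Rights] line is the COMPLETE list for that right, so never write only the new SID.
$merged = (@($holders) + "*$sid") -join ','
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Right = $merged
"@ | Set-Content -Path $apply -Encoding Unicode

# 3. Apply the user-rights area only, then verify by exporting again rather than trusting the exit code.
& secedit.exe /configure /db $db /cfg $apply /areas USER_RIGHTS /log $log /quiet | Out-Null
& secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
$after = Get-Content $export | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
if ($after -and ($after -match [regex]::Escape("*$sid"))) {
    Write-Output "Granted $Right to $Account ($sid)."
} else {
    Write-Error "secedit ran but $Right for $Account is not present in the exported policy; see $log"
    exit 1
}
```

Run it elevated (under BigFix it runs as LocalSystem, which is enough). The same file can be dropped into an action with createfile and launched with waithidden, remembering to double the `{` characters as discussed earlier in the thread.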

If that is true, then wouldn’t deploying LocalGPO with BigFix work just as well?

Setting local policy is exactly what the secedit alternative does.

Which method is best/easiest will depend on one’s environment. I’ve found occasions to use both methods.


This… @jonl is right, apologies I focused on ‘powershell from UNC path’ and didn’t focus on the original intent. This can most easily be handled by ‘secedit’ (which LGPO also uses for all of the ‘Local Security Policy’ things).


ah, I didn’t realize that about the LGPO utilities, but it makes sense.

Hey guys, sorry for the delay. But I was able to get the PowerShell module running by using the software distribution wizard, then extracting, creating a folder, copying the file to the folder, creating the script file and running it via PowerShell. Not sure this is the best way. But the person that gave me this task told me we weren’t able to use GPO for some reason or other. This is what I ran to get it working.

prefetch a7294e1b1f638f84c2dca7505f443935822fc804 sha1:a7294e1b1f638f84c2dca7505f443935822fc804 size:13571 http://172.16.0.32:52311/Uploads/a7294e1b1f638f84c2dca7505f443935822fc804/UserRights.psm1.tmp sha256:747562c3a7b248bf3b781faef0706554e2bb22b707c231432b0059de8ff8dc3c
extract a7294e1b1f638f84c2dca7505f443935822fc804

// Disable wow64 redirection on x64 OSes
action uses wow64 redirection {not x64 of operating system}

// The next three if-then-endif blocks test for the existence of the needed folders and create any that do not exist. Presumption is that the C:\Program Files folder exists…

if {not exists folder "C:\Program Files\WindowsPowerShell"}
folder create "C:\Program Files\WindowsPowerShell"
endif

if {not exists folder "C:\Program Files\WindowsPowerShell\Modules"}
folder create "C:\Program Files\WindowsPowerShell\Modules"
endif

if {not exists folder "C:\Program Files\WindowsPowerShell\Modules\UserRights"}
folder create "C:\Program Files\WindowsPowerShell\Modules\UserRights"
endif

// Move the file to the needed location.
move __Download\UserRights.psm1 "C:\Program Files\WindowsPowerShell\Modules\UserRights\UserRights.psm1"

delete __createfile

createfile until EOF_EOF_EOF

Import-Module UserRights
$service = Get-UserRightsGrantedToAccount -account AD_LocalSecurity_LogOnAsAService
$batch = Get-UserRightsGrantedToAccount -account AD_LocalSecurity_LogOnAsBatch

# Check to see if 1. AD_LocalSecurity_LogOnAsAService has any rights assigned to it and
# 2. If it specifically has the SeServiceLogonRight assigned to it.
if (!$service -or "SeServiceLogonRight" -notin $service.right)
{
## Assign the "Log on as a service" right.
grant-userright -right SeServiceLogonRight -account AD_LocalSecurity_LogOnAsAService
}

# Check to see if 1. AD_LocalSecurity_LogOnAsBatch has any rights assigned to it and
# 2. If it specifically has the SeBatchLogonRight assigned to it.
if (!$batch -or "SeBatchLogonRight" -notin $batch.right)
{
grant-userright -right SeBatchLogonRight -account AD_LocalSecurity_LogOnAsBatch
}
EOF_EOF_EOF

delete "c:\javelin.ps1"
copy __createfile "c:\javelin.ps1"

waithidden C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -file "C:\javelin.ps1"

Thanks guys for your help. I’m new here, so it’s nice to know there are talented folks like you willing to lend a hand. Also, I should have taken the robot’s advice or tutorial on how best to use this site, with replies and all, haha…


I use the software distribution tool myself. Here’s something typical I toss together:

prefetch blah blah blah
extract blah blah blah

//clean up any previous messes (same script name as is copied and deleted below)
delete C:\windows\temp\someexe.exe
delete C:\windows\temp\script.ps1

//put installer in temp
copy __Download\someexe.exe C:\windows\temp\someexe.exe

//create script
createfile until psend
( any powershell script, just use replace all in notepad to make any { into a double {{ )
psend

//copy script to temp
copy __createfile C:\windows\temp\script.ps1

//run script
dos powershell -file C:\windows\temp\script.ps1

//wait to clean up while stuff processes
dos powershell -command start-sleep 30

//clean up
delete C:\windows\temp\someexe.exe
delete C:\windows\temp\script.ps1


Looks good, I’ll keep this one bookmarked for the next time I’m asked for a similar task.

Thanks!
Jose