Windows 7 Interactive Installers - User has no admin privileges

(imported comment written by MattBoyd)

I completely agree with you Paul.

(imported comment written by macook91)

Why do I find it funny that the latest Tivoli console upgrade fixlet is an interactive installer run as System which pops up the annoying (and apparently deadly) interface when run on a Windows 7 machine?

(imported comment written by BenKus)

I am so close to making the runaslocaladmin tool… but the damn runas command won’t allow you to insert a password from the commandline and I can’t embed psexec in this tool… sigh… i will keep on it…

macook, I am not sure what you mean about the interactive installer, but it sounds like a bug…

Ben

(imported comment written by BenKus)

OK… working with Jeremy from the dev team, we may have come up with something…

I need some people to try it out… Can you please email me if you want to try this solution and if it works, we can post it…

Thanks!

Ben

(imported comment written by SystemAdmin)

Hi Ben, I’ve almost got this working - currently however, it requires the user with no admin privileges to logout/login again. Therefore it appears that it needs to be two tasks: one that sets permission to the current user and one to work after the user logs out and in again (the logging out can be automated). This is a massive kludge though; I am desperate to get this working before next week and would dearly like to test it out. Good talking to you at Pulse btw! :wink:

I’m trying something out that works… however it requires the user to logout/login before it can take effect. I tried to stop/start some services but that had no impact whatsoever:

begin prefetch block
add prefetch item sha1=44f598be7fc117f1f949f87cccec0d07f7260b56 size=2771482 url=http://svmhsesc01.stvincents.com.au:52311/Uploads/44f598be7fc117f1f949f87cccec0d07f7260b56/MeadCo.tmp
add prefetch item name=RunAsCurrentUser.exe sha1=ee47505ebfb2790b9da8a20ed70e67158e9753d0 size=342528 url=http://software.bigfix.com/download/bes/util/RunAsCurrentUser-2.0.3.1.exe
end prefetch block

extract MeadCo.tmp

//
// Create batch file
// (the batch file embeds a temporary local admin account and its password in plain text
//  and is written into the user's profile, so it must be cleaned up even if smsx.exe fails)
//

if {exists (name of logged on user)}
action uses wow64 redirection false
delete __appendfile
delete __Download\run_smsx.cmd
appendfile @echo off
appendfile cd C:\Documents and Settings\%USERNAME%
// net.exe lives in System32 and is on the PATH, so it is invoked by name rather than from the current folder
appendfile net user tem password /add
appendfile net localgroup "administrators" tem /ADD
appendfile .\PsExec.exe /accepteula -u tem -p password .\smsx.exe /q
appendfile .\sleep 3
appendfile rem cleaning up...
appendfile net localgroup "administrators" tem /DELETE
appendfile net user tem /DELETE
appendfile

//
// Copy files to user area where they can be successfully copied to
// (copy fails if the target exists, hence the delete first)
//
if {exists (file ("C:\Documents and Settings\" & (name of logged on user) & "\run_smsx.cmd"))}
delete "C:\Documents and Settings\{name of logged on user}\run_smsx.cmd"
copy __appendfile "C:\Documents and Settings\{name of logged on user}\run_smsx.cmd"
else
copy __appendfile "C:\Documents and Settings\{name of logged on user}\run_smsx.cmd"
endif

//more copies...

//
// Give user temporary administrator's access to execute apps
//
waithidden cmd /c net localgroup "administrators" SVMHS\{name of logged on user} /ADD
waithidden cacls "C:\Documents and Settings\{name of logged on user}" /t /e /g SVMHS\{name of logged on user}:F

//
// Attempt here to enact privileges without having to log out
//

if {(exists (selects "Name from Win32_Process where Name = 'lsass.exe'" of wmi))}
waithidden cmd /c net stop "Net Logon"
waithidden cmd /c net stop "Secondary Logon"
// (exits with exit code '2')
waithidden cmd /c net stop "Security Accounts Manager"
// (exits with exit code '2')
waithidden cmd /c net stop "Workstation"
//
waithidden cmd /c net start "Net Logon"
waithidden cmd /c net start "Secondary Logon"
waithidden cmd /c net start "Security Accounts Manager"
waithidden cmd /c net start "Workstation"
endif

//
// Run batch file as user masquerading as administrator
//
waithidden "C:\Documents and Settings\{name of logged on user}\RunAsCurrentUser.exe" --w "C:\Documents and Settings\{name of logged on user}\run_smsx.cmd"

//
// Revoke admin access
//
waithidden cacls __Download /t /e /r {name of logged on user}
waithidden cmd /c net localgroup "administrators" {name of logged on user} /DELETE

endif

(imported comment written by MattBoyd)

aardvarke, that’s a really creative script. However, it seems like you’d actually be better off (IMO) using PSEXEC to spawn an interactive process. Something like ‘psexec.exe -i 1 setup.exe’ should spawn the process interactively as SYSTEM (I’m going off memory here).

Although the SYSTEM account is technically more privileged than the local administrator account, I don’t see how the local admin account is any more secure. With the local admin account, you can spawn a process as SYSTEM anyway (with PSEXEC, in fact). Even temporary access to the local administrator account could theoretically allow an attacker to install a stealth tool or backdoor, or even just create another local account with administrative rights.

(imported comment written by SystemAdmin)

Has there been any progress on this?

Is it now possible to have an installation display installation progress (say office 2010) to a user that doesn’t have admin permissions and UAC running?

(imported comment written by RakeshSasi)

Hi,

I am getting the following error while create an instance using madconfig create_instance utility -

wrapper | Unable to install the IBM Initiate Master Data Engine 10.0.0 Bootcamp

service - Access is denied. (0x5)

wrapper | Performing this action requires that you run as an elevated process.

Return Code: 1, Time elapsed: 0.468 sec

Does any one know how to resolve this ?

Thanks,

Rakesh

(imported comment written by MBARTOSH)

Has there been any progress with this issue?

This is what we are using, but it is a kluge, and it doesn’t fit with “Manage Software Distribution” Dashboard.

waithidden "{parameter "installdir"}\PsExec.exe" -accepteula -s -i {if (major version of operating system < 6) then 0 else session id of logged on user} "{parameter "installdir"}\notepad.exe"

My current issue is how to get the above statement to work with run.bat.

waithidden "{parameter "baseFolder"}\PsExec.exe" -accepteula -s -i {if (major version of operating system < 6) then 0 else session id of logged on user} -w "{parameter "installdir"}" "run.bat"

I am going to try:

waithidden "{parameter "baseFolder"}\PsExec.exe" -accepteula -i {if (major version of operating system < 6) then 0 else session id of logged on user} -w "{parameter "installdir"}" "cmd.exe /c run.bat"
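Putting MattBoyd's PsExec suggestion and MBARTOSH's session-id relevance together, here is an added action script (written for this page, not posted by anyone in the thread) that shows the installer's UI in the logged-on user's session while it runs as SYSTEM, so no temporary admin account or Administrators membership is handed out; it also removes the "tem" account from the earlier script if a previous run died before its cleanup lines. It assumes PsExec.exe and a placeholder setup.exe have already been prefetched into __Download.

```bigfix
// Added example, not from any poster in this thread.
// Assumes a prefetch block (real sha1/size/url values) has already placed
// PsExec.exe and setup.exe (placeholder installer name) into __Download.

// Without a logged-on user there is no desktop to show the installer on, so fail and let it retry later.
if {exists (name of logged on user)}
action uses wow64 redirection false

// Absolute path to this action's download folder; PsExec's -w needs an absolute working directory.
parameter "dl" = "{pathname of client folder of current site}\__Download"

// Session 0 is the interactive session on XP/2003; on Vista/7 (major version >= 6)
// the console user lives in a separate session, so that id is what PsExec -i needs.
parameter "session" = "{if (major version of operating system < 6) then 0 else session id of logged on user}"

// -s keeps the installer running as SYSTEM (no password written to disk, no admin grant to the user),
// -i puts its window in the user's session, -accepteula suppresses the EULA dialog.
waithidden "{parameter "dl"}\PsExec.exe" -accepteula -s -i {parameter "session"} -w "{parameter "dl"}" "{parameter "dl"}\setup.exe" /q

else
exit 1
endif

// Housekeeping for the temp-admin script earlier in the thread: if a previous run created
// the local "tem" administrator and never reached its cleanup lines, remove it now.
if {exists (selects "Name from Win32_UserAccount where LocalAccount = True and Name = 'tem'" of wmi)}
waithidden cmd /c net localgroup "administrators" tem /DELETE
waithidden cmd /c net user tem /DELETE
endif
```

Because the installer still runs as SYSTEM, the user can interact with its dialogs but never holds admin rights of their own, which removes the "create another local admin" exposure MattBoyd points out.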

(imported comment written by JasonWalker)

Did you get any results out of changing to “cmd.exe /c run.bat”?

Also wanted to bump this thread. Is there a “runasadmin” out there yet? I can see at least three use cases.

  1. An application that will not install when executed in the SYSTEM account, but will install (silently) when run under an Administrator account. Sadly, some of IBM’s own Rational products fall into this category; as does Java Runtime (have a look at the hackery involved in the JRE installer fixlets, to create the directory junctions that don’t exist in SYSTEM’s profile but the JRE installer depends on). So it may be easier to have the program run under an Administrator account (maybe a temporary Administrator account), than to make it work under SYSTEM.

  2. Installers that require some kind of interaction. Agreed, for the most part we can find ways to re-create the installers, but there are cases where it’s simply not worth the investment to do so. A lot of InstallShield products these days can chain-load several different installers, passing values between them. I’d like to be able to send an Action from the console to let the user guide the installation. I’ll be keeping a log of it, so if the user decides it’s also a good time to load up his favorite games, well, there’s an Action I can take for that too.

  3. Allowing an end-user to run specific programs (via Offers) without granting them full Administrator rights. This is a case we’re looking at now, where we may want a client machine to give an end-user control over some routing table configuration or firewall rules configuration.

(imported comment written by ne1)

runasadmin would be a great utility.

The Tivoli Framework Agent version 4.3.1 had the ability to run as the Built-In Administrator account on Windows 7. If any of those guys are still around perhaps someone from IBM could ask them, since Tivoli framework is an IBM product. It was a neat feature, we didn’t understand how it was being done since the built-in Admin account was disabled.