Thursday, April 14, 2011

Restricted Groups Added to all domains

This afternoon, I went ahead and added the Restricted Groups GPOs to both the STUDENT and STUDENT2 domains.
This will add the CMP_WS_Admins_Access group, which will give local admin access to the appropriate groups, including the TaskRunner service account.

In the past 2 days I have been performing some major research regarding UAC and elevated privileges. Without getting into much detail, it's quite a complex situation, and part of the reason why some of the swinstall.exe runs aren't running the tasks correctly on Windows 7 is that the tasks aren't running with the required elevated privileges.

Since I have changed the Restricted Groups policies, we should hopefully get some added privileges on the workstations that will allow the TaskRunner account to run correctly.

The one thing that is left, which I still don't seem to have a specific answer to, is the fact that the Scheduled Tasks on Windows 7, which are supposed to get created to run with Elevated Privileges, are in fact not, for reasons I won't get into in this post. I have tested some workstations, and it seems that the domain admin of the particular domain, i.e. STUDENT\Administrator on STUDENT, will set up the privileges correctly on the scheduled task.
If you check the scheduled task, you should be able to see something like this:

Note that "Run with Highest Privilege" is checked.
If that checkbox is not checked, it is unlikely that the installation will run. I'm still trying to look for a way to get this to work. We can definitely accomplish this by completely turning off UAC (it is not currently completely disabled), but I'm trying to avoid doing this because the Windows 7 Security Center Notification Alerts would start popping up for the users (this is fixable, but again, it's a registry change I'd have to push).
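The checkbox can also be verified without opening the Task Scheduler GUI on each workstation. The script below is an added example, not part of the original post: it reads the task definition with schtasks.exe and reports the RunLevel value that backs the checkbox. The task name and the computer list are placeholders (the post does not name the task), and the script sticks to PowerShell 2.0 syntax so it runs on a stock Windows 7 machine.

```powershell
# Added example. $TaskName and $Computers are placeholders, not values from the post.
param(
    [string]   $TaskName  = '\ExampleInstallTask',   # hypothetical task name
    [string[]] $Computers = @($env:COMPUTERNAME)     # workstations to audit
)

function Get-TaskRunLevel {
    param([string]$Computer, [string]$Name)

    # Query the local machine directly; add /s only for remote workstations.
    $schArgs = @('/query', '/tn', $Name, '/xml')
    if ($Computer -ne $env:COMPUTERNAME) { $schArgs += @('/s', $Computer) }

    # schtasks prints the task definition as XML; errors are discarded so a
    # missing task or unreachable machine shows up as empty output.
    $raw = (& schtasks.exe $schArgs 2>$null | Out-String).Trim()

    $result = New-Object PSObject -Property @{
        Computer = $Computer; Task = $Name; RunAs = $null
        RunLevel = 'NotFound'; Elevated = $false
    }
    if ($LASTEXITCODE -ne 0 -or -not $raw) { return $result }

    $principal = ([xml]$raw).Task.Principals.Principal

    # "Run with highest privileges" is stored as <RunLevel>HighestAvailable</RunLevel>.
    # A definition without a <RunLevel> element defaults to LeastPrivilege.
    $level = if ($principal.RunLevel) { $principal.RunLevel } else { 'LeastPrivilege' }
    $runAs = if ($principal.UserId) { $principal.UserId } else { $principal.GroupId }

    $result.RunAs    = $runAs
    $result.RunLevel = $level
    $result.Elevated = ($level -eq 'HighestAvailable')
    return $result
}

# One row per workstation; Elevated = False marks tasks created without the checkbox.
$Computers |
    ForEach-Object { Get-TaskRunLevel -Computer $_ -Name $TaskName } |
    Select-Object Computer, Task, RunAs, RunLevel, Elevated |
    Format-Table -AutoSize
```

Rows with Elevated set to False are the tasks that will hit the UAC problem described above, so they can be found and recreated without turning UAC off.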

Also, many of you were asking about alternate methods of installing all these agents.
There are tons of ways, but I will share the simplest one, which essentially allows you to run the batch files that install these agents manually. Here are the paths to them:
KACE Installer: \\do-tech\scripts$\swinstallscripts\installkace.bat
Nod32: \\do-tech\scripts$\SWInstallScripts\installnod32.bat
and if that doesn't work, you can try this batch file instead:
\\do-tech\scripts$\SWInstallScripts\InstallNod32Simple.bat
Dameware: \\do-tech\scripts$\SWInstallScripts\installdameware.bat
and you can even trigger the LANDesk uninstaller manually (this does NOT force reboot the machine):
\\do-tech\scripts$\SWInstallScripts\removelandesk-man.bat

If the level of success is still not too high with these, let me know, and I can think of something different from the above.

Hope these steps will help make your lives a bit easier in regards to agent installations.
I'm doing my best to get things as smooth as possible. Unfortunately, with all the variants of OS, machines, networks, etc ... it's quite challenging to get something that works across the board.

Thanks for your patience during the process.
