Legacy application installations

Catch 22.
The batch file is on the mapped drive, which is not accesible until you map
it.
Recall that just trying the "Run as Administrator" on the cmd file fails.
I had to start a cmd.exe window (with "Run as Administrator") and the map
the drive within the session.
- Mike

"Paul Adare - MVP" wrote:

> On Tue, 8 Jul 2008 03:30:13 -0700, Mike_g wrote:
>
> > In our normal process the drives are mapped during login.
> >
> > Hopefully there is a way to fix this. I had thought that "Run as
> > Administrator" just eleveted the current user's privileges (like the on VMS
> > model).
>
> No, that's not the way runas works. Why not map the drives required in the
> batch file itself?
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> One picture is worth 128K words.
>

Hi Mike,

I agree with Paul, we cannot "Run as Administrator" of the batch file in
the mapped driver session since it only elevate the current local user’s
privilege not the remote user's privilege. However, it is better for us to
customize a batch file to map the drives locally.

For your convenience, I have list the following link to TechNet Script
Center which provides some example of the scripts, just for your reference:

TechNet Script Center
http://www.microsoft.com/technet/scriptcenter/default.mspx

Hope the issue will be resolved soon.
David Shen
Microsoft Online Partner Support

David,
If I follow your path I need to distribute a batch file to thousands of
computers instead of just using one copy on the mapped drive. And it's sole
purpose is to map drive after you change security context.
There must be a better way!

i have been on the Script Center page before. Are you referring to the
Elevation Power Toys? Of something else.
- Mike

"David Shen [MSFT]" wrote:

> Hi Mike,
>
> I agree with Paul, we cannot "Run as Administrator" of the batch file in
> the mapped driver session since it only elevate the current local user’s
> privilege not the remote user's privilege. However, it is better for us to
> customize a batch file to map the drives locally.
>
> For your convenience, I have list the following link to TechNet Script
> Center which provides some example of the scripts, just for your reference:
>
> TechNet Script Center
> http://www.microsoft.com/technet/scriptcenter/default.mspx
>
> Hope the issue will be resolved soon.
> David Shen
> Microsoft Online Partner Support
>
>

Hello Mike,

Thanks for the reply.

According to your description, your purpose is that you want to distribute
the arbortext.msi to thousands of computers instead of just using one copy
on the mapped driver.

Based on the further research, I find a better way to distribute the msi
file, just for your reference.

Analysis and Suggestion:
=========================

We may create a new Group Policy Object on the domain controller, and
configure Software installation to assign or to publish software to all the
computers (Computer Configuration\Software Settings\Software Installation)
within a domain. It is best practice to be able to deploy software based on
group membership. We can link the GPO to the domain level to deploy to all
the computers within the domain. In this way, there is no need for us to
write a script or map a driver.

For you convenience, I have list the general steps to configure the
software installation policy as follow.

General Steps:
===============

1. Create a software package folder as a distribution point

Please note:

If the application installation file resides on the local hard disk of the
server, please do not use a local path. Instead, use the UNC
path of the local computer to indicate the location of the installation
files. An example of UNC path takes the form like
\\servername\sharename\path\filename.msi.

2. Grant "Domain Computers" group with full control both share and NTFS
security permission on the software package folder.

3. Create a Group Policy object (GPO) for the customer application software
deployments.

Please refer to:

How to assign software to a specific group by using Group Policy in Windows
Server 2003
http://support.microsoft.com/kb/324750

4. Deploy file from the shared distribution folder as machine-assigned
Group Policy (Computer Configuration\Software Settings\Software
Installation)

Please refer to:

How to assign software to a specific group by using Group Policy
http://support.microsoft.com/kb/302430

6. After the deployment of Group Policy, please run "gpupdate /force" on
both domain controller and clients to refresh the Group Policy.

7. You may reset the clients to wait for the processing of Group policy to
deploy the customer software.

For more detailed information, you may refer to:

How to use Windows Installer and Group Policy to deploy the VPModule.msi in
an Active Directory domain
http://support.microsoft.com/kb/887405

Hope it helps.

David Shen
Microsoft Online Partner Support

David,
We have hundreds of different applications to install over many different
computers.
We only install on the systems that need it and the Group Policy method of
installation would be very inefficient for our needs.
Is there some way to embed into the .cmd file a call to some application
that requests privilege elevation?
Like:
--------------------------------------
:@echo off
\\server\share\elevate.exe
msiexec ...
--------------------------------------


"David Shen [MSFT]" wrote:

> Hello Mike,
>
> Thanks for the reply.
>
> According to your description, your purpose is that you want to distribute
> the arbortext.msi to thousands of computers instead of just using one copy
> on the mapped driver.
>
> Based on the further research, I find a better way to distribute the msi
> file, just for your reference.
>
> Analysis and Suggestion:
> =========================
>
> We may create a new Group Policy Object on the domain controller, and
> configure Software installation to assign or to publish software to all the
> computers (Computer Configuration\Software Settings\Software Installation)
> within a domain. It is best practice to be able to deploy software based on
> group membership. We can link the GPO to the domain level to deploy to all
> the computers within the domain. In this way, there is no need for us to
> write a script or map a driver.
>
> For you convenience, I have list the general steps to configure the
> software installation policy as follow.
>
> General Steps:
> ===============
>
> 1. Create a software package folder as a distribution point
>
> Please note:
>
> If the application installation file resides on the local hard disk of the
> server, please do not use a local path. Instead, use the UNC
> path of the local computer to indicate the location of the installation
> files. An example of UNC path takes the form like
> \\servername\sharename\path\filename.msi.
>
> 2. Grant "Domain Computers" group with full control both share and NTFS
> security permission on the software package folder.
>
> 3. Create a Group Policy object (GPO) for the customer application software
> deployments.
>
> Please refer to:
>
> How to assign software to a specific group by using Group Policy in Windows
> Server 2003
> http://support.microsoft.com/kb/324750
>
> 4. Deploy file from the shared distribution folder as machine-assigned
> Group Policy (Computer Configuration\Software Settings\Software
> Installation)
>
> Please refer to:
>
> How to assign software to a specific group by using Group Policy
> http://support.microsoft.com/kb/302430
>
> 6. After the deployment of Group Policy, please run "gpupdate /force" on
> both domain controller and clients to refresh the Group Policy.
>
> 7. You may reset the clients to wait for the processing of Group policy to
> deploy the customer software.
>
> For more detailed information, you may refer to:
>
> How to use Windows Installer and Group Policy to deploy the VPModule.msi in
> an Active Directory domain
> http://support.microsoft.com/kb/887405
>
> Hope it helps.
>
> David Shen
> Microsoft Online Partner Support
>
>

Hi Mike,

Is there some way to embed into the .cmd file a call to some application
that requests privilege elevation?

No. Because of the existing of the UAC feature on Windows Vista, we cannot
call the application that requests privilege elevation within a batch file.

You may disable the UAC feature on the Windows Vista boxes or you may logon
these system with local administrator credential to install these
application.

Hope it helps.

David Shen
Microsoft Online Partner Support