3 Replies Latest reply on Oct 10, 2011 9:10 AM by Jared Barneck

    Can't get provisioning to see cmd.exe

    baffoni Apprentice

      I'm trying to do software install from our DFS replicated shares regardless of whether a user is logged in or not.  Since I can't get localsystem to connect to the shares (even though I've given "domain computers" read access to share and file permissions), I thought I would do an end-run around limitations of "software deployment" (e.g. all you get is logged in user context or local system - no "run as" a specific AD account option) and use a provisioning script to do the same thing.  I've created a provisioning script that maps drive letters to all servers, then copies the install.bat file to a local subdirectory (new folder in c:\software).  However, when the provisioning script goes to "execute file", I can neither call the batch file directly, nor call c:\windows\system32\cmd /c "c:\software\install.bat" because the provision error is the same "file not found".  I'm installing on 64bit Windows 7, and I've seen the references to using "%windir%\sysnative", but replacing c:\windows\system32 with %windir%\sysnative doesn't help.

       

      Running Win7 64bit, I couldn't even use the (3 year old) guide on batch file programming because Win7 has a prohibition of allowing system to interactively run in the user context.  No way to see what the localsystem user can see/access/etc.  Ugh.

       

      If it matters, for now we are running LD8.8 Sp4 (although hopefully not for long).

       

      Does anyone else have any suggestions for running batch files that must access DFS share resources?

        • 1. Re: Can't get provisioning to see cmd.exe
          Jared Barneck SupportEmployee

          I thought 8.8 had the preferred package server (PPS) option, where you enter a path and credentials? Or does only 9 have that? I thought 8.8 had it.

           

          8.8 should have it. Configure that option and then you will be authenticated to that share with the credentials you have entered in the PPS settings.

          • 2. Re: Can't get provisioning to see cmd.exe
            baffoni Apprentice

            Although a PPS will allow me to connect to the server and download say the batch file, will it run the batch file (and the paths in it) as the credentials of the PPS?  I don't believe so.  It is possible that the UNC used to locate the batch file may be left open during the running of the batch file (although I doubt it, I would expect the UNC to be disconnected after downloading any necessary files), however DFS is a funny thing, and you can't guarantee that it will _always_ connect to the local server (although it usually does), so it could leave an issue where PPS connects properly to local server A, but DFS redirect points the batch to run/download files from ServerB.  However, if PPS points to Server A and leaves it open during the duration of running the batch, and if DFS redirects to the same server, this would probably work.

             

            Honestly, I wish that "domain computers" group would actually allow the localsystems account to access the domain shares like you would think that it would (no luck so far on that, at least not on NAS and Windows 2003 shares).  Then I could just run the batch as local system and not worry about it.

            • 3. Re: Can't get provisioning to see cmd.exe
              Jared Barneck SupportEmployee

              Michael Baffoni wrote:

               

              Although a PPS will allow me to connect to the server and download say the batch file, will it run the batch file (and the paths in it) as the credentials of the PPS?  I don't believe so.  It is possible that the UNC used to locate the batch file may be left open during the running of the batch file (although I doubt it, I would expect the UNC to be disconnected after downloading any necessary files), however DFS is a funny thing, and you can't guarantee that it will _always_ connect to the local server (although it usually does), so it could leave an issue where PPS connects properly to local server A, but DFS redirect points the batch to run/download files from ServerB.  However, if PPS points to Server A and leaves it open during the duration of running the batch, and if DFS redirects to the same server, this would probably work.

               

              Honestly, I wish that "domain computers" group would actually allow the localsystems account to access the domain shares like you would think that it would (no luck so far on that, at least not on NAS and Windows 2003 shares).  Then I could just run the batch as local system and not worry about it.

               

              I haven't seen domain computers fail to work unless the device was not on the domain.

               

              Also, if you choose "Run from source" you never lose access to the share for sure. However, if you download from source, you may be correct that after download you don't have access anymore. I am not sure there.

               

              Also, you still can test as local system, it is just a little harder in Windows 7.

              How to open a command prompt running as Local System on Windows 7?
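
A diagnostic for the questions raised in this thread, added here as an example and not posted by either participant: run in the same context as the failing task (for example as Local System), it records which account and bitness the process has, which copies of cmd.exe that process can see, and whether the share is readable. The share path `\\example.local\dfs\software` and the log file name are placeholders chosen for the example; `C:\software` is the folder named in the original post. It uses only calls available in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added diagnostic example (not from the thread). Run it in the context being
# tested, then read the log file it writes.
$share = '\\example.local\dfs\software'    # hypothetical DFS path; replace with your own
$log   = 'C:\software\context-check.log'   # folder from the original post; file name is an assumption

function Get-ContextReport {
    param([string]$SharePath)

    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    # Pointer size is 8 bytes in a 64-bit process, 4 in a 32-bit one
    $is64Proc = ([IntPtr]::Size -eq 8)
    # PROCESSOR_ARCHITEW6432 is only set for a 32-bit process on 64-bit Windows
    $isWow64  = [bool]$env:PROCESSOR_ARCHITEW6432

    $report = @()
    $report += "Account          : $($identity.Name)"
    $report += "Is Local System  : $($identity.IsSystem)"
    $report += "64-bit process   : $is64Proc"
    $report += "32-bit on 64-bit : $isWow64"

    # Sysnative is visible only to 32-bit processes on 64-bit Windows;
    # for those processes System32 is redirected to SysWOW64.
    foreach ($dir in 'System32', 'Sysnative', 'SysWOW64') {
        $cmd = Join-Path $env:windir "$dir\cmd.exe"
        $report += "{0,-40} exists: {1}" -f $cmd, (Test-Path -LiteralPath $cmd)
    }

    # Listing the share shows whether this account can authenticate to it
    try {
        $items = @(Get-ChildItem -LiteralPath $SharePath -ErrorAction Stop)
        $report += "Share $SharePath : readable, $($items.Count) entries"
    } catch {
        $report += "Share $SharePath : FAILED - $($_.Exception.Message)"
    }
    return $report
}

Get-ContextReport -SharePath $share | Out-File -FilePath $log -Encoding ASCII
```

Comparing the log from a normal logged-in session with the log from the Local System run shows whether the "file not found" error comes from file-system redirection or from share permissions.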