3 Replies Latest reply on Sep 2, 2013 5:40 AM by C.Cyrille

    Fast & Easy Migrate GPO Package to Landesk

    C.Cyrille Rookie

      Hi everybody,

       

      We use LDMS 9.0 SP3, we try to find an easy and fast solution to migrate our 1000+ GPO (user-based) package script to Landesk.

      Our GPO are .msi who are execute a .cmd script on network with custom actions parameters

      We can migrate .msi in Landesk but there is a problem with admin rights :

       

      In case of GPO, at execution of .msi at the opening session of the user, there is no admin rights problem because there is an auto elevation of the user to admin right. So, the script can execute setup, modify file of system, change ACL on directory, delete icon in alluser directory, etc …

       

      In case of .msi transferred to Landesk, there is two choice to execute .msi : Execute with Landesk Admin account, or User logged in :

      If we choose User logged in, script fail to execute setup, change ACL, access to alluserdirectory, etc …

      If we choose Landesk Admin account, variable %USERNAME%,  %USERPROFILE%, %APPDATA%, network share, etc … are wrong.

       

      Rewrite every script to separate the part to execute by admin account, and part to execute by logged user is real time killer. (remind 1000+ script of ten years history and probability to make script errors).

       

      I’m looking for an easy solution to promote temporary admin, user who are executing the .msi transferred to Landesk like MakeMeAdmin (http://blogs.msdn.com/b/aaron_margosis/archive/2004/07/24/193721.aspx) but I loose silent install … and user need to know admin local password.

       

      Other way is to force %USERNAME%, %USERPROFILE , etc … when executing package by Landesk Admin Account by how easy automatising this?

       

      Do you have and idea? Thanks.

        • 1. Re: Fast & Easy Migrate GPO Package to Landesk
          Apprentice

          The LANDesk health check script will probably meet your need. It will run as the computer SYSTEM context during startup.

           

          http://community.landesk.com/support/docs/DOC-23053

           

          or, assign the advance agent MSI to the GPO (I don't recommend this option).

          • 2. Re: Fast & Easy Migrate GPO Package to Landesk
            synsa Specialist

            From your post I gather that you are migrating your distribution packages from GPO to Landesk and that some of the packages require editing user profile data?

             

            Both Landesk and GPO installs should both be using the SYSTEM account so I guess where I'm confused is, if you are using MSI then it should be installing the same.  Any variables / data changes to APPDATA, USERPROFILE, or HKCU should still be done by the MSI and the ALLUSERS=1 flag.

             

            I guess what I'm trying to understand is have you come up against an issue that your MSI's are no longer working and are just looking for a workaround of temporarily elevating user admin rights?  I have personally never attempted this type of workaround as it shouldn't be necessary.

             

            Let us know and hopefully can help sort the issue instead of forcing a workaround.

            1 of 1 people found this helpful
            • 3. Re: Fast & Easy Migrate GPO Package to Landesk
              C.Cyrille Rookie

              Thanks for answer,

               

              I’m looking for a workaround of temporarily elevating user admin rights.

               

              Our .msi are not real msi. Its “package” made by Windows Installer Wrapper Wizard for execute network script (.cmd).

               

              Here an example of a .cmd :

              - Install Setup from \\network …

              - Remove link in alluser startup menu and desktop

              - Create custom link in logged %username% startup menu

              - Import .reg in HKCU for auto configure application parameters

              - Copy files from network to %appdata% for auto configure applications parameters

              - Make xcals on %programfiles%\application to grant to %username% full access on application directory

              - Etc …

               

              Theses actions cant be executed by a limited user.

               

              I’m looking for launch .msi with admin rights but in the logged user environnement.

              I’m actually testing Psexec, Cpau, Xrunas, etc …but looking for the best “easy” solution.