I’ve been struggling with something for quite some time now.
The boss wants a directory in our fileserver, that he will put program installation files in, all can read and only he can modify.
He wants client workstations to have a script that reads the directory and shows the user what files are there. Then the user, which is a normal domain user (without the ability to install anything), would be able to click install and it would install it.
The idea behind it is to have local admin at the user’s station and have the script know the local admin’s password and then install the program on the user’s computer with those local admin credentials.
This is a very problematic issue because I cannot see how I can secure it without storing the local admin password inside the script, which is a very bad thing.
I tried to think about encrypting the password somehow and converting the script to an executable, but I cannot see a way that a user that knows a little bit about computers wouldn’t be able to decompile the executable. If I use PowerShell encryption, it would be suited for one machine and one user only.
Then I thought of another way: making a call from the client workstation to the filer and then making the filer use psexec back to the user, but this is getting too spaghetti.
Then I thought about making a call from the user’s computer to the filer and then from the filer back to the user using invoke-command, but I need to allow WinRM to all the clients.
I’m using PowerShell for this. Maybe someone here has done something similar and can advise me on how to do that securely.
The first option worked great, so I would like to stick with it if possible, but I have to figure out how to secure this thing and not just put credentials in a PowerShell script that sits on the user’s computer.
This sounds like a job for Group Policy software deployment. This gets around the issue of users lacking administrative rights.
By publishing a package, it will make the software available to users under Control Panel (as opposed to just automatically installing it).
Add-WindowsCapability -Name "Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0" -Online
From here on out, your boss is ready to start copying installers to the Software share and modifying the software deployment GPO accordingly (though, he'll need to be guided initially). And it's all without local machine or domain admin privileges and a (reasonably) easy experience for all involved!
You could even make things easier for end users and your boss by pushing out shortcuts directly to where they need to go. Installation of Group Policy Management console could also be automated if this needs to scale up to more administrative users or if your boss roams around multiple machines.
Answered by Luke Humberdross on November 14, 2021
I see two approaches.
Still reading? Okay. It can be done.
Be warned though, that many installation programs are rather dumb, they will install the program for use by the user which installs the program (i.e. your installer user) and not for the user logged in in the foreground. Some installers can be parametrized to install to "all users", which will probably do, for the others you'll have to make your script smarter so it can add "all required settings, licenses(!), icons, whatever a program needs to function" into the foreground user's profile after the software's installer has finished.
There is absolutely no legit way to have a user account perform the task. If there was any way a user can elevate his privileges to administrator without knowing an administrator password or being given administrative rights by an administrator, any user could do anything any time, which is almost equivalent to running all user accounts as administrators all the time.
Now you need some additional script, web GUI, whatever you like, which lets the user choose from the software on the server, probably check whether the user has permissions to have the software installed, and probably whether the user's computer meets the requirements for the installation (Hardware? Free disk space? ...) to succeed. Then you'll have to store that information in a location where your background installer can read it. A simple list on the server will do.
Finally the background script will periodically access that list and trigger the installers.
Let me say that what you have in mind is programming an automated software distribution facility. There are commercial tools available which do it, one is even built-in Windows Active Directory and comes for free. I don't know how many years and money the developers have sunk in each, to get to a point where their installers master many (most? all? some?) of the many installer variants used by various Windows software. At first they may look expensive per client, but I doubt that you'll be able to beat any commercial solution in terms of cost, reliability, features, documentation and community support with anything you'll be able to make in Powershell.
Answered by Nimral on November 14, 2021
2 Asked on December 24, 2020
0 Asked on December 24, 2020 by victor-nascimento
0 Asked on December 24, 2020 by vu-thanh-vinh
2 Asked on December 24, 2020 by t7e
3 Asked on December 24, 2020 by nextgenneo
4 Asked on December 24, 2020 by josh-m
0 Asked on December 23, 2020 by ram619
1 Asked on December 23, 2020
3 Asked on December 23, 2020 by user402434
1 Asked on December 22, 2020 by needgpuhelp
3 Asked on December 22, 2020 by nuno
8 Asked on December 22, 2020 by dizzley
4 Asked on December 22, 2020 by dirdi
2 Asked on December 21, 2020 by scoopsahaagendazs
0 Asked on December 21, 2020 by daiwik-kashyap
1 Asked on December 21, 2020 by ex-umbris
0 Asked on December 21, 2020 by kidfrom
1 Asked on December 21, 2020
Get help from others!