PS script as logon script in GPO - credentials issue

This topic contains 3 replies, has 3 voices, and was last updated by Bojan Zivkovic 2 years, 3 months ago.

  • Author
    Posts
  • #18469
    Bojan Zivkovic
    Participant

    Hi, I want to deploy a PowerShell script to all Windows 7 machines in my domain as a logon script via GPO. That script does the following:

    1) if an app called celik is installed but is an old version, uninstall it and install the new version – checks both variants (x86 or x64 machine)
    2) if the app called celik is not installed, install the new version of it

    Script is here: https://onedrive.live.com/redir?resid=670BDDFCE8F2477A!416&authkey=!ALSNpvycBXPskqI&ithint=file%2cdocx

    My problem is that on the test client machine the script always runs under the credentials of the logged-on user, who is not a member of the local admin group, so uninstall/install of the celik app fails every time. I tried creating a PSCredential object for the local administrator account, but when I passed it to Start-Process msiexec.exe with -Credential $credential nothing happened on the client machine. Also, using private functions works well when the script is run locally from ISE on the client machine, but via GPO that does not work.

    NOTE: I also tried to deploy this script as a startup script via GPO, so the account under which the script was run should have been at least Local System, which should have rights to uninstall/install the app on the local machine – nothing happened, even though gpresult /r showed that the GPO was successfully applied to the computer.

  • #18470
    Don Jones
    Keymaster

    PowerShell might not be the best way to deploy the application. Have you considered using Group Policy itself, which has built-in abilities to run the installer under elevated credentials? You could also consider repackaging the installer so that it did not need elevated credentials, perhaps.

    GPO logon scripts run in a bit of an unusual environment, and they sometimes cause problems for installer packages.

  • #18516
    Daniel Krebs
    Participant

    Bojan,

    I think your first problem is that you're trying to get the MSI file from a file server. The computer account most likely does not have access. You need to grant access to the \Domain Computers group to the file system of the file share. The 2nd problem is that you're not telling Start-Process to wait for the Windows Installer processes to finish with the -Wait switch, which will result in a conflict and failure.

    Additionally, you'll need to post where you've configured the PowerShell script call in your GPO (a GPO report would be nice).

    Best,
    Daniel
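
The two points above (read access for the computer account on the share, and `-Wait` on `Start-Process`) combined in a computer startup script that runs as Local System, so no administrator credential is stored in the script. This is an added example, not part of the thread or the poster's script; the UNC path, target version and log path are placeholders, and it assumes celik ships as an MSI whose uninstall entry has a DisplayName containing "celik".

```powershell
# Added example: GPO computer startup script (runs as Local System, no stored credential).
# Assumptions (placeholders, not from the thread): $MsiPath, $TargetVersion, $LogFile.
$MsiPath       = '\\fileserver.example\deploy\celik.msi'  # share + NTFS must allow Domain Computers to read
$TargetVersion = [version]'2.0.0'                         # version of the new package (placeholder)
$LogFile       = Join-Path $env:windir 'Temp\celik-deploy.log'

function Write-Log($Message) {
    Add-Content -Path $LogFile -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

function Invoke-Msi([string[]]$Arguments) {
    # -Wait blocks until Windows Installer finishes, so uninstall and install never overlap.
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    Write-Log ("msiexec {0} -> exit code {1}" -f ($Arguments -join ' '), $p.ExitCode)
    return ($p.ExitCode -eq 0 -or $p.ExitCode -eq 3010)   # 3010 = success, reboot required
}

if (-not (Test-Path $MsiPath)) {
    Write-Log "Cannot read $MsiPath; check share and NTFS permissions for the computer account."
    exit 1
}

# Uninstall entries for native and 32-bit products (the Wow6432Node path exists only on x64).
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*celik*' }

foreach ($app in $installed) {
    # DisplayVersion may be missing or not parseable; treat that as an old version.
    $current = $null
    try { $current = [version]$app.DisplayVersion } catch { }
    if ($current -and $current -ge $TargetVersion) {
        Write-Log "celik $current already installed; nothing to do."
        exit 0
    }
    # For MSI-installed products the uninstall key name is the product code GUID.
    if ($app.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        if (-not (Invoke-Msi @('/x', $app.PSChildName, '/qn', '/norestart'))) { exit 1 }
    } else {
        Write-Log "Entry $($app.PSChildName) is not an MSI product code; skipping uninstall."
    }
}

if (-not (Invoke-Msi @('/i', "`"$MsiPath`"", '/qn', '/norestart'))) { exit 1 }
```

The log file gives a record of each msiexec exit code when a startup script appears to do nothing even though gpresult /r reports the GPO as applied.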

  • #18524
    Bojan Zivkovic
    Participant

    I solved my task by using EMCO Remote Installer Professional (trial period of 30 days), which has the ability to silently install/uninstall software on many remote computers in parallel. It is a much better way compared to GPOs since it does not require gpupdate /force nor restarting client computers . . . However, I will try the solution with GPO and check what you told me, and afterwards I will post the outcome of that. And Don, as always, you are right. PS is not the best way to deploy apps. Since this is a trivial task (practically run an .msi file on many remote computers in parallel), other ways might be more appropriate. This EMCO software is awesome and the price is not bad at all – 445 $ for an unlimited number of nodes.
