SMS: Software Installation on Windows NT with Su.exe
Last reviewed: April 15, 1997
Article ID: Q155419
The information in this article applies to:
SUMMARY

This article describes a way to install software on Windows NT with Systems Management Server, using Su.exe. This solution requires Su.exe from the Microsoft Windows NT Resource Kit. You need at least one Windows NT Resource Kit for your Systems Management Server Environment. With this solution, and in your personal Systems Management Server environment (Site structure) only, Su.exe can be used without violating the Windows NT Resource Kit License. For all other uses, the original Windows NT Resource Kit License is valid. Also, during runtime of a software installation that uses this procedure with Su.exe, a security problem may exist on the computer running Windows NT. This is described in more detail in the description section. If you do not want to violate your security during installation, or if you need a highly secure computer running Windows NT, do not use this solution.
MORE INFORMATION

When you want to install software with Systems Management Server on a computer running Windows NT Server or Workstation, some application installation programs make modifications to the Windows NT Registry. This behavior is application-dependent. In most cases, it is not possible for a nonprivileged user to install this type of software, due to the lack of rights to access and modify specific tables in the Windows NT registry. Giving the user full rights conflicts with security models. The Package Command Manager application PCMWIN32 in Systems Management Server is started by the user, and runs within the security context of the user. As previously stated, this may prevent a successful nonprivileged user installation.
Description

This solution uses a different approach to install software on computers running Windows NT than the installation of PCM as a service. This procedure uses the Windows NT Resource Kit Utility Su.exe, which is supported by Microsoft. Su.exe can switch to a different user account during run time. This also enables the rights related to this account in the environment in which it is called. For this reason, the nonprivileged user must have additional rights in order to run Su.exe. After calling a privileged account, a software installation may be performed. In most cases, a short batch is enough to start the installation; after the installation is done, it logs off the privileged user. This prevents the nonprivileged user from working with full privileges on his system.

However, during the run time of this batch, security may be compromised on the computer running Windows NT. There is the risk that the nonprivileged user can interrupt the batch and work with full privileges in the command shell that was opened for the batch file. To keep the risk as low as possible, Microsoft recommends enabling Windows NT auditing, and controlling the account and the activities that are used with Su.exe. If you do not want to accept that risk, don't use this solution. Otherwise, follow the steps below.

The remainder of this article describes the preparation of common clients (normal Setup without changes to security), describes the distribution of Su.exe, and shows an example of an unattended Service Pack installation on Windows NT clients. For more information on Su.exe, please see the Windows NT Resource Kit Tools Overview help file.
Steps to Perform to Use Su.exe

I. Client preparation (once)
1. Open the Sites window in the Systems Management Server Administrator
program. You must have full access to the program, and you must be a
Domain Administrator.
2. Expand the site tree on the right side of the screen, and double-
click a domain.
3. Open the PC Properties for a Windows NT client and go to the
Windows NT Administrator properties, where you will find the User
Manager. Open the User Manager.
4. In the User Manager, open the Policies menu item, and go to User
Rights.
5. Open User Rights and click Show Advanced User Rights.
6. Add the Domain User Group to the following rights:
- Act as a part of the operating system.
- Increase Quotas.
- Replace a process level token.
- Restore files and directories.
Close the User Manager.
7. Go to the next client, and perform steps 3 to 6 until you have
finished with all Windows NT clients in the domain. Adding the rights
must be done only one time to prepare all the clients. After that,
the rights are independent from which user performs an installation.
Be sure that newly installed clients are also configured in the same
way.
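
An added example, not part of the original article: a check for whether the four rights from step 6 are held by Domain Users or another broad group on a client. It assumes the user rights policy has been exported to the INF layout written by `secedit /export`, a later Windows tool the article does not mention; the function names and sample SIDs are constructed for illustration.

```python
import re
# The four advanced user rights from step 6, by Windows privilege constant.
ARTICLE_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeRestorePrivilege": "Restore files and directories",
}
# Broad well-known SIDs; every domain's Domain Users group has RID 513.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

def broad_holder(principal):
    """Return a group label if the principal is a broad group, else None."""
    p = principal.strip().lstrip("*")
    if p in BROAD_SIDS:
        return BROAD_SIDS[p]
    if DOMAIN_USERS.match(p) or p.lower().endswith("domain users"):
        return "Domain Users"
    return None

def audit_privilege_rights(inf_text):
    """Return sorted (privilege, group) pairs where a broad group holds a listed right."""
    findings, section = set(), None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        if name.strip() not in ARTICLE_RIGHTS:
            continue
        for holder in holders.split(","):
            label = broad_holder(holder)
            if label:
                findings.add((name.strip(), label))
    return sorted(findings)

# Constructed sample export (assumed secedit INF layout; not from a real machine).
SAMPLE = r"""[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-513
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeRestorePrivilege = *S-1-5-32-544,EXAMPLE\Domain Users
SeBackupPrivilege = *S-1-1-0
"""
for priv, group in audit_privilege_rights(SAMPLE):
    print(f"{priv} ({ARTICLE_RIGHTS[priv]}) is held by {group}")
```

Any finding means every member of that group can run Su.exe with these rights on that client, which is the exposure the Description section asks you to control and audit.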
II. Su.exe Distribution (once)
1. Copy Su.exe from the resource kit to a directory on your hard disk.
2. Create a batch file called Install.cmd containing the following
lines:
@echo off
copy su.exe %windir%
exit
Put this batch file into the same directory as Su.exe.
3. Create a new workstation package and give it a name. Use the
directory where Su.exe and Install.cmd are located as the source
directory. Click New. Give the package a command name, and use
Install.cmd as the command line. Choose the right platform for your
copy of Su.exe. Close the package.
4. Create a new job with a Jobtype of Workstation. Choose the package
for your clients. Run Phase should be mandatory, to make sure that
all Windows NT clients have Su.exe installed. Close Job Details and
choose your schedule priority. After that, close the job and let
Systems Management Server distribute and install the package. Check
for completion, and verify that Su.exe is installed on the client.
This procedure only needs to be performed once per client. Ensure
that newly added clients also receive Su.exe.
Example: The Windows NT Service Pack
1. For an unattended service pack (Windows NT 3.51 Service Pack 4 and
higher) installation, copy the files in the I386 directory to a
directory on the hard disk.
2. Create a file called Sp.inf and a batch file called Install.cmd with
the following content in the directory where your service pack files
are located:
@echo off
su.exe -cb account < sp.inf "update.exe /u /x" domain
exit
Explanation of the batch file: Su.exe starts, without opening a new
shell, as the fully privileged user "account" (Domain or Local
Administrator Group Member) in the domain called "domain." The
password for the account is located in the Sp.inf file, and it is
piped in as soon as Su.exe asks for it. Through Sp.inf, you can hide
the password for your user, and not type it in clear text into the
batch file. Sp.inf must only include the password in ASCII text, and
a carriage return after the password. The carriage return is
necessary for Su.exe to accept the password. After having all rights,
Su.exe starts the file Update.exe from the service pack, with the
parameters for an unattended setup, and restarts the computer after
the completion of Setup. For more information, see the following
article in the Microsoft Knowledge Base:
ARTICLE-ID: Q148690
TITLE : SMS: Windows NT 3.51 Service Pack 4 PDF Availability
3. Create a new workstation package and give it a name. Use the
directory where the service pack files and Install.cmd are located as
the source directory. Click New. Give the package a command name,
and use Install.cmd as the command line. Choose the right platform
for your Service Pack. Close the package.
4. Create a new Job with a Jobtype of Workstation. Choose the package
for your clients. Run Phase should be mandatory, to make sure that
all Windows NT clients have the service pack installed. Close the Job
Details, and choose your schedule priority. After that, close the job
and let Systems Management Server distribute and install the package.
Check regularly for completion and to ensure that the service pack is
installed on the client.
5. You can modify the batch file described in step 2 to install other
applications that require full privileges to perform an installation.
© 1998 Microsoft Corporation. All rights reserved.