Question
Saturday, May 4, 2019 8:44 PM
Hi,
I am trying to run a PowerShell script using an SCCM package with admin rights using the command line switch - "powershell.exe -executionpolicy bypass .\filename.ps1" but it is partially working for me. My script goes to Registry\HKLM and HKU to collect values, it works successfully for HKLM but doesn't collect any value for HKU because SCCM is running the script with NT Authority\SYSTEM. Does anyone have any idea how we can run the script from SCCM in logged user context with admin rights?
Please help!
All replies (6)
Saturday, May 4, 2019 10:30 PM
Hi
Try this command line instead
"%WINDIR%\Sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File filename.ps1"
Hope it helps!
Sunday, May 5, 2019 7:56 AM
Generally you wouldn't need admin rights to add keys or delete "things" from a user location be it file or registry.
You only really require elevated permissions when trying to change something system based.
You would need to target the user portion of the script separately and set to run in user context rather than system.
Sysnative will not help here.
https://www.thewindowsclub.com/sysnative-folder-in-windows-64-bit
Richard Knight | Collection Refresh Manager | Automate detection rules for patch \ msp files | Twitter
Sunday, May 5, 2019 3:35 PM
What keys within HKU are you specifically expecting to collect info from?
> Does anyone have any idea how can we run the script from sccm in logged user context with admin rights.
This cannot be done but does not need to be done in Windows (it has nothing to do with ConfigMgr).
See Richard's answer below for a possibly better path; however, without knowing more specific details, not much more can be said.
Jason | https://home.configmgrftw.com | @jasonsandys
Wednesday, May 8, 2019 8:09 AM
Hi Richard, Thanks for reply!
You are correct. Sysnative didn't help me here.
What actually the situation is - Using my script, I am storing registry values to variables from "HKU:\UserSID%\Software\Microsoft\Office\OfficeSubKeys%\Addins" and writing to WMI. So I need elevated prompt to create WMI table and write/delete data from there.
The major challenge arrives when I specifically query from HKU\UserSID% because I use the below script portion to get UserSID :
$cUser = New-Object System.Security.Principal.NTAccount($env:UserName)
$UserSID = $cUser.Translate([System.Security.Principal.SecurityIdentifier]).value
#and then
"HKU:\UserSID\Software\Microsoft\Office\OfficeSubKeys%\Addins"
The above variable returns user SID of NT Authority\System not for current user because I ran script as Admin rights in SCCM Package.
Now, as you have mentioned, I am also thinking to separate the script for admin part and user part.
Any other suggestion is appreciated.
Thanks,
Anil
Wednesday, May 8, 2019 8:26 AM
Hi Jason, Thanks for reply!
Richard is correct. Sysnative didn't help me here.
What actually the situation is - Using my script, I am storing registry values to variables from "HKU:\UserSID%\Software\Microsoft\Office\OfficeSubKeys%\Addins" and writing to WMI. So I need elevated prompt to create WMI table and write/delete data from there.
The major challenge arrives when I specifically query from HKU\UserSID% because I use the below script portion to get UserSID :
$cUser = New-Object System.Security.Principal.NTAccount($env:UserName)
$UserSID = $cUser.Translate([System.Security.Principal.SecurityIdentifier]).value
#and then use in HKU path to collect data to variable
"HKU:\UserSID\Software\Microsoft\Office\OfficeSubKeys%\Addins"
The above variable returns user SID of NT Authority\System not for current user because I ran script as Admin rights in SCCM Package.
In some of my scripts, I have used qser to get current logged on user but this didn't work here.
Now, as Richard has mentioned, I am also thinking to separate the script for admin part and user part.
Any other suggestion is appreciated.
Thanks,
Anil
Saturday, May 11, 2019 2:21 PM
> Richard is correct. Sysnative didn't help me here.
Yes, we knew that as this has nothing to do with OS or application architecture.
> Any other suggestion is appreciated.
An alternative is to iterate through all SIDs in HKU and add the necessary values. There are lots of samples on the web for this in both VBScript and PowerShell. This is also built into the PowerShell App Deployment Toolkit.
Jason | https://home.configmgrftw.com | @jasonsandys
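The approach suggested in the last reply (iterate through the SIDs under HKU instead of resolving $env:UserName, which is SYSTEM when the package runs elevated), as an added example that is not part of the original thread. The application names are an assumption standing in for the "OfficeSubKeys%" placeholder, and FriendlyName and LoadBehavior are the standard values found under an Office Addins key.

```powershell
# Added example: intended to run as SYSTEM (for instance from a ConfigMgr package).
# Reads per-user Office add-in keys from every user hive currently loaded under HKEY_USERS.
# Assumption: these app names replace the thread's "OfficeSubKeys%" placeholder.
$officeApps = 'Word', 'Excel', 'Outlook', 'PowerPoint'

# HKU is not one of the default registry PSDrives, so map it if it is missing.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Keep real user hives only: S-1-5-21-* (local/domain accounts) and S-1-12-1-* (Azure AD).
# This skips the *_Classes hives and built-in SIDs such as S-1-5-18 (SYSTEM).
$userSids = Get-ChildItem -Path 'HKU:\' |
    Select-Object -ExpandProperty PSChildName |
    Where-Object { $_ -match '^S-1-(5-21|12-1)-[\d-]+$' }

$results = foreach ($sid in $userSids) {
    # Resolve the SID to an account name for reporting; fall back to the raw SID
    # when the account can no longer be resolved (deleted or unreachable domain).
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $sid
    }
    foreach ($app in $officeApps) {
        $addinsKey = "HKU:\$sid\Software\Microsoft\Office\$app\Addins"
        if (-not (Test-Path -Path $addinsKey)) { continue }
        foreach ($addin in Get-ChildItem -Path $addinsKey) {
            $props = Get-ItemProperty -Path $addin.PSPath
            [pscustomobject]@{
                User         = $account
                Sid          = $sid
                Application  = $app
                AddinName    = $addin.PSChildName
                FriendlyName = $props.FriendlyName
                LoadBehavior = $props.LoadBehavior
            }
        }
    }
}
$results | Format-Table -AutoSize
```

Only hives that are loaded appear under HKU, so this covers users who are logged on when the script runs. Because the whole script stays in the SYSTEM context, the elevated part (writing the collected values to WMI) can consume $results directly.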