Microsoft KB Archive/155419

The information in this article applies to:

 * Microsoft Systems Management Server, versions 1.0, 1.1 and 1.2

SUMMARY
This article describes a way to install software on Windows NT with Systems Management Server, using Su.exe.

This solution requires Su.exe from the Microsoft Windows NT Resource Kit. You need at least one Windows NT Resource Kit for your Systems Management Server Environment. With this solution, and in your personal Systems Management Server environment (Site structure) only, Su.exe can be used without violating the Windows NT Resource Kit License. For all other uses, the original Windows NT Resource Kit License is valid. Also, during runtime of a software installation that uses this procedure with Su.exe, a security problem may exist on the computer running Windows NT. This is described in more detail in the description section. If you do not want to violate your security during installation, or if you need a highly secure computer running Windows NT, do not use this solution.

MORE INFORMATION
When you want to install software with Systems Management Server on a computer running Windows NT Server or Workstation, some application installation programs make modifications to the Windows NT Registry. This behavior is application-dependent. In most cases, it is not possible for a nonprivileged user to install this type of software, due to the lack of rights to access and modify specific tables in the Windows NT registry. Giving the user full rights conflicts with security models. The Package Command Manager application PCMWIN32 in Systems Management Server is started by the user, and runs within the security context of the user. As previously stated, this may prevent a successful nonprivileged user installation.

Description
This solution uses a different approach to install software on computers running Windows NT than the installation of PCM as a service. This procedure uses the Windows NT Resource Kit Utility Su.exe, which is supported by Microsoft.

Su.exe can switch to a different user account during run time. This also enables the rights related to this account in the environment in which it is called. For this reason, the nonprivileged user must have additional rights in order to run Su.exe. After calling a privileged account, a software installation may be performed. In most cases, a short batch is enough to start the installation; after the installation is done, it logs off the privileged user. This prevents the nonprivileged user from working with full privileges on his system. However, during the run time of this batch, security may be compromised on the computer running Windows NT. There is the risk that the nonprivileged user can interrupt the batch and work with full privileges in the command shell that was opened for the batch file. To keep the risk as low as possible, Microsoft recommends enabling Windows NT auditing, and controlling the account and the activities that are used with Su.exe. If you do not want to accept that risk, don't use this solution. Otherwise, follow the steps below. The remainder of this article describes the preparation of common clients (normal Setup without changes to security), describes the distribution of Su.exe, and shows an example of an unattended Service Pack installation on Windows NT clients.

For more information on Su.exe, please see the Windows NT Resource Kit Tools Overview help file.

Steps to Perform to Use Su.exe
I. Client preparation (once)

1. Open the Sites window in the Systems Management Server Administrator program. You must have full access to the program, and you must be a Domain Administrator.

2. Expand the site tree on the right side of the screen, and double-click a domain.

3. Open the PC Properties for a Windows NT client and go to the Windows NT Administrator properties, where you will find the User Manager. Open the User Manager.

4. In the User Manager, open the Policies menu item, and go to User Rights.

5. Open User Rights and click Show Advanced User Rights.

6. Add the Domain User Group to the following rights:

- Act as a part of the operating system.

- Increase Quotas.

- Replace a process level token.

- Restore files and directories.

Close the User Manager.

7. Go to the next client, and perform steps 3 to 6 until you have finished with all Windows NT clients in the domain. Adding the rights must be done only one time to prepare all the clients. After that, the rights apply regardless of which user performs an installation. Be sure that newly installed clients are also configured in the same way.

II. Su.exe Distribution (once)

1. Copy Su.exe from the resource kit to a directory on your hard disk.

2. Create a batch file called Install.cmd containing the following lines:

    @echo off
    copy su.exe %windir%
    exit

Put this batch file into the same directory as Su.exe.

3. Create a new workstation package and give it a name. Use the directory where Su.exe and Install.cmd are located as the source directory. Click New. Give the package a command name, and use Install.cmd as the command line. Choose the right platform for your copy of Su.exe. Close the package.

4. Create a new job with a Jobtype of Workstation. Choose the package for your clients. Run Phase should be mandatory, to make sure that all Windows NT clients have Su.exe installed. Close Job Details and choose your schedule priority. After that, close the job and let Systems Management Server distribute and install the package. Check for completion, and verify that Su.exe is installed on the client. This procedure only needs to be performed once per client. Ensure that newly added clients also receive Su.exe.

Example: The Windows NT Service Pack
1. For an unattended service pack (Windows NT 3.51 Service Pack 4 and higher) installation, copy the files in the I386 directory to a directory on the hard disk.

2. Create a file called Sp.inf and a batch file called Install.cmd with the following content in the directory where your service pack files are located:

    @echo off
    su.exe -cb account < sp.inf "update.exe /u /x" domain
    exit

Explanation of the batch file: Su.exe starts, without opening a new shell, as the fully privileged user "account" (Domain or Local Administrator Group Member) in the domain called "domain." The password for the account is located in the Sp.inf file, and it is piped in as soon as Su.exe asks for it. Through Sp.inf, you can hide the password for your user, and not type it in clear text into the batch file. Sp.inf must only include the password in ASCII text, and a carriage return after the password. The carriage return is necessary for Su.exe to accept the password. Sp.inf itself still holds the password as plain ASCII text in the package source directory, so anyone who can read that directory can read the password. After having all rights, Su.exe starts the file Update.exe from the service pack, with the parameters for an unattended setup, and restarts the computer after the completion of Setup. For more information, see the following article in the Microsoft Knowledge Base:

    ARTICLE-ID: Q148690
    TITLE     : SMS: Windows NT 3.51 Service Pack 4 PDF Availability

3. Create a new workstation package and give it a name. Use the directory where the service pack files and Install.cmd are located as the source directory. Click New. Give the package a command name, and use Install.cmd as the command line. Choose the right platform for your Service Pack. Close the package.

4. Create a new Job with a Jobtype of Workstation. Choose the package for your clients. Run Phase should be mandatory, to make sure that all Windows NT clients have the service pack installed. Close the Job Details, and choose your schedule priority. After that, close the job and let Systems Management Server distribute and install the package. Check regularly for completion and to ensure that the service pack is installed on the client.

5. You can modify the batch file described in step 2 to install other applications that require full privileges to perform an installation.
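
One way to check which clients still grant the four rights from part I, step 6 to a broad group, as an added example that is not part of the original article. It assumes the rights assignment is available as text in the [Privilege Rights] INF format that secedit /export writes on later Windows versions (not a tool this article uses); the sample export, its domain SID and the EXAMPLE domain name are constructed.

```python
# Constant names Windows uses for the four rights granted in part I, step 6.
RISKY_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeRestorePrivilege": "Restore files and directories",
}
# Broad principals; Domain Users is any domain SID ending in RID 513.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "Users"}
BROAD_NAMES = {"everyone", "authenticated users", "users", "domain users"}

def broad_label(principal):
    """Return a group label if the principal is a broad group, else None."""
    p = principal.strip().lstrip("*")
    if p in BROAD_SIDS:
        return BROAD_SIDS[p]
    if p.startswith("S-1-5-21-") and p.endswith("-513"):
        return "Domain Users"
    name = p.split("\\")[-1].lower()
    return name.title() if name in BROAD_NAMES else None

def audit_rights(inf_text):
    """Return sorted (right, group) findings from the [Privilege Rights] section."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            right = RISKY_RIGHTS.get(key.strip())
            labels = [broad_label(p) for p in value.split(",")] if right else []
            findings += [(right, lab) for lab in labels if lab]
    return sorted(findings)

# Constructed sample export (domain SID and domain name are made up).
SAMPLE = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-513
SeIncreaseQuotaPrivilege = *S-1-5-32-544,EXAMPLE\Domain Users
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-545
"""

if __name__ == "__main__":
    for right, group in audit_rights(SAMPLE):
        print(f"{group} holds '{right}'")
```

Any finding for a client that no longer receives packages through Su.exe means the step 6 rights were never withdrawn.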

Last reviewed: April 15, 1997

© 1998 Microsoft Corporation. All rights reserved.