Run Script with special User

Hello, I would like to run the script with a special user, which has permissions in our Active Directory to create SEC groups. Normally, the toolkit is running in the system account.

I would not write any password into the script.

How can I change this?

Thx

If you are running your script using SCCM/ConfigMgr you can run the script as the current user by changing the targeting to a user collection instead of a device collection. You would also need to change the ToolKitRequireAdmin setting in the AppDeployToolkitConfig.xml file to False.

<Toolkit_RequireAdmin>False</Toolkit_RequireAdmin>

The user(s) that this application is deployed to would also need to have the rights to create the AD Groups in question for this to work.


Thanks for the answer, but I need to change it so that the script is running under a special account. When I assign the package to a user, this will not solve my problem with rights in AD.

Is it not possible to set which user should run the script?

Thx

Can you describe your scenario in more detail?
Why do you need to create an AD group while installing an application? Or are you repurposing PSADT for a different task?

You could possibly achieve it using something like this:
Start-Process -FilePath $PathToRun -Verb RunAs

I have a script running on a newly installed server. It changes some settings and is working fine.

But with the AD part I have problems running with the System account:
Steps are:
→ Create AD groups for administrator and RDP (on local DC)
→ Add AD group to Administrator and RDP group (local)

Therefore I would like the script to run with an account which has local rights and also permissions in AD (already present).

thx

You should be using Group Policy for that


I think there are better ways of achieving this.
Using Group Policy Preferences to Manage the Local Administrator Group - Microsoft Community Hub


To add an existing SEC group, yes, but in my script I would like to create the group in AD first.

So a new server runs the SCCM package with configs, and in that script:

  1. Create AD group
  2. Add created AD group to local groups

The script is working, but I need to change the user which is running the script.

I’m pretty certain PSADT is not the tool for this and neither are the deployment tools you are using.

Deployment tools such as Intune or SCCM will (in general) run the install as SYSTEM (if you want the application to install with administrative rights) or as the logged-on user (if no special rights are required).
What you are trying to do is not what these tools are intended for.
You can game it by deploying a script to run as a specific user, but I’d strongly advise against this, as you would inevitably need to pass a user name / password combination to run this - probably leaving a cyber security risk in your wake.

As both @JFP and I have suggested, what you are doing should be done using the proper tools / method for this - including Group Policy.
You are unlikely to find an exact solution to your problem here.

You could try to create a scheduled task running as that special AD user to install.

Or

Give the computer accounts the required permissions in AD.
Then you could run PSADT as SYSTEM on those machines.

As for local group memberships, I would recommend Adrian’s GPO idea.
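The following is an added example, not code posted in this thread or shipped with PSADT, showing what the "delegate rights to the computer account and stay as SYSTEM" approach looks like in practice, so no user name or password ever goes into the script. It assumes the ActiveDirectory RSAT module is installed on the server, that the computer account (or an AD group the new servers belong to) has been delegated only "Create Group objects" on one target OU, and that the OU distinguished name and the group naming scheme below are placeholders to adapt.

```powershell
# Added example (not from the thread): create the per-server AD groups and add
# them to the local Administrators / Remote Desktop Users groups while the
# PSADT package runs as SYSTEM. AD calls are authenticated with the computer
# account (DOMAIN\HOSTNAME$), so no credential is stored in the script.
# Assumptions: RSAT ActiveDirectory module present; computer account delegated
# "Create Group objects" on $TargetOU; OU and names below are placeholders.

#Requires -Modules ActiveDirectory

$TargetOU     = 'OU=ServerGroups,DC=example,DC=local'   # placeholder OU
$ComputerName = $env:COMPUTERNAME
$Groups = @(
    @{ Name = "SRV-$ComputerName-Admins"; LocalGroup = 'Administrators' }
    @{ Name = "SRV-$ComputerName-RDP";    LocalGroup = 'Remote Desktop Users' }
)

# Sanity check: when running as SYSTEM the AD cmdlets use the computer account,
# which is the only principal we delegated rights to. Anything else means the
# package is not being run the way the delegation was designed for.
$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($Identity -ne 'NT AUTHORITY\SYSTEM') {
    Write-Warning "Running as $Identity, not SYSTEM; AD calls will use that account's rights."
}

foreach ($Entry in $Groups) {
    # Idempotent: reuse the group if a previous run already created it.
    $AdGroup = Get-ADGroup -Filter "Name -eq '$($Entry.Name)'" -SearchBase $TargetOU
    if (-not $AdGroup) {
        $AdGroup = New-ADGroup -Name $Entry.Name `
                               -GroupScope DomainLocal `
                               -GroupCategory Security `
                               -Path $TargetOU `
                               -PassThru
        Write-Verbose "Created AD group $($AdGroup.DistinguishedName)"
    }

    # Add the domain group to the local group by SID so the step does not
    # depend on name resolution of a group that was created seconds ago.
    $GroupSid = $AdGroup.SID.Value
    $AlreadyMember = Get-LocalGroupMember -Group $Entry.LocalGroup -ErrorAction SilentlyContinue |
                     Where-Object { $_.SID.Value -eq $GroupSid }
    if (-not $AlreadyMember) {
        Add-LocalGroupMember -Group $Entry.LocalGroup -Member $GroupSid
        Write-Verbose "Added $($AdGroup.Name) to local group $($Entry.LocalGroup)"
    }
}
```

The delegation is the security control here: the computer account gets create rights on a single OU and nothing else, so a compromised server cannot create groups elsewhere or modify existing ones. If the local security authority happens to talk to a different domain controller than the one New-ADGroup wrote to, the Add-LocalGroupMember call can fail until replication catches up; re-running the script is safe because both steps check for existing state first.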

I solved it with a task sequence. There you can assign a different user.

Thank you for your support here.
