
Running Win2K without Admin Rights

Novell Cool Solutions: Trench


Posted: 21 Oct 2004

Question: Rick L. wrote: Our workstation users running Win2K (about 800) do not have local administrative rights. We have been unsuccessful in trying to "ZEN" out the newest NAL agent upgrade. Can you help? (White paper, TID, etc.) I've been out on the Cool Solutions site but have not located any articles that apply.

Answer: OPEN CALL: Hmm, we don't have anything on this. Anyone out there that can help Rick?


    Brian Baillie

    The Novell Application Launcher doesn't have the rights because its application launcher service is broken. The workstation manager still has the rights if you know how to use it. The solution is to use the command "nalntsrv.exe install start" from a batch file that is run as a scheduled action from a workstation policy. The process is detailed in TID 10066849. The batch file is the charm. As well, use a drive letter in the batch file to the public directory where the workstation has rights. If the workstation isn't registered or doesn't have rights, then place every required file in the Windows temporary directory via an application object without elevation of privilege and execute the batch file from there with the scheduled action.

    This is a bit too wordy, but: read the TID, create the batch file, create the policy, define the scheduled action, associate the policy and release the hounds.

    James Moots

    Create an MSI application in ZENworks as per the instructions that come with the agent. Additionally, configure the MSI to run as 'Unsecure System User'. This will allow the app the privileges it needs on the workstation. While I'm doing this on XP, the premise is the same and should work the same on 2000.

    Rolf Lidvall

    1. Take a look at this: launchcondition.jpg

    2. Read this.

    3. Read this.

    4. And this.

    Gilles Normandeau

    Here's a way that should work. Create a NAL object that will:

    1. Push the registry keys (see TID 10052847) that will turn auto admin login on for "Workstation only" using a local admin account.
    2. Push the new MSI install file, a registry file to remove autologin settings and shutdown.exe to reboot the workstation. SHUTDOWN.EXE is a utility available in the Windows 2000 Resource Kit.
    3. Push a batch file to the "All Users" startup directory on the local machine which will remove the old agent, install the new one and restore the registry.

    Here is how to make it work. The NAL object can be set for an after-hours start and will push down the necessary files and registry settings then force a reboot. When the workstation reboots, it will auto login locally using the admin account you specified and start running the batch file.

    The batch file will run the uninstall string for the existing agent, reboot, install the new agent, reboot, restore the registry, delete the batch file and reboot.


    In this example, let's say that we pushed the files (Z4Agent.MSI, ALOFF.reg, shutdown.exe) to c:\Z4Aup and a batch file called ZAG.bat to "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\".

    To keep track of what has been done, the batch file can write files that it checks before continuing, as in the following example:

    @echo off
    REM Stage 1: remove the old agent (skipped once rmAgent.tag exists).
    IF EXIST c:\Z4Aup\rmAgent.tag GOTO INSTALL
    echo Old Agent removed>c:\Z4Aup\rmAgent.tag
    msiexec.exe /x <uninstall string for old agent>
    REM Reboots the workstation if the removal does not force a reboot;
    REM if the removal does force one, do not include this line.
    c:\Z4Aup\shutdown.exe -r
    REM PAUSE included to prevent the next step from starting before the reboot.
    PAUSE
    :INSTALL
    REM Stage 2: install the new agent (skipped once NewAgent.tag exists).
    IF EXIST c:\Z4Aup\NewAgent.tag GOTO RESTORE
    echo New Agent Installed>c:\Z4Aup\NewAgent.tag
    msiexec.exe /i c:\Z4Aup\Z4Agent.msi
    REM Reboots the workstation if the install does not force a reboot.
    c:\Z4Aup\shutdown.exe -r
    PAUSE
    REM For the above two steps, find which command line switches are
    REM required for a "quiet" and unattended execution: /q perhaps?
    :RESTORE
    REM Stage 3: restore the registry, reboot and remove this batch file.
    regedit /s C:\Z4Aup\ALOFF.reg
    C:\Z4Aup\shutdown.exe /r /t:10
    del "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZAG.bat"
    REM After this, the cleanup should be complete.

    For the last section of the above batch file, shutdown.exe will reboot the workstation after a ten-second delay and the registry file ALOFF.reg contains the following:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

    I hope you find this information useful. We used the above format for upgrading to IE6 unattended.

    Blandon Ray

    Installing the ZENworks Management Agent to Workstations Without Administrator Rights

    One of the problems that everyone faces when first installing ZENworks is that in an environment without desktop management software, you usually start with the workstations in a very un-manageable state. The network I administer is a perfect example of this: some workstations are in a Windows domain and some are not, some have different local administrator passwords, some have "back-door" help desk accounts and some don't, and on and on.

    Most of the submitted tips sent to this Open Call got me part of the way there, but none quite finished the job - probably because most of them assumed a baseline of having at least an older version of ZEN installed, which I did not (thus, for instance, I couldn't run NAL out of the PUBLIC folder on the server).

    Ultimately I was able to cobble together a solution that uses bits and pieces of those tips (especially the one from Gilles Normandeau), some info from TID 10085696, and a few more things I came up with myself. The heart of it is a free utility called CPAU (Create Process As User) which is available from its author here:

    This solution consists of a series of batch files and a login script routine. In short, it creates a local hidden directory on the workstation, tests whether the workstation is in a Windows domain, and if it is, logs in accordingly. If the workstation is not in the domain, one batch file tests several different password possibilities using a NET USE command, and writes the successful password to a text file in the hidden directory. Another batch file runs CPAU, which authenticates using the password file and kicks off the MSI to install the agent. Finally, one more batch file cleans up the mess. The batch files and script excerpt are included.

    This isn't the prettiest solution in the world, and it will certainly require some adaptation to other environments, and it won't help you if you don't at least know what the local administrator password MIGHT be. But it does (finally) solve the chicken-and-egg problem of getting the agent installed.

    EXAMPLE: Included are: the login script excerpt, all of the batch files (filecopy.bat, insdom.bat, inslocal.bat, netuse1.bat, filedel.bat), and the registry entry file (done.reg).

    ***** START Login Script Excerpt *****
    ; Zenworks agent auto install - begin
    ; This bit tests to see if the workstation is registered, and skips to the end if it is.
    REGREAD "HKLM,SOFTWARE\Novell\Workstation Manager,Registration Agent"
    IF "%99" = "zenwsreg.dll" THEN
       WRITE "Workstation registered."
       GOTO FIN
    ; This bit checks for a registry key which we should have written if the install procedure was already done.
    IF "%99" = "1" THEN
       WRITE "ZENworks install already completed."
       GOTO FIN
    ; This bit copies files to a local hidden directory (which it creates and hides if necessary).
    WRITE "Please wait a moment..."
    ; This bit skips the testing for passwords if the workstation is in the domain (according to the environment variable).
    ; This bit tests possibilities for local admin password and writes to local text file.
    ; This bit reads the resulting admin password and uses CPAU to pipe it into the MSI install.
    ; If successful, a registry flag is written so that the install will not repeat before the WS registers itself.
    WRITE "Beginning ZENworks software installation."
    #regedit /s c:\_zen\done.reg
    ; This bit does the same as above, but with a domain username/password (see top).
    WRITE "Beginning ZENworks software installation."
    #regedit /s c:\_zen\done.reg
    ; Now we're done.
    write "Installation finished."
    ***** END Login Script Excerpt *****
    ***** START filecopy.bat *****
    REM This file creates a local directory, hides it, and copies installation files to it.
    md c:\_zen
    attrib +h c:\_zen
    copy \\zenserver\zen\packages\zfdmgmt\zfdagent.msi c:\_zen
    copy \\zenserver\zen\packages\zfdmgmt\cpau.exe c:\_zen
    copy \\zenserver\zen\packages\zfdmgmt\done.reg c:\_zen
    ***** END filecopy.bat *****
    ***** START insdom.bat *****
    REM This file uses CPAU to install the ZEN MSI with a known domain admin account.
    REM Note command line switches; see CPAU docs for more information.
    @echo ZENworks management software is being installed.
    @echo Your computer may restart. Please do not close this window.
    @c:\_zen\cpau -u DOMAINNAME\domainadmin -p domainpassword -ex "msiexec.exe /i c:\_zen\zfdagent.msi /qn REBOOT=\"ReallySuppress\" STARTUP_APPEXPLORER=1" -profile -wait -cwd c:\_zen
    ***** END insdom.bat *****
    ***** START inslocal.bat *****
    REM This file uses CPAU to install the ZEN MSI with a local password written by NETUSE1.BAT.
    REM Note command line switches; see CPAU docs for more information.
    @echo ZENworks management software is being installed.
    @echo Your computer may restart. Please do not close this window.
    @c:\_zen\cpau -u administrator -ex "msiexec.exe /i c:\_zen\zfdagent.msi /qn REBOOT=\"ReallySuppress\" STARTUP_APPEXPLORER=1" -profile -pipepwd -wait -cwd c:\_zen <c:\_zen\pass.txt
    ***** END inslocal.bat *****
    ***** START netuse1.bat *****
    REM This file uses a NET USE command to test for each possible local administrator password.
    REM When a NET USE command succeeds, the resulting password is written to the hidden folder and the batch exits.
    REM As far as I know there is no limit to the number of passwords tested, but only two are included here.
    REM NET USE sets ERRORLEVEL 0 on success, so only a successful attempt writes the file.
    net use w: \\%COMPUTERNAME%\ADMIN$ password1 /USER:%COMPUTERNAME%\administrator /persistent:no >NUL 2>NUL
    IF NOT ERRORLEVEL 1 (
       ECHO password1>c:\_zen\pass.txt
       rem ECHO Password is number 1.
       GOTO LAST
    )
    net use w: \\%COMPUTERNAME%\ADMIN$ password2 /USER:%COMPUTERNAME%\administrator /persistent:no >NUL 2>NUL
    IF NOT ERRORLEVEL 1 (
       ECHO password2>c:\_zen\pass.txt
       rem ECHO Password is number 2.
       GOTO LAST
    )
    :LAST
    ECHO Batch execution finished.
    ***** END netuse1.bat *****
    ***** START filedel.bat *****
    REM This file removes anything that was written to the hidden directory by the other files.
    IF EXIST c:\_zen\pass.txt (
       del c:\_zen\pass.txt
       del c:\_zen\zfdagent.msi
       del c:\_zen\done.reg
       echo Files removed.
    )
    ***** END filedel.bat *****
    ***** START done.reg *****
    Windows Registry Editor Version 5.00
    ***** END done.reg *****

    If you have any questions you may contact Blandon at
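
Both the auto-logon procedure and the CPAU procedure above place administrator passwords in the registry or in script files while the install runs, so a post-deployment check that none remain is useful. The following Python check is an added example, not part of the original posts or of any Novell tooling; the function names and sample data are constructed, and `AutoAdminLogon` and `DefaultPassword` are the standard Windows auto-logon value names, which the page itself does not list.

```python
import re

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
CPAU_INLINE = re.compile(r"\bcpau(?:\.exe)?\b.*?\s-p\s+\S+", re.I)
NETUSE_INLINE = re.compile(r"\bnet\s+use\s+\S+\s+\\\\\S+\s+[^/\s]\S*\s+/user:", re.I)

def audit_winlogon_export(reg_text):
    """Report auto-logon residue in a regedit export (.reg text) of the Winlogon key."""
    findings, in_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == WINLOGON
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_key and m:
            name, value = m.group(1).lower(), m.group(2)
            if name == "autoadminlogon" and value == "1":
                findings.append("AutoAdminLogon is still enabled")
            elif name == "defaultpassword" and value:
                findings.append("DefaultPassword still holds a cleartext password")
    return findings

def audit_batch_text(batch_text):
    """Return (line number, reason) for lines that carry a password on the command line."""
    findings = []
    for no, line in enumerate(batch_text.splitlines(), 1):
        if CPAU_INLINE.search(line):
            findings.append((no, "cpau -p password on command line"))
        elif NETUSE_INLINE.search(line):
            findings.append((no, "net use password on command line"))
    return findings

# Constructed sample: Winlogon export taken before ALOFF.reg has been applied.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"DefaultPassword"="ExamplePassw0rd"
'''
# Constructed sample modelled on insdom.bat, inslocal.bat and netuse1.bat (placeholder passwords).
SAMPLE_BAT = r'''@c:\_zen\cpau -u DOMAINNAME\domainadmin -p domainpassword -ex "msiexec.exe /i c:\_zen\zfdagent.msi /qn" -profile -wait
@c:\_zen\cpau -u administrator -ex "msiexec.exe /i c:\_zen\zfdagent.msi /qn" -profile -pipepwd -wait <c:\_zen\pass.txt
net use w: \\%COMPUTERNAME%\ADMIN$ password1 /USER:%COMPUTERNAME%\administrator /persistent:no
'''

if __name__ == "__main__":
    print(audit_winlogon_export(SAMPLE_REG), audit_batch_text(SAMPLE_BAT))
```

The `-pipepwd` line is not flagged because its password comes from `pass.txt` rather than the command line, so the presence of that file on a workstation after cleanup has to be checked separately.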
