Friday, June 20, 2008

Introducing User Profile Wizard 3.0 - Part III

Running additional programs as an Administrator

One of the options that was introduced with User Profile Wizard 2.5 was to be able to run a "follow-on" file - a script or an .exe - in the security context of the local administrator account specified by the /LOCALADMIN command line parameter. This has proved very useful for customers who need to carry out additional tasks using admin permissions. With User Profile Wizard 3.0 we have beefed up this functionality.

To be honest, we didn't have much choice. Because 3.0 supports "push" migrations to remote machines, we had to find a way of running any script or executable someone specifies remotely on that machine. Not only that, but we had to make sure Vista's UAC (User Account Control) technology didn't get in the way. The result is that User Profile Wizard 3.0 can run an application interactively on a user's desktop without the user being prompted to "elevate" the process.

To show how this works, let's try to run something that requires Administrator permissions: Vista's Windows Firewall Settings. Normally, of course, you would never want to do this as part of your migration! However, it is as good an example as any. If you run FirewallSettings.exe (and you are not the administrator) you will see this:

Or, if you are not an administrator at all, this:

If we are running an additional process as part of a workstation migration we definitely do not want the user to be bothered by these UAC prompts.

To get User Profile Wizard 3.0 to run a follow-on file we need to give it some information: the Administrator credentials with an encrypted password, the path of the file we want to run, and a security hash of the file to guarantee that only that file gets run - unchanged - and no other file. Details on how to create the hash are in the User Guide. We just need to add this information to the profwiz.config file:

Note that in this example these are the only settings that are required: we don't have to migrate a profile or join a domain to get profwiz.exe to run the executable for us - although normally we would be running a follow-on file as part of a migration process. In fact, to stop profwiz trying to join the machine to a domain we set the "NoJoin" parameter here to "True."

The other parameter to note is the "NoGUI" parameter under "Advanced Settings." Generally, if you just type "Profwiz.exe" at the command line, User Profile Wizard will start up in GUI mode. Here we don't want that to happen: we want profwiz to just process the config file, and "NoGUI" makes that happen. Now if you type "Profwiz.exe" at the command line, or even just double-click the Profwiz icon, what you get is "Windows Firewall Settings" - and no UAC prompts. You get this even if you are just a regular user with no administrator credentials at all: the credentials are in the file.
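The security hash described above pins the follow-on file so that only the unchanged file runs with the stored administrator credentials. As an added example (not User Profile Wizard's own code, and not its config format), this PowerShell sketch shows the same verify-then-run idea; the function name `Invoke-PinnedFile`, the demo file name and the choice of SHA-256 are assumptions, since the page does not say which hash the product uses.

```powershell
# Added example, not User Profile Wizard code. SHA-256 is an assumption:
# the page does not say which hash algorithm the product uses.
function Invoke-PinnedFile {
    param(
        [Parameter(Mandatory)][string]$Path,            # follow-on file to run
        [Parameter(Mandatory)][string]$ExpectedSha256,  # pinned digest, hex
        [switch]$VerifyOnly                             # check without launching
    )
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath

    # FileShare.Read lets others read the file but blocks writes, renames and
    # deletes while this handle is open, so the file cannot be swapped between
    # the hash check and the launch.
    $stream = [System.IO.File]::Open($full, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $actual = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''

        # Compare the whole digest; hex case and stray whitespace are not significant.
        $expected = $ExpectedSha256 -replace '\s', ''
        if ($expected.Length -ne 64 -or $actual -ine $expected) {
            throw "Hash mismatch for '$full' (got $actual). Refusing to run it."
        }
        if (-not $VerifyOnly) {
            # Launch while the handle is still held.
            Start-Process -FilePath $full -Wait
        }
        return $true
    }
    finally {
        $sha.Dispose()
        $stream.Dispose()
    }
}

# Constructed demo: pin a scratch file, then modify it and check again.
$demo = Join-Path $env:TEMP 'followon-demo.cmd'
Set-Content -LiteralPath $demo -Value '@echo follow-on task' -Encoding Ascii
$pin = (Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash
Invoke-PinnedFile -Path $demo -ExpectedSha256 $pin -VerifyOnly
Add-Content -LiteralPath $demo -Value 'echo modified after pinning'
try { Invoke-PinnedFile -Path $demo -ExpectedSha256 $pin -VerifyOnly }
catch { Write-Warning $_.Exception.Message }
Remove-Item -LiteralPath $demo
```

The pin only helps if the pinned value itself is protected: anyone who can edit both the follow-on file and the place the hash is stored can re-pin a modified file.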

Want to run the file on a remote machine? No problem...

profwiz /COMPUTER machinename

Of course, in this case FirewallSettings.exe is a Vista-specific application, so machinename needs to be a Vista machine, but generally this does not need to be the case.

The example here has been a little bit contrived because normally you wouldn't just want to run a file - you would want to migrate a machine. However, I hope that you can see the power that User Profile Wizard can give you over your workstations.

You can check out User Profile Wizard 3.0 for yourself here.

