SMS: Software Installation on Windows NT with Su.exe

Last reviewed: April 15, 1997
Article ID: Q155419
The information in this article applies to:
  • Microsoft Systems Management Server, versions 1.0, 1.1 and 1.2

SUMMARY

This article describes a way to install software on Windows NT with Systems Management Server, using Su.exe.

This solution requires Su.exe from the Microsoft Windows NT Resource Kit. You need at least one Windows NT Resource Kit for your Systems Management Server environment. With this solution, and in your personal Systems Management Server environment (site structure) only, Su.exe can be used without violating the Windows NT Resource Kit License. For all other uses, the original Windows NT Resource Kit License is valid. Also, while a software installation that uses this procedure with Su.exe is running, a security problem may exist on the computer running Windows NT. This is described in more detail in the Description section. If you do not want to weaken your security during installation, or if you need a highly secure computer running Windows NT, do not use this solution.

MORE INFORMATION

When you install software with Systems Management Server on a computer running Windows NT Server or Workstation, some application installation programs make modifications to the Windows NT Registry. This behavior is application-dependent. In most cases, a nonprivileged user cannot install this type of software, because the user lacks the rights to access and modify specific keys in the Windows NT Registry. Giving the user full rights conflicts with security models. The Package Command Manager application PCMWIN32 in Systems Management Server is started by the user, and runs within the security context of the user. As previously stated, this may prevent a successful installation by a nonprivileged user.

Description

This solution uses a different approach to install software on computers running Windows NT than the installation of PCM as a service. This procedure uses the Windows NT Resource Kit Utility Su.exe, which is supported by Microsoft.

Su.exe can switch to a different user account during run time. This also enables the rights related to this account in the environment in which it is called. For this reason, the nonprivileged user must have additional rights in order to run Su.exe. After calling a privileged account, a software installation may be performed. In most cases, a short batch file is enough to start the installation; after the installation is done, it logs off the privileged user. This prevents the nonprivileged user from working with full privileges on the system.

However, during the run time of this batch file, security may be compromised on the computer running Windows NT. There is the risk that the nonprivileged user can interrupt the batch file and work with full privileges in the command shell that was opened for it. To keep the risk as low as possible, Microsoft recommends enabling Windows NT auditing, and controlling the account and the activities that are used with Su.exe. If you do not want to accept that risk, do not use this solution. Otherwise, follow the steps below.

The remainder of this article describes the preparation of common clients (normal Setup without changes to security), describes the distribution of Su.exe, and shows an example of an unattended Service Pack installation on Windows NT clients.

For more information on Su.exe, please see the Windows NT Resource Kit Tools Overview help file.

Steps to Perform to Use Su.exe

I. Client preparation (once)

   1. Open the Sites window in the Systems Management Server Administrator
      program. You must have full access to the program, and you must be a
      Domain Administrator.

   2. Expand the site tree on the right side of the screen, and double-
      click a domain.

   3. Open the PC Properties for a Windows NT client and go to the
      Windows NT Administrator properties, where you will find the User
      Manager. Open the User Manager.

   4. In the User Manager, open the Policies menu item, and go to User
      Rights.

   5. Open User Rights and click Show Advanced User Rights.

   6. Add the Domain User Group to the following rights:

       - Act as part of the operating system.

       - Increase Quotas.

       - Replace a process level token.

       - Restore files and directories.

      Close the User Manager.

   7. Go to the next client, and perform steps 3 to 6 until you have
      finished with all Windows NT clients in the domain. Adding the rights
      must be done only one time to prepare all the clients. After that,
      the rights do not depend on which user performs an installation.
      Be sure that newly installed clients are also configured in the same
      way.
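
An added example, not part of the original article: a Python check that reports when any of the four rights from step 6 is held by a broad group such as Domain Users, so the client preparation can be tracked and later reversed. It assumes the client's user-rights assignment is available in the INF text format that `secedit /export /areas USER_RIGHTS` writes on later Windows versions; the sample export and its SIDs are constructed.

```python
import re

# The four rights from step 6, keyed by privilege constant name.
SU_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeRestorePrivilege": "Restore files and directories",
}
# Broad well-known principals; Domain Users is matched by its RID (513).
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "Users"}
DOMAIN_USERS_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

def broad_name(principal):
    """Return a label if the principal is a broad group, else None."""
    p = principal.strip().lstrip("*")
    if DOMAIN_USERS_SID.match(p) or p.lower().endswith("\\domain users"):
        return "Domain Users"
    return BROAD_SIDS.get(p)

def find_broad_grants(inf_text):
    """List (right, group) pairs found in the [Privilege Rights] section."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        right, sep, holders = line.partition("=")
        if not in_section or not sep or right.strip() not in SU_RIGHTS:
            continue
        for holder in holders.split(","):
            if broad_name(holder):
                findings.append((right.strip(), broad_name(holder)))
    return findings

# Constructed sample: a client prepared as in step 6 (SIDs are made up).
SAMPLE = """[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-513
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513
SeAssignPrimaryTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-513
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-513
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

if __name__ == "__main__":
    for right, group in find_broad_grants(SAMPLE):
        print(f"{group} holds {right} ({SU_RIGHTS[right]})")
```
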

II. Su.exe Distribution (once)

   1. Copy Su.exe from the resource kit to a directory on your hard disk.

   2. Create a batch file called Install.cmd containing the following
      lines:

         @echo off
         rem Copy Su.exe into the Windows directory, then close the shell.
         copy su.exe %windir%
         exit

      Put this batch file into the same directory as Su.exe.

   3. Create a new workstation package and give it a name. Use the
      directory where Su.exe and Install.cmd are located as the source
      directory. Click New. Give the package a command name, and use
      Install.cmd as the command line. Choose the right platform for your
      copy of Su.exe. Close the package.

   4. Create a new job with a Jobtype of Workstation. Choose the package
      for your clients. Run Phase should be mandatory, to make sure that
      all Windows NT clients have Su.exe installed. Close Job Details and
      choose your schedule priority. After that, close the job and let
      Systems Management Server distribute and install the package. Check
      for completion, and verify that Su.exe is installed on the client.
      This procedure only needs to be performed once per client. Ensure
      that newly added clients also receive Su.exe.

Example: The Windows NT Service Pack

   1. For an unattended service pack (Windows NT 3.51 Service Pack 4 and
      higher) installation, copy the files in the I386 directory to a
      directory on the hard disk.

   2. Create a file called Sp.inf and a batch file called Install.cmd with
      the following content in the directory where your service pack files
      are located:

         @echo off
         rem Sp.inf supplies the password on standard input when Su.exe asks.
         su.exe -cb account < sp.inf "update.exe /u /x" domain
         exit

      Explanation of the batch file: Su.exe starts, without opening a new
      shell, as the fully privileged user "account" (Domain or Local
      Administrator Group Member) in the domain called "domain." The
      password for the account is located in the Sp.inf file, and it is
      piped in as soon as Su.exe asks for it. Through Sp.inf, you can keep
      the password for your user out of the batch file, instead of typing
      it there in clear text. Sp.inf must include only the password in
      ASCII text, and a carriage return after the password. The carriage
      return is necessary for Su.exe to accept the password. Note that
      Sp.inf itself holds the password as plain ASCII text in the package
      source directory, so anyone who can read that directory can read
      the password. After having all rights, Su.exe starts the file
      Update.exe from the service pack, with the parameters for an
      unattended setup, and restarts the computer after the completion of
      Setup. For more information, see the following article in the
      Microsoft Knowledge Base:

         ARTICLE-ID: Q148690
         TITLE     : SMS: Windows NT 3.51 Service Pack 4 PDF Availability

   3. Create a new workstation package and give it a name. Use the
      directory where the service pack files and Install.cmd are located as
      the source directory. Click New. Give the package a command name,
      and use Install.cmd as the command line. Choose the right platform
      for your Service Pack. Close the package.

   4. Create a new Job with a Jobtype of Workstation. Choose the package
      for your clients. Run Phase should be mandatory, to make sure that
      all Windows NT clients have the service pack installed. Close the Job
      Details, and choose your schedule priority. After that, close the job
      and let Systems Management Server distribute and install the package.
      Check regularly for completion and to ensure that the service pack is
      installed on the client.

   5. You can modify the batch file described in step 2 to install other
      applications that require full privileges to perform an installation.


Additional query words: prodsms reskit ntw
Keywords : kbenv kbnetwork kbsetup kbtool kbusage smsadmin smsinv
Version : 1.0 1.1 1.2
Platform : WINDOWS
Issue type : kbhowto


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.