  1. #1

    Auto install of SIMS - UAC - securing the server share

    I don't want for much - just an automated install of SIMS.NET that allows UAC to be left on and a secured share of SIMS.NET on the server.

    I've seen some articles on edugeek relating to UAC, but no definitive answers. We don't use SOLUS3 by the way. I'm not sure if this is the fix to the UAC problem, but our support people don't support SOLUS3 at the moment, so I don't think that this is an option for us yet anyway.

    SIMS is new to me, so need a bit of advice.

    I have crafted a script in Kixtart which runs as a startup script for Windows 7 32 bit, which I'll share with you...

    use I: "\\adminsims\simshare"
    Shell(%COMSPEC% + ' /c start /wait i:\sims\setups\simsinfrastructuresetup.exe -a {QuietMode} {SIMSWorkstation} {FMSWorkstation}')
    Shell(%COMSPEC% + ' /c start /wait i:\sims\setups\simsapplicationsetup.exe /s {QuietMode} [SIMSDirectory]="I:\SIMS\" [SIMSDotNetDirectory]="C:\Program Files\SIMS\SIMS .net"')
    Shell(%COMSPEC% + ' /c start /wait i:\sims\setups\simsmanualsetup.exe /s {QuietMode} [SIMSDirectory]="I:\SIMS\" [SIMSDotNetDirectory]="C:\Program Files\SIMS\SIMS .net"')
    Shell(%COMSPEC% + ' /c start /wait i:\sims\setups\SIMSAMPARKSetup.exe /s {QuietMode} [SIMSDirectory]="I:\SIMS\" [SIMSDotNetDirectory]="C:\Program Files\SIMS\SIMS .net"')
    Copy $HomeFolder + "\" + $Package + "\Source\connect.ini" "c:\program files\sims\sims .net\connect.ini"
    Copy $HomeFolder + "\" + $Package + "\Source\SIMS.ini" "C:\Windows\SIMS.ini"


    If $OS="Win7"
    Shell('C:\Windows\System32\icacls.exe "C:\Program Files\Sims" /grant "admin\staff: (OI)(CI)F"')
    Shell('C:\Windows\System32\icacls.exe "' + %ALLUSERSPROFILE% + '\Start Menu\Programs\SIMS Applications" /grant "admin\staff: (OI)(CI)F"')
    Shell('C:\Windows\System32\icacls.exe "C:\Windows\Sims.ini" /grant "admin\staff:F"')
    Shell('"' + $HomeFolder + '\' + $Package + '\Source\SubInAcl.exe" /KEYREG HKEY_LOCAL_MACHINE\SOFTWARE\Classes /GRANT=admin\staff')
    Shell('"' + $HomeFolder + '\' + $Package + '\Source\SubInAcl.exe" /KEYREG HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID /GRANT=admin\staff')
    Shell('"' + $HomeFolder + '\' + $Package + '\Source\SubInAcl.exe" /KEYREG HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface /GRANT=admin\staff')
    Shell('"' + $HomeFolder + '\' + $Package + '\Source\SubInAcl.exe" /KEYREG HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib /GRANT=admin\staff')
    EndIf

    Shell(%COMSPEC% + ' /c ECHO Sims Installed > "C:\Program Files\SIMS\SIMS .net\installed.txt"')

    USE I: /DELETE

    -----

    This script has a wrapper, so it will run only the once, and $Homefolder and $Package are variables passed from the wrapper, so are declared.

    Hopefully if you deploy SIMS.NET already, you'll see what this script is up to. It deploys fine, and no UAC prompts or updates when you fire up SIMS, but what will happen on the next big update?

    Our SIMS.NET support line have so far been non-committal as to whether this will work with UAC turned on, and I really don't want to wait until the next update to find out!

    Anyone have any idea whether this script will work with UAC?

    On another point, our support line say that all SIMS users should have modify access to the server files, which I'd have thought was recipe for disaster.

    Anyone secured their server share?

    Thanks in anticipation.
    Last edited by digone52; 25th November 2011 at 08:06 PM.

  2. #2

    3s-gtech
    We have UAC turned on. SIMS is deployed with a batch file - it maps the drive as an install user, then runs the installers for the three main components from the SIMS server install directory (I don't run the infrastructure setup unless needing FMS). Permissions on C:\Program Files\SIMS.net are then changed to allow users to Modify, and that's it. Installs and updates fine. Basically, that seems to be exactly what your script is doing - you may find the odd workstation will play up and might need an admin logon to update, but should work generally.

    To help protect the share, hide the share mapped drive. Can't remember exactly what permissions we have set on it, but it's more open for admin (rather than teaching) staff.

  3. Thanks to 3s-gtech from:

    digone52 (26th November 2011)

  4. #3

    vikpaw
    You could try to trigger it on a test machine to run again, I think even if no update is needed it will just run those files anyway, because it knows no different.
    To make it more real, download the ISO from SupportNet and put newer versions of those files on a secret 'hidden to all but you' share and map to it with the I drive on that one test machine. Ideally, you have a test stafflike user to do it with, rather than your account so you can see impact of any other policies / restrictions too.

  5. Thanks to vikpaw from:

    digone52 (26th November 2011)

  6. #4

    Thanks for your help on this one.

    Having had the script run successfully on my PC, and I can see that the permissions are set correctly, but if I run the installers, I promptly get UAC kick in.

    For instance, if I run the following as myself from a command prompt...

    start /wait i:\sims\setups\simsmanualsetup.exe /s {QuietMode} [SIMSDirectory]="I:\SIMS\" [SIMSDotNetDirectory]="C:\Program Files\SIMS\SIMS .net"

    ... UAC prompts, and I have done a ProcMon capture of what is going on, and I get the log below (I didn't let the installer go beyond a UAC prompt)...

    capture1.gif

    I can't see anything in this capture where simsmanualsetup.exe is trying to access something it can't.

    I'm a bit stumped over this one at the moment.

  7. #5

    vikpaw
    What if you run as admin the command prompt then do it?
    With win 7 there is that issue with the user that things are done as, so you can actually have two mappings to the same drive, under different security contexts.
    I can't find the exact thread, but it should also be on M$ site too.
    This thread may help a little.

    EDIT: forgot to paste! Sims install windows 7 problem (unable to write to shared directory "(S:\SIMS)"
    Last edited by vikpaw; 26th November 2011 at 09:26 AM. Reason: add link

  8. #6

    If I start a command prompt running as administrator and kick off simsmanualinstall.exe, the install happens fine.

    Just to clarify, we are heading into a situation where the vast majority of our users are not local administrators, and I want to leave UAC on. I think that there are very good reasons why we should have both of these.

    I also want the initial setup of SIMS.NET to be automated. It obviously needs to be done under the context of an administrator, so hence the startup script above.

    With every post I have seen, it has not been absolutely clear that anyone has got SIMS.NET working in this scenario.

    Thanks.

  9. #7

    Michael
    My understanding is that UAC has to be turned off for SIMS. It just won't install properly with it enabled (using the GUI method).

    It can also create problems with Anti-Virus software too. You can't install the Sophos Enterprise Console with UAC enabled.

    I think the other problem you may run into is updating SIMS when future releases spring up. As a result I just disable UAC as recommended.

  10. Thanks to Michael from:

    digone52 (26th November 2011)

  11. #8


    Quote: Originally Posted by digone52
    if I run the installers, I promptly get UAC kick in.
    This is probably caused by the application manifest embedded in the installers (shown below is the one from SIMSInfrastructureSetup.exe). There is a way to force the installer to run with different privileges using Microsoft's Application Compatibility Toolkit, but I haven't tried this myself.

    Code:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
       <ms_asmv2:security>
          <ms_asmv2:requestedPrivileges>
             <ms_asmv2:requestedExecutionLevel
             level="requireAdministrator"
             />
          </ms_asmv2:requestedPrivileges>
       </ms_asmv2:security>
    </ms_asmv2:trustInfo>
    </assembly>
    Manifest files can include the requestedElevationLevel tag that specifies a value defining the level of privilege the application should be launched with. The three values are:

    asInvoker
    The application runs with the same token as the parent process.

    highestAvailable
    The application runs with the highest privileges the current user can obtain. If the user is a standard user, elevation will not be attempted; if the user is a protected administrator, elevation will be triggered.

    requireAdministrator
    The application runs only for administrators and requires that the application be launched with the full token of an administrator. (Sources: [1] [2])

  12. Thanks to Arthur from:

    digone52 (26th November 2011)
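
Added example, not part of the original thread and not SIMS or Microsoft code: a way to check which installers on a share declare an elevation level, by reading the embedded manifest and applying the three definitions quoted in post #8. The function names, the byte-scan heuristic and the "standard"/"admin" labels are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# An embedded manifest sits in the .exe as plain XML text, so a byte scan finds
# it without a full PE resource parser (a heuristic chosen for this example).
MANIFEST_RE = re.compile(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly>", re.DOTALL)

# Behaviour with UAC on, following the three definitions quoted in the post.
OUTCOME = {
    "asInvoker": {"standard": "inherits the parent's token",
                  "admin": "inherits the parent's token"},
    "highestAvailable": {"standard": "runs without elevation",
                         "admin": "triggers elevation"},
    "requireAdministrator": {"standard": "needs an administrator's full token",
                             "admin": "triggers elevation"},
}


def requested_levels(data: bytes) -> list:
    """Return the 'level' of every requestedExecutionLevel element found."""
    levels = []
    for match in MANIFEST_RE.finditer(data):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # bytes that only look like a manifest
        for el in root.iter():
            # Compare local names: the prefix and asm.v2/asm.v3 namespace vary.
            if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel" and el.get("level"):
                levels.append(el.get("level"))
    return levels


def report(name: str, data: bytes, user: str = "standard") -> str:
    """One-line verdict for a 'standard' or 'admin' (protected administrator) user."""
    levels = requested_levels(data)
    if not levels:
        return f"{name}: no requestedExecutionLevel declared"
    outcome = OUTCOME.get(levels[0], {}).get(user, "unrecognised level")
    return f"{name}: {levels[0]} -> {outcome}"


# Constructed sample: filler bytes around the manifest quoted in the post.
SAMPLE = (b"MZ" + b"\x00" * 64 + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
          b'<ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security>'
          b'<ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel level="requireAdministrator"/>'
          b'</ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly>' + b"\x00" * 16)

if __name__ == "__main__":
    # For a real file: report(path, open(path, "rb").read())
    print(report("SIMSInfrastructureSetup.exe (sample)", SAMPLE))
```
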

  13. #9

    Hi Michael. Thanks for your reply.

    When you say as recommended, Our support company have just told me to turn UAC off if I have problems - i.e. a suck it and see approach, which I did not find very helpful to be honest, but I have not heard that Capita recommend turning it off. Is this their official line?

    Will Solus 3 help with this situation anyone know?

    I have not yet looked into the functionality of SIMS.NET yet, and I'm sure it is very capable, but from a setup perspective the words "dogs dinner" spring to mind!

    I guess I could move systems where users are local administrators into an OU with a group policy to enable UAC, and move systems where users are not local administrators into a different OU where UAC is disabled by policy.

  14. #10

    vikpaw
    SOLUS 3 would help, because it installs as a different user with privilege. Similarly, couldn't you invoke the script overnight, not under the user context. Then you can use whichever elevated privileges are required to get the upgrade done. Leaving the local groups, and UAC settings untouched.

  15. #11

    Arthur - thanks for the info, really interesting. Looks like it forces administrator then.

    vikpaw - I did wonder whether I could do something like forcing a reinstall once SIMS.NET has been updated through the scripts, but the problem is that we are using laptops which are usually hibernated, so I can't see how I could force the update as an administrator equivalent since there is no certainty that computers are started on the network after an update.
    Last edited by digone52; 26th November 2011 at 12:47 PM.

  16. #12

    Michael
    Quote: Originally Posted by digone52
    Hi Michael. Thanks for your reply.

    When you say as recommended, Our support company have just told me to turn UAC off if I have problems - i.e. a suck it and see approach, which I did not find very helpful to be honest, but I have not heard that Capita recommend turning it off. Is this their official line?
    I liaise with Link2ICT (in Birmingham) and it was their recommendation to disable UAC. You can easily do this with a GPO and SIMS then works perfectly on Windows 7 SP1 x86. I have tried installing SIMS with UAC enabled and it is problematic. I wouldn't recommend it and as I say, speaking from experience, disabling UAC does allow SIMS to work correctly.

  17. #13


    Quote: Originally Posted by Michael
    disabling UAC does allow SIMS to work correctly
    As @vikpaw mentioned, isn't this fixed with SOLUS3? There is a service called "Solus3Agent" which installs updates under the LocalSystem account.

    Disabling UAC isn't a particularly good idea because it also disables many useful features including file-system and registry virtualization, Internet Explorer's protected mode, the Secure Desktop, UI Privilege Isolation, UAC remote restrictions etc.

  18. #14

    It does look like I'm going to have to find out more about SOLUS 3, even though our support don't currently use it, and in the meantime switch off UAC if that's what it takes. As you say Arthur, it isn't a good idea, but I think necessary in the short term to get SIMS upgrading unless there is an avenue I have not explored.

    Presumably I can leave UAC enabled on the few users who are local admins?

  19. #15

    Michael
    I agree, Solus3 is certainly worth looking at, but I'm not currently using that as yet.

    A lot more schools are now taking the register through Sims, so it's installed on every workstation. Of course the same upgrades apply throughout the year, so it's important this can happen as smoothly as possible.

    I was under the impression Solus3 simply automated upgrades, so theoretically, UAC would still create problems. You could argue Capita just need to make Sims compatible with Windows 7 in a default state. I also remember reading on these very forums about a proper Sims MSI, but this never materialised.
