Not sure I understood this part (services.exe does not work on your
runtime?? why IE mentioned here?).
The customer has specified that Internet Explorer must not be in the build
and the Control Panel\Administrative Tools\Services UI will not work without
it.
Why you just don't set Administrator option in he DUA component settings? Or
you're saying that if yo set the option, DUA still runs as "Default User"?
This is weird then. I'd check out if DUA gets installed properly (FBA log,
system log).
Setting the DUA component to start services as administrator causes the
service to be registered to run as the .\Administrator user but not to start
in the deployed image. There are no problems reported in any logs except to
indicate that the DUA service could not start.
Anyway.. to automate service config at run time you can always use sc.exe
tool from NT Resource Kit.
If you want to change the account the service runs under, use a command like
"sc.exe <ServiceName> config obj=<AccoutName> password=<AccountPassword>".
Sorry, forgot about the existence of sc (been working 24/7 lately).
Running 'sc start duagent' says The service did not start due to a logon
failure. This is obviously because no password is specified for that user
in the DUA component definition. Looking thru the properties for the DUA
component shows that there are several places where a password could be
specified (in advanced properties and service properties). Putting the
correct password into any/all of those locations still does not allow DUA to
run as the administrator user.
In the build running 'sc config duagent obj= .\Administrator password=
*****' returns success. However running 'sc start duagent' afterwards still
says The service did not start due to a logon failure. The same thing
occurs when it is run after a reboot.
If I use the Services UI to set the password (in a debug build that has IE
in it) then DUA will start running as the administrator user. Running 'sc
config' to change the service password after that has been done correctly
allows the password to be changed and the DUA service will start if the
password supplied by sc is correct and not if it is incorrect. If I then
delete the DUA service and re-create it using sc (providing the
administrator account settings) it is possible to successfully
start/stop/configure the service using sc. However doing the same thing
before using the Services UI to set the password does not allow DUA to run
with administrator privileges. This seems to indicate that the Services UI
adds some persistent data to the system that is not lost when the DUA
service is deleted. This is inherited by the new DUA service created by sc
allowing it to run without problems.
Have you tried using DALOGONWITHPROFILE option (next to password) ?
Yes. The command is still not executed and the logs show the same error.
Are you able to use "runas" command to run you msiexec manually as a
different user?
Added 'runas' to the image and executed 'runas /env
/user:.mymachine\administrator cmd' as per help. This gave me the clue as
to how the DUA execute command should be structured. Using the DUA command
.....
EXECUTE,,DANO,,c:\windows\system32\cmd.exe,,c:\windows\system32\cmd.exe /k
set,,,,administrator,,mymachine,,****,,,,c:\windows\system32,1,,WinSta0\Defa
ult
Caused the command prompt to appear as per the runas utility. So rebuilt
image with no debug components and re-ran DUA as 'LocalSystem'. Unchanged
DUA script would not cause command prompt to appear. Added 'runas'
component to image. DUA script executed correctly causing the command
prompt to appear with the correct user privileges.
!!!! VICTORY !!!! DUA now runs my batch scripts with administrator
privileges.
LESSONS LEARNED
------------------------
There seems to be no way (that I can find) to get DUA to run with anything
other than with LocalSystem privileges without using the Services UI to set
it to run with .\Administrator user privileges.
To use the EXECUTE command in a DUA script you must have the 'RunAs Service'
component installed or you always get a 'Service Not Installed' error
message logged when DUA executes the command.
In the DUA script your EXECUTE command must specify 'mymachine' in the
domain field when using local user accounts.
Debugging DUA scripts in an image configuration that does not have Internet
Explorer in it is a pain in the *** .
Many thanks to all those who helped!
David