Running the script as System context and trigger in script part as User context

Prabhjot Singh 200 Reputation points
2024-08-26T06:56:03.1+00:00

We are deploying the package from SCCM as system context and the downloaded package should trigger a script as User context on devices. So, we have an application, the SaRa tool "SaRaCmd.exe", and the full command line is "SaRacmd.exe -S ResetOfficeActivation -AcceptEula -CloseOffice". The user has no admin rights on his device, and we are deploying the SaRa tool to sign out the user from M365 applications and clear the license for the user. But while running the app deployed from SCCM, the SaRa tool is unable to remove the user from the application.

What will be the steps we should follow to sign out the non-admin user from the M365 applications using the system-deployed package?

NOTE: Will it be possible to execute the script from SCCM in System context and run part of the code within the script in the logged-in user context?


2 answers

  1. MotoX80 33,296 Reputation points
    2024-08-26T13:19:04.4033333+00:00

    Is some user logged on to the desktop?

    I can't help you with SCCM, but in this question I demonstrated how to use the task scheduler to run one script as the system account and communicate with a second script that runs in the user context.

    https://learn.microsoft.com/en-us/answers/questions/246173/scheduled-task-to-launch-powershell-script-in-syst

    In your case, SCCM would run the server.ps1 script as the system account. It would define and run a scheduled task that executes as the user (schtasks /ru interactive). That would require that someone is logged on to the desktop.

    For that question, the author wanted to delay the processing that the system account performed, until the desktop user "clicked on ok". The 2 scripts "talk" to each other by creating files in a temp folder.

    If the SCCM experts can't offer an SCCM solution, you may be able to use this technique to accomplish the system/user processing split.
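    The file handshake described above, as an added example that is not part of this answer or of the linked thread: the SYSTEM-side script writes a small user-side script, registers a scheduled task under the Interactive group to run it, waits for a signal file the user-side script drops, and reads back nothing but an integer exit code. The folder names, the task name, the user.ps1 file and the five-minute timeout are my assumptions; the command line run as the user is the SaRacmd line from the question, with the exe path assumed to be relative to the package folder. It needs Windows PowerShell 5.1 or later with the ScheduledTasks module, and someone logged on to the desktop.

```powershell
# Added example, not MotoX80's script: SYSTEM-side half of the file handshake.
# Assumed names: folder under ProgramData, task name, user.ps1, done.txt, timeout.
$base       = Join-Path $env:ProgramData 'OfficeResetHandshake'
$signalDir  = Join-Path $base 'signal'          # the only place the user may write
$userScript = Join-Path $base 'user.ps1'        # written by SYSTEM, read by the user
$doneFile   = Join-Path $signalDir 'done.txt'   # user-side script drops this when finished
$taskName   = 'OfficeResetAsUser'
$exePath    = Join-Path $PSScriptRoot 'SaRacmd\SaRacmd.exe'   # assumed package layout

New-Item -ItemType Directory -Path $signalDir -Force | Out-Null
Remove-Item -Path $doneFile -ErrorAction SilentlyContinue

# Grant the interactive user Modify on the signal folder only. The script folder
# keeps its inherited ProgramData ACL, so a standard user can read user.ps1 but
# cannot replace a file that SYSTEM created.
$acl  = Get-Acl -Path $signalDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\INTERACTIVE', 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $signalDir -AclObject $acl

# The user-side script. SYSTEM writes it before the task exists, so the user
# never supplies code to this process; the user only reports an exit code back.
@"
`$p = Start-Process -FilePath '$exePath' -ArgumentList '-S ResetOfficeActivation -AcceptEula -CloseOffice' -Wait -PassThru -WindowStyle Hidden
Set-Content -Path '$doneFile' -Value `$p.ExitCode
"@ | Set-Content -Path $userScript -Encoding ASCII

# Register the task under the Interactive group, i.e. whoever is logged on.
Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue |
    Unregister-ScheduledTask -Confirm:$false
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$userScript`""
$principal = New-ScheduledTaskPrincipal -GroupId 'Interactive'
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName $taskName

# Wait for the signal file; give up after five minutes so SCCM gets a failure.
$deadline = (Get-Date).AddMinutes(5)
while (-not (Test-Path -Path $doneFile)) {
    if ((Get-Date) -gt $deadline) { throw "Timed out waiting for the user-context task." }
    Start-Sleep -Seconds 5
}

# Treat the file as data only: parse an integer, never dot-source or execute
# anything the user could have written into the shared folder.
$exitCode = 0
$raw = ([string](Get-Content -Path $doneFile -Raw)).Trim()
if (-not [int]::TryParse($raw, [ref]$exitCode)) {
    throw "Signal file did not contain an integer exit code: '$raw'"
}

Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
"User-context command returned exit code {0}" -f $exitCode
exit $exitCode        # surface the user-side result to the SCCM deployment
```

    The SYSTEM side trusts the signal file only as a status number; the logged-on user can stop the task or write any exit code into done.txt, so the SCCM detection method should check the actual state of the Office activation rather than rely on this exit code alone.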


  2. MotoX80 33,296 Reputation points
    2024-08-26T17:20:04.7+00:00

    If you don't need to interact with the user, but only run a program, then give this a try.

    For testing, I commented out your transcript and had the task run cmd.exe and simply delay for a bit.

    # This script runs as the SYSTEM account. 
    #$transcriptPath = Join-Path -Path $PSScriptRoot -ChildPath "OfficeResetActivation.log"
    #Start-Transcript -Path $transcriptPath
    try {
        # Define the path to SaRacmd.exe
        #$exePath = Join-Path -Path $PSScriptRoot -ChildPath "SaRacmd\SaRacmd.exe"
        $exePath = "c:\windows\system32\cmd.exe"
        # Look for an explorer process to ensure that someone is logged on to the desktop
        $timeout = 5                     # how many loops do we wait for a user
        $count = 0
        $wait4user = $true 
        while ($wait4user) {
            $count++                      # how many times have we looped through this
            if ($count -gt $timeout) {
                throw "We have waited too long for a user to log on."
            }
            $e = Get-Process -Name Explorer -ErrorAction SilentlyContinue
            if ($e.count -gt 0) {
                $wait4user = $false 
                "We found an Explorer process, someone is logged on."
            } else {
                "Sleeping"
                Start-Sleep -Seconds 60        # wait for a minute 
            } 
        }
        "We have a user."
        # Show which account owns the explorer.exe process, i.e. who is logged on
        Get-WmiObject Win32_Process -Filter 'Name="explorer.exe"' | % getowner | % user
        # Define the task name
        $taskName = "ResetOfficeActivation"
        # Delete it if it already exists
        Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$false
        # Create a scheduled task to run as the logged-in user
        #$action = New-ScheduledTaskAction -Execute $exePath -Argument "-S ResetOfficeActivation -AcceptEula -CloseOffice"
        $action = New-ScheduledTaskAction -Execute $exePath -Argument "/c timeout /t 30"
        $principal = New-ScheduledTaskPrincipal -GroupId "Interactive"
        # We don't need a trigger 
        $t = Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force
        # Start the task immediately
        Start-ScheduledTask -TaskName $taskName
        Write-Output "Scheduled task '$taskName' created and started."
        Start-Sleep -Seconds 2           # give it a few seconds to fire up
        $timeout = 20                    # how many loops do we wait for the task to finish 
        $count = 0
        $wait4user = $true 
        while ($wait4user) {
            $count++                      # how many times have we looped through this
            if ($count -gt $timeout) {
                throw "We have waited too long for the task to finish."
            }
            $t = Get-ScheduledTask -TaskName $taskName
            $t.State
            if ($t.State -eq "Ready") {
                $wait4user = $false 
                "Our task has finished."
            } else {
                Start-Sleep -Seconds 5        # wait five seconds before checking again
            } 
        }
        $TaskInfo = Get-ScheduledTaskInfo -TaskName $taskName
        "Last run time is {0}" -f $TaskInfo.LastRunTime
        "Task finished at {0}" -f (Get-Date) 
        "Return code is {0}" -f $TaskInfo.LastTaskResult
    } catch {
        # Log any errors that occur during the process
        Write-Error "An error occurred: $_"
    } finally {
        # Stop the transcript
        #Stop-Transcript
    }
    