Running the script as System context and trigger in script part as User context

Question

Running the script as System context and trigger in script part as User context

Prabhjot Singh 255

We are deploying the package from SCCM as system context and downloaded package should trigger in script as User context on devices. So, we have an application SaRa tool "SaRaCmd.exe" and full command line is "SaRacmd.exe -S ResetOfficeActivation -AcceptEula -CloseOffice. The user has no admin rights in his device, and we are deploying the sara tool to signout the user from m365 applications and clear the lincense for the user. But while running the app deployed from sccm the SaraTool is unable to remove the user from the application

What will be the steps we should follow to sign-out the non admin user from the M365 applications using the system deloyed package?

NOTE: Will be possible to execute the Script from SCCM in System Context and run part of the code within the script in logged in user context.

Accepted answer

1 additional answer

Your answer

Answer 1

If you don't need to interact with the user, but only run a program, then give this a try.

For testing, I commented out your transcript and had the task run cmd.exe and simply delay for a bit.

# This script runs as the SYSTEM account. 
#$transcriptPath = Join-Path -Path $PSScriptRoot -ChildPath "OfficeResetActivation.log"
#Start-Transcript -Path $transcriptPath
try {
	# Define the path to SaRacmd.exe
	#$exePath = Join-Path -Path $PSScriptRoot -ChildPath "SaRacmd\SaRacmd.exe"
    $exePath = "c:\windows\system32\cmd.exe"
    # Look for an explorer process to insure that someone is logged on to the desktop
    $timeout = 5                     # how long do we wait for a user
    $count = 0
    $wait4user = $true 
    while ($wait4user) {
        $count++                      # how many times have we looped through this
        if ($count -gt $timeout) {
            throw "We have waited too long for a user to log on."
        }
        $e = Get-Process -Name Explorer -ErrorAction SilentlyContinue
        if ($e.count -gt 0) {
            $wait4user = $false 
            "We found an Explorer process, someone is logged on."
        } else {
            "Sleeping"
            Start-Sleep -Seconds 60        # wait for a minute 
        } 
    }
    "We have a user."
    Get-WmiObject Win32_Process -f 'Name="explorer.exe"'  |%  getowner  |% user
    # Define the task name
    $taskName = "ResetOfficeActivation"
    # Delete it if it already exists
    get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$false
    # Create a scheduled task to run as the logged-in user
    #$action = New-ScheduledTaskAction -Execute $exePath -Argument "-S ResetOfficeActivation -AcceptEula -CloseOffice"
    $action = New-ScheduledTaskAction -Execute $exePath -Argument "/c timeout /t 30"
    $principal = New-ScheduledTaskPrincipal -GroupId "Interactive"
    # We don't need a trigger 
    $t = Register-ScheduledTask -TaskName $taskName -Action $action  -Principal $principal -Force
    # Start the task immediately
    Start-ScheduledTask -TaskName $taskName
    Write-Output "Scheduled task '$taskName' created and started."
    Start-Sleep -Seconds 2           # give it a few seconds to fire up
    $timeout = 20                    # how many loops do we wait for the task to finish 
    $count = 0
    $wait4user = $true 
    while ($wait4user) {
        $count++                      # how many times have we looped through this
        if ($count -gt $timeout) {
            throw "We have waited too long for the task to finish."
        }
        $t = Get-ScheduledTask -TaskName $taskName
        $t.State
        if ($t.State -eq "Ready") {
            $wait4user = $false 
            "Our task has finished."
        } else {
            Start-Sleep -Seconds 5        # wait for a minute 
        } 
    }
    $TaskInfo = Get-ScheduledTaskInfo -TaskName $taskName
    "Last run time is {0}" -f $TaskInfo.LastRunTime
    "Task finished at {0}" -f (get-date) 
    "Return code is {0}" -f $TaskInfo.LastTaskResult
} catch {
	# Log any errors that occur during the process
    Write-Error "An error occurred: $_"
} finally {
	# Stop the transcript
	#Stop-Transcript
}

Simon Ren-MSFT 40,341 Reputation points Microsoft External Staff

2024-09-11T09:04:19.4666667+00:00

Thanks for your help!

Answer 2

MotoX80 36,291

Is some user logged on to the desktop?

I can't help you with SCCM, but in this question I demonstrated how to use the task scheduler to run one script as the system account and communicate with a second script that runs in the user context.

https://learn.microsoft.com/en-us/answers/questions/246173/scheduled-task-to-launch-powershell-script-in-syst

In your case, SCCM would run the server.ps1 script as the system account. It would define and run a scheduled task that executes as the user (schtasks /ru interactive). That would require that someone is logged on to the desktop.

For that question, the author wanted to delay the processing that the system account performed, until the desktop user "clicked on ok". The 2 scripts "talk" to each other by creating files in a temp folder.

If the SCCM experts can't offer an SCCM solution, you may be able to use this technique to accomplish the system/user processing split.

Prabhjot Singh 255 Reputation points

2024-08-26T13:47:03.18+00:00
@MotoX80

Thanks for your response, currently we have two machines with logged in user. One machine contains Admin User (added in local admin group) and another machine has Non-Admin User. We have to test this functionality for both scenario Admin user and Non-Admin user. This is the script we are using: <# Start a transcript to log all activities

$transcriptPath = Join-Path -Path $PSScriptRoot -ChildPath "OfficeResetActivation.log"

Start-Transcript -Path $transcriptPath

try {

# Define the path to SaRacmd.exe $exePath = Join-Path -Path $PSScriptRoot -ChildPath "SaRacmd\SaRacmd.exe" # Get the currently logged-in user $loggedInUser = "$env:USERDOMAIN\$env:USERNAME" if (-not $loggedInUser) { throw "No user is currently logged in." } # Define the task name $taskName = "ResetOfficeActivation" # Create a scheduled task to run as the logged-in user $action = New-ScheduledTaskAction -Execute $exePath -Argument "-S ResetOfficeActivation -AcceptEula -CloseOffice" $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) $principal = New-ScheduledTaskPrincipal -UserId $loggedInUser -LogonType Interactive Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Force # Start the task immediately Start-ScheduledTask -TaskName $taskName Write-Output "Scheduled task '$taskName' created and started successfully for user $loggedInUser."

Open Command Prompt as the current user to execute the task

$cmdPath = "C:\Windows\System32\cmd.exe"

$arguments = "/c start ""Elevated Command Prompt"" /d C:\Windows\ccmcache\e\Saracmd /wait SaRacmd.exe -S ResetOfficeActivation -AcceptEula -CloseOffice"

Start-Process -FilePath $cmdPath -ArgumentList $arguments -NoNewWindow -Wait

} catch {

# Log any errors that occur during the process Write-Error "An error occurred: $_"

} finally {

# Stop the transcript Stop-Transcript

}

Can you check and provide the changes we need to do in this script. This script was deployed as System context. Additionally, when we execute this, it picks up System account instead of current logged in user. $loggedInUser = "$env:USERDOMAIN$env:USERNAME". It opens the command prompt but not succeeds with current logged in user.

Also, Thanks for the link, I am going through that one.

Share via

Running the script as System context and trigger in script part as User context

1 additional answer

Open Command Prompt as the current user to execute the task

Your answer