Run Batch File On Remote Computer Without PsExec

[Hell Bomb]

Ok imma give a full rundown of the situation. Currently on the network we are on because of the way it is setup wake on lan doesn't work, so SCCM has at best a 70 success rate for patching. So I am currently spending a couple days a week remoting into computers and running a batch file to manually update computers. I need a way, that isn't psexec to execute a batch file on a remote computer. If anyone has any ideas they would be greatly appreciated.

Additional Notes
- Batch file is on share drive atm.

 

[kegobeer]

So, you are using RDP and remotely logging into the computer? If that's the case, you should be able to put the batch file on a network share, and then execute it while you are in the RDP session.

 

[Alejandro85]

An alternative may be to use telnet or SSH to login through command line and run the bat file from there, without the users even realizing there is something happening. You need to install the server first on each machine however.

Another thing that may work is to put the batch file on the startup menu folder of the start menu so that it runs on the next logon of each user. You can user the default security hole that Windows has because of the administrative shares (C$/D$ and so on). You only need a local administrator password on each computer only, which you can have if you're on a domain.

 

[Hell Bomb]

So, you are using RDP and remotely logging into the computer? If that's the case, you should be able to put the batch file on a network share, and then execute it while you are in the RDP session.

Thats what we are doing, but when we have to remote into 200+ computers every other week its very tedious.

An alternative may be to use telnet or SSH to login through command line and run the bat file from there, without the users even realizing there is something happening. You need to install the server first on each machine however.

Hmmm not sure if i want to install that on every computer, but i'll check it out. Thx for the idea.

Another thing that may work is to put the batch file on the startup menu folder of the start menu so that it runs on the next logon of each user. You can user the default security hole that Windows has because of the administrative shares (C$/D$ and so on). You only need a local administrator password on each computer only, which you can have if you're on a domain.

We disable the local admin of each computer through the local GPO. Plus I wouldn't want to leave the local admin password just there in cleartext.

 

[kegobeer]

We require all of our users to keep their systems powered on so we can apply updates. Do you have that policy?

Something else you could try - configure the BIOS on your computers to turn the systems on at a certain time. This way, if your users power down the system it will be up at a certain time, and it will receive the updates you push.

 

[Hell Bomb]

We require all of our users to keep their systems powered on so we can apply updates. Do you have that policy?

Our current policy is to turn a computer to sleep mode after about 45 minutes of inactivity.

Something else you could try - configure the BIOS on your computers to turn the systems on at a certain time. This way, if your users power down the system it will be up at a certain time, and it will receive the updates you push.

This is an interesting idea, but we have a couple thousand computers and a handful of technicians.

Currently I am playing around with the idea of WMIC to just execute the batch file on the file server.

 

[kegobeer]

Our current policy is to turn a computer to sleep mode after about 45 minutes of inactivity.

What's the reasoning behind that? We have thousands of computers at the Air Force base where I work, and the policy is to leave them on 24/7 so patches can be pushed. If it's for power saving, I don't think there's much difference, to tell the truth.

Something else you could try - configure the BIOS on your computers to turn the systems on at a certain time. This way, if your users power down the system it will be up at a certain time, and it will receive the updates you push.

This is an interesting idea, but we have a couple thousand computers and a handful of technicians.

Currently I am playing around with the idea of WMIC to just execute the batch file on the file server.[/QUOTE]

It will take a while, but I think it would definitely help your situation.

 

[Alejandro85]

Another thing that may work is to put the batch file on the startup menu folder of the start menu so that it runs on the next logon of each user. You can user the default security hole that Windows has because of the administrative shares (C$/D$ and so on). You only need a local administrator password on each computer only, which you can have if you're on a domain.

We disable the local admin of each computer through the local GPO. Plus I wouldn't want to leave the local admin password just there in cleartext.

Hi, you don't need to enable the built in admin password for such a trick, any admin account will do really. I haven't tried that, but I think that domain administrators are automagically granted local administrator rights on every domain-joined computer, so you can use that user/password to get into every system.

 

[Hell Bomb]

Another thing that may work is to put the batch file on the startup menu folder of the start menu so that it runs on the next logon of each user. You can user the default security hole that Windows has because of the administrative shares (C$/D$ and so on). You only need a local administrator password on each computer only, which you can have if you're on a domain.

We disable the local admin of each computer through the local GPO. Plus I wouldn't want to leave the local admin password just there in cleartext.

Hi, you don't need to enable the built in admin password for such a trick, any admin account will do really. I haven't tried that, but I think that domain administrators are automagically granted local administrator rights on every domain-joined computer, so you can use that user/password to get into every system.

That still leaves the issue with an admin account's password being stored in cleartext.

 

[Alejandro85]

We disable the local admin of each computer through the local GPO. Plus I wouldn't want to leave the local admin password just there in cleartext.

Hi, you don't need to enable the built in admin password for such a trick, any admin account will do really. I haven't tried that, but I think that domain administrators are automagically granted local administrator rights on every domain-joined computer, so you can use that user/password to get into every system.

That still leaves the issue with an admin account's password being stored in cleartext.

You may try to run the batch though the task scheduler, using the "run as user..." option. That way Windows takes cares of storing the password (don't know for sure, but I guess it has some form of encryption). Or manually run the script using the "run as another user" explorer context menu option, which ask for your password and it isn't saved at all.

 

[Bvaughn]

Ran across this thread while reseaching another subject -
Problem restated - Desire to initiate running a bat file from a network share without using RDP, etc. tools
Solution -
Make a bat file that runs at a set time (scheduled task) or event (Logon script)
Step 1. Make a local bat file and copied to each server that does the folllowing steps
a) Checks for current flag on network share. This could be version number inside a file, or an if exists stepment where the names of the servers are in a run_now folder
b) possible pre-execute stage is write to a log file on share so that know run recieved
c) Execute target bat file
d) post execute stage, remove flag (update local version number so will not re-run or remove server named file from run_now) Both methods have good points. In the run now folder I can at a glance see which machines have not run, in the version method, the local machine version info will tell me when the last update was run.

.
If you have servers in groups, then a simple push bat file would set things up. For the if exists method
Push FishTeam would just have a series of xcopy with Fish1, fish2, etc. being copied to the Run_now folder

For version number, you can have groups of servers in the version control file.
So Fish would go from 2.5 to 2.6 would mean all the servers configured for Fish would now update.

I have used both and the bat programming is easy. It mainly is which is easier to wrap head around what is going on.