Is opsi-winst /usercontext parameter licensed ?

[ronin]

Hello

I want to use /usercontext <[domain\]user name> parameter, but i have problem ...
Do I need license for it ?

If not, please, I need some help

Till now I tried combinations:

Code: Alles auswählen

1) DosBatch_script /usercontext "OPSI\domnuser" /password "***"
2) DosBatch_script /usercontext /username "OPSI\domnuser" /password "***"
3) DosBatch_script /username "OPSI\domnuser" /password "***"

[DosBatch_script]
"%scriptpath%\script.cmd"

Thank you

[SisterOfMercy]

I don't think you need a license, except when you are using an old version. Please tell us what version of OPSI you are using, and even better: what you are trying to do. There are a lot of ways that lead to Rome.

[ronin]

Hi SisterOfMercy, I'm trying to run as domain user Bitlocker encryption script, with adbackup function:

Code: Alles auswählen

@echo off
REM Manage-bde.exe -protectors -disable c:
set test /a = "qrz"
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr "    Encryption Method:"') do (
   echo %%A
   set test = %%A
   if "%%A"=="None" goto :activate
   )
rem goto end
:activate
echo in activate
for /F %%A in ('wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue ^| findstr "TRUE"') do (
if "%%A"=="TRUE" goto :bitlock
)
powershell Initialize-Tpm
:bitlock

:end
manage-bde -protectors -disable %systemdrive%
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
manage-bde -protectors -delete %systemdrive% -type RecoveryPassword
manage-bde -protectors -add %systemdrive% -RecoveryPassword
for /F "tokens=2 delims=: " %%A in ('manage-bde -protectors -get %systemdrive% -type recoverypassword ^| findstr "       ID:"') do (
   echo %%A
   manage-bde -protectors -adbackup %systemdrive% -id %%A
)
manage-bde -protectors -enable %systemdrive%
manage-bde -on %systemdrive% -UsedSpaceOnly -SkipHardwareTest

rem  \\lib-fs\lib-gpo\bitlockerid.bat
rem  manage-bde -status %systemdrive%

I'm using latest opsi 4.1 version

[d.oertel]

Hi,

Parameters like
'/usercontext "OPSI\domnuser" /password "***"' or
'/username "OPSI\dom'
are command line parameters of the script interpreter (e.g. winst32.exe) it self:
https://download.uib.de/opsi_stable/doc/html/en/opsi-winst-manual/opsi-winst-manual.html#opsi-winst-cliparams

There are not valid parameters for a dosbatch section call:
https://download.uib.de/opsi_stable/doc/html/en/opsi-winst-manual/opsi-winst-manual.html#opsi-winst-dosbatch

But I do not see, that any thing in your script has to run inside any user context.
Bitlocker is a system wide thing.

What is your problem running your script inside a dosInAnIcon (or DosBatch) section ?

cheers
d.oertel

[ronin]

Hi d.oertel, thank you for reply.

I want to understand it better ..

.. So opsi-winst stand for (WinBatch, DosBatch,ExecWith, Files etc) secondary sections ?
And to use opsi-winst parameters I need to call "winst" after Secondary section ?

Like?:

Code: Alles auswählen

DosBatch_bitlocker winst /usercontext "OPSI\user" /password "***"

[DosBatch_bitlocker]
"%scriptpath%\bitlocker.cmd"

This line gives me:

Code: Alles auswählen

...
[5] [Sep 04 20:38:58:386] [bitlocker]   message Installing Bitlocker...
[5] [Sep 04 20:38:58:405] [bitlocker]   Execution of: DosBatch_bitlocker winst /usercontext "OPSI\user" /password "***"
[7] [Sep 04 20:38:58:405] [bitlocker]     Save to file with encoding: system
[7] [Sep 04 20:38:58:407] [bitlocker]     Executing "cmd.exe" /C c:\opsi.org\tmp\_opsiscript_Op90Ws61.cmd
[6] [Sep 04 20:38:58:927] [bitlocker]     ExitCode 0
[7] [Sep 04 20:38:58:933] [bitlocker]     The file: c:\opsi.org\tmp\_opsiscript_Op90Ws61.cmd has been deleted
[6] [Sep 04 20:38:58:933] [bitlocker]       Search "c:\opsi.org\tmp\"
[6] [Sep 04 20:38:58:933] [bitlocker]       Search "c:\opsi.org\tmp\_opsiscript_*"
[6] [Sep 04 20:38:58:933] [bitlocker]       File "c:\opsi.org\tmp\_opsiscript_Io22Kx61.cmd"
[6] [Sep 04 20:38:58:934] [bitlocker]         The file is 1 day(s) old, no deletion
[6] [Sep 04 20:38:58:934] [bitlocker] EndIf
[1] [Sep 04 20:38:58:934] [bitlocker] ___________________
[1] [Sep 04 20:38:58:934] [bitlocker] script finished: success
[1] [Sep 04 20:38:58:934] [bitlocker] 0 errors
[1] [Sep 04 20:38:58:934] [bitlocker] 0 warnings
...

Durring installation cmd windows showing up for split seconds, with some errors (i presume), but i don't know how to log output of bitlocker.cmd

If I'm doing this totally wrong, could you please give me some examples ?

Thank you

To clarify,
This script work as intended on domain user account and local account with cmd run as different user (domain)

[d.oertel]

try something like this:

Code: Alles auswählen

DosBatch_bitlocker

[DosBatch_bitlocker]
@echo off
REM Manage-bde.exe -protectors -disable c:
set test /a = "qrz"
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr "    Encryption Method:"') do (
   echo %%A
   set test = %%A
   if "%%A"=="None" goto :activate
   )
rem goto end
:activate
echo in activate
for /F %%A in ('wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue ^| findstr "TRUE"') do (
if "%%A"=="TRUE" goto :bitlock
)
powershell Initialize-Tpm
:bitlock

:end
manage-bde -protectors -disable %systemdrive%
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
manage-bde -protectors -delete %systemdrive% -type RecoveryPassword
manage-bde -protectors -add %systemdrive% -RecoveryPassword
for /F "tokens=2 delims=: " %%A in ('manage-bde -protectors -get %systemdrive% -type recoverypassword ^| findstr "       ID:"') do (
   echo %%A
   manage-bde -protectors -adbackup %systemdrive% -id %%A
)
manage-bde -protectors -enable %systemdrive%
manage-bde -on %systemdrive% -UsedSpaceOnly -SkipHardwareTest

rem  \\lib-fs\lib-gpo\bitlockerid.bat
rem  manage-bde -status %systemdrive%


[ronin]

d.oertel, This script deployed from opsi generates some errors.

I made some opsi packages, so i know some basics . But it's first time when i need run script as domain user

I switch to DosInAaIcon.
And I want to see script output to inspect those errors.

I found on opsi-winst manual:

Code: Alles auswählen

Set $list$ = getOutStreamFromSection ('DosInAnIcon_bitlocker')

But this gives me another error :/

Code: Alles auswählen

(85)      [2] [Sep 04 23:25:16:817] [bitlocker]   Syntax Error in Section: Actions (Command in line 19 in section: Actions file: setup.ins section start at line: 1; origin: setup.ins line: 19): $list$ = getOutStreamFromSection ('DosInAnIcon_bitlocker') -> getOutStreamFromSection ('DosInAnIcon_bitlocker') illegal String Expressionstr
(86)      [2] [Sep 04 23:25:16:817] [bitlocker]   Syntax Error in Section: Actions (Command in line 20 in section: Actions file: setup.ins section start at line: 1; origin: setup.ins line: 20): EndIf -> expected

Btw. Can you tell me, is this syntax correct ?

Code: Alles auswählen

DosInAnIcon_bitlocker winst /usercontext "OPSI\user" /password "***"

Thank you

[d.oertel]

Hi,

i can't tell you the exact reason for your error because i do not see the complete code.
But it looks like set the stringlist var $list$ is perhaps not deklared as stringlist.

Code: Alles auswählen

DosInAnIcon_bitlocker winst /usercontext "OPSI\user" /password "***"

is not correct because (as i told) "/usercontext" is not a command you may use inside a script but a cli parameter you may use starting the winst32.exe like /logfile or /batch (winst32.exe myscrpt.opsiscript /batch /logfile mylog.log)

So go back to my example and let us discuss the errormessages that are resulted by this code.

cheer
detlef