3 Replies Latest reply on Sep 14, 2017 1:50 PM by jmatz135

    UEM logon tasks

    lidokci Enthusiast

      I'm running a logon task within UEM  that launches a script.  The context of the script runs a handful of commands to create localgroups AND also adds AD domain groups to these local groups.


      The script itself appears to run, but the local groups are not created.



      From the best I can tell UEM will run with Admin (system) privileges at startup so the script should complete, correct ?



      Any assistance would be appreciated.



      UEM 9.0

      Windows 7 /64bit desktops

        • 1. Re: UEM logon tasks
          Pim_van_de_Vis Expert
          vExpertVMware Employees

          No, the FlexEngine (UEM agent) runs in the same security context as the user. So this script fails because of limited permissions.

          Typically such system changes are made by a System Management tool like SCCM, and not by a User Management tool.

          Or you could incorporate them in the golden image if you use VDI.

          • 2. Re: UEM logon tasks
            lidokci Enthusiast

            thanks for your reply.


            I just ran through the script again, this time echo'ing an errorlevel and got the same response that you mentioned...Access is denied.


            A bit more detail on my problem ....


            the application Transform Verify requires 2 local groups (twadmin & twuser) to be created locally on the VM.  A number of Windows domain groups need to be members of those localgroups. 


            This is where I get stuck.


            I'm trying to consolidate the users of a pool (who use Verify) to another pool.  We currently have the "Verify" pool with the localgroups preset on the GOLD image, but I was trying to see if there was a way around that if we could reduce the # of pools in our environment.


            SCCM is not an option since we are using floating desktops.





            • 3. Re: UEM logon tasks
              jmatz135 Hot Shot

              You will have to use group policy.  You can use Group Policy preferences to add AD groups to the local security groups and you can use item level targeting to apply it only if the user is in a certain AD security group i.e. make a security group Transform_Verify_Users in AD and put the users that use it in there and then use item level targeting to only apply the policy to users of that group.  Note:  This will need to be a User Configuration policy and not a Computer Configuration policy.