August 01, 2000 02:34 PM

Reader to Reader - September 2000

Windows IT Pro
InstantDoc ID #9652

Enabling Users to Install Software During an Automated Installation
If you want to write to the Registry, Windows NT 4.0 requires Administrator privileges. Thus, a standard user can't run a batch file or an ordinary Microsoft Systems Management Server (SMS) package to install software during an automated installation. To overcome this limitation, I use the Microsoft Windows NT Server 4.0 Resource Kit Su utility.

First, install the Su service on every workstation. Next, to install software that requires Administrator privileges under NT, run a batch script that executes su.exe with an Administrator account, followed by the required command line (the command line depends on what the script is installing). For example, you run the following batch file to install NT Service Pack 5 (SP5):

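REM Su reads the password from the SU_PASSWORD environment variable
SET SU_PASSWORD=adminpassword
SU adminaccount "filepath\sp5i386.exe -u -f -o" domainname
REM Clear the variable so the password doesn't stay in the environment
SET SU_PASSWORD=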

I ran this script from a source folder on the C drive, which permits only Administrator access rights to prevent users from customizing their OS installations.

I used the following script to add a local account to all PCs, then added the account to the LocalAdmin group:

SET SU_PASSWORD=adminpassword
REM Create the account only if NET USER can't find it; discard output to the NUL device
NET USER helpdeskaccount >NUL || SU adminaccount "net user helpdeskaccount accountpassword /add" domainname -v >NUL
REM Add the account to the local Administrators group
SU adminaccount "NET LOCALGROUP administrators helpdeskaccount /add" domainname -v >NUL
SET SU_PASSWORD=

However, having an Administrator password in a text file creates a potential security hazard. To secure the password, I put the batch script in a folder that has only execute privileges to prevent users from viewing the password. In addition, I use SMS Installer to compile an executable, a one-line batch file that calls the main script file, so that users can't see where I stored the batch file or what it's called. I send the executable to all users through an SMS package (preceded by an email message that warns users to run the executable only after they close all applications).
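
A defender's check for the hazard described above, as an added example that is not part of the original article: a Python scan that flags batch scripts hard-coding a password in either of the two forms the scripts above use (SET SU_PASSWORD= with a literal value, or net user <account> <password> /add). The function names and the sample script are constructed for illustration, and findings deliberately omit the secret itself.

```python
import re

# The two ways the article's scripts embed a secret (patterns are this example's own).
SET_PW = re.compile(r'^\s*set\s+"?(SU_PASSWORD)=(.*?)"?\s*$', re.I)
NET_USER_ADD = re.compile(
    r'\bnet\s+user\s+(\S+)\s+([^\s"/>|&][^\s"]*)(?=[^|&>]*?/add\b)', re.I)

# Constructed sample, modelled on the second script in the article.
SAMPLE = """SET SU_PASSWORD=adminpassword
NET USER helpdeskaccount >NUL || SU adminaccount "net user helpdeskaccount accountpassword /add" domainname -v >NUL
SU adminaccount "NET LOCALGROUP administrators helpdeskaccount /add" domainname -v >NUL
SET SU_PASSWORD=
"""

def is_literal(value):
    """True for a hard-coded value; False for empty, '*', %1 or %VAR% references."""
    return bool(value) and not re.fullmatch(r'\*|%\d|%[^%]+%', value)

def scan_batch(text):
    """Return (line_no, kind, variable_or_account) per hard-coded credential.

    The secret is never included in a finding, so reports are safe to share.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if re.match(r'^\s*(rem\b|::)', line, re.I):
            continue  # commented-out lines are not executed
        m = SET_PW.match(line)
        if m and is_literal(m.group(2)):
            findings.append((no, "env-password", m.group(1).upper()))
        for m in NET_USER_ADD.finditer(line):
            if is_literal(m.group(2)):
                findings.append((no, "net-user-password", m.group(1)))
    return findings

if __name__ == "__main__":
    for no, kind, name in scan_batch(SAMPLE):
        print(f"line {no}: {kind} for {name}")
```

Run it over every .bat and .cmd file on a distribution share; any finding is a script whose confidentiality depends entirely on the file's permissions.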


Comments
  • ANGELO
    11 years ago
    Mar 28, 2001

    WHO'S LOGGED ON? I've used various third-party and installed utilities that tell an Administrator who's logged on remotely (i.e., Net Sessions, Server Manager, Event Viewer, etc.); they've reported users connected - all but the IIS anonymous user. EV shows the logon, but to my knowledge that's the only way. My question is, how can you identify who's logged on remotely via anonymous login (IIS) via command-line?
