How can I safely allow an end user to start Deployment Solution jobs?
Using axsched.exe is not a viable option from a security standpoint (AxSched needs access to the Deployment Solution database, and credentials have to be stored in clear text) if you want to provide self-help access to Deployment Server jobs (such as refreshing OS images from a local image store) to a large number of client computers.
A three-tiered process using VB Script has been designed and tested to allow end users to instantiate an OS refresh in a secure and robust manner.
This process uses three VB scripts, each designed to run a specific set of tasks, to ensure separation of concerns and greater security.
AutoImg-Client.vbs: This script is run by the end user to create a token and store it on the local drive and in the AutoImg folder on the DS share. In the example attached to this article, the script finishes by changing the current user's desktop background to let the user know that the request for imaging has completed successfully.
AutoImg-Server.vbs: This script needs to be scheduled to run by the Deployment server at a short interval (5 to 10 minutes) to ensure scheduling requests are handled in a timely manner.
This script checks for files in the AutoImg folder and creates a schedule for the requesting computer to run, as soon as possible, the Deployment Solution job specified with this line (line 15): sDSJob = "<job to run>"
AutoImg-DS.vbs: This script should be used as the first task of the scheduled job. It checks that the computer on which it is running is the computer that posted the scheduling request. If this is the case (a key stored in the local file system is the same as the key that was used to schedule the Deployment Solution job), it returns an error code of 0.
If not, the script returns a non-zero value. In this case the job should terminate and flag the error to the Deployment Solution administrator.
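The check described for AutoImg-DS.vbs can be sketched as follows. This is an added example, not the script attached to the article: the token file path, the script name in the usage message, and passing the scheduled key as the first command-line argument are assumptions made for illustration.

```vbscript
' Added example: hypothetical sketch of the first-task check, not the attached AutoImg-DS.vbs.
' Assumptions: TOKEN_FILE location and the key arriving as the first command-line argument.
Option Explicit

Const TOKEN_FILE = "C:\AutoImg\token.txt"   ' assumed path of the locally stored token
Const ForReading = 1

' Returns the token stored on this computer, or "" if it is missing or empty.
Function ReadLocalToken(path)
    Dim fso, ts
    ReadLocalToken = ""
    Set fso = CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(path) Then Exit Function
    If fso.GetFile(path).Size = 0 Then Exit Function
    Set ts = fso.OpenTextFile(path, ForReading)
    ReadLocalToken = Trim(ts.ReadLine)
    ts.Close
End Function

' Returns 0 only when the local token equals the key the job was scheduled with.
' Every other outcome is non-zero, so the job stops before any imaging task runs.
Function VerifyRequest(scheduledKey)
    Dim localKey
    localKey = ReadLocalToken(TOKEN_FILE)
    If Len(localKey) = 0 Then
        WScript.Echo "No local token found: this computer did not post a request."
        VerifyRequest = 2
    ElseIf StrComp(localKey, Trim(scheduledKey), vbBinaryCompare) = 0 Then
        VerifyRequest = 0
    Else
        WScript.Echo "Local token does not match the scheduled key."
        VerifyRequest = 3
    End If
End Function

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript AutoImg-DS-check.vbs <scheduled key>"
    WScript.Quit 1
End If

WScript.Quit VerifyRequest(WScript.Arguments(0))
```

A missing or empty token file is treated as a failed check, so a job scheduled for a computer that never created a token does not proceed.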
Note: The scripts in this article are provided "as is" and only as an example of how to extend the benefits of Deployment Solution using simple scripts.
Also note that LogEvent sub used in the scripts could be extended to use the wlogevent functions from Deployment Solution.
Finally, a number of logging levels are built into the scripts (the value is changed in the scripts themselves) to allow for faster troubleshooting, as shown here:
If you decide to use logging, make sure that the script is not sending log information to the standard console (cmd.exe), as this can use up a lot of CPU power.
Instead run the script with a command such as:
cscript "AutoImg-Client.vbs" >> c:\AutoImg-Client.log
cscript "AutoImg-Server.vbs" >> c:\AutoImg-Server.log
cscript "AutoImg-DS.vbs" >> c:\AutoImg-DS.log