Using BatchPatch in Non-Domain Environments with Standalone or Workgroup Computers

One of the questions we are asked regularly is can BatchPatch work on computers that are *not* domain members? How does one go about making that happen?

The answer is yes, in addition to working in a domain environment BatchPatch will also work on computers that are not members of a domain but rather are either standalone computers or computers assigned to a workgroup. However, you will most likely have to make a configuration change on your target computers in order for everything to work properly. That change is described toward the bottom of this page under the Third heading.

First:

Make sure that the account that you are using to connect to target computers is a member of the local administrators group on each of the target computers.

Second:

Decide how you will execute BatchPatch in the security context of the local administrator user that you previously defined on all target computers. You have three options here:

Option A:
Create the exact same account on the computer where you are running BatchPatch that you have already created on the target computers. The username and password of this account must be identical on the BatchPatch computer and the target computers. However, while the target computers’ user account must be a member of the local administrators group on the target computers, the user account created on the BatchPatch computer does *not* need to be a member of the local administrators group on the BatchPatch computer for most operations in BatchPatch to function properly. You certainly may add it to the local admins group if desired, but it’s not an absolute requirement since BatchPatch will generally work properly when run as a standard user for almost all of its operations. The operations that require elevation will inform you if you try to use them and they need more permission.

With the exact same account created on the BatchPatch computer as on the target computers, you may then simply log on to the BatchPatch computer as that user, and then launch BatchPatch normally by double-clicking the .exe. Since the entire BatchPatch application will now be running in the context of this user, all actions in BatchPatch will automatically have the appropriate permissions on the target computers. BUT… don’t forget to review the Third heading below in order to get everything working properly. The information provided there is necessary to get everything working in the large majority of cases.

Option B:
Just as in option A, on the BatchPatch computer you have to create the same exact user account with the same exact username and password that you previously created on the target computers. However, instead of logging on to the BatchPatch computer with that username/password, you could log on to the BatchPatch computer as a different user. Then when you launch BatchPatch, right-click on the batchpatch.exe and choose the option to “run-as” a different user. The different user that you choose to run BatchPatch would have to then be the user account that you previously created… the same one that exists in the local administrators group on all target computers.

Option C:
Launch BatchPatch with any user account on the BatchPatch computer, and then inside of BatchPatch enter alternate credentials for each row that you have added to the BatchPatch grid. To do this, select the rows and click Actions > Specify alternate logon credentials. The account that you specify here must be the account that you previously created on the target computers that is also a member of the local administrators group on the target computers.

Third:

After BatchPatch is running, you’ll find that if you try to perform an action on target computers, in most cases you will still see an error message or exception similar to the following:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Whether or not you see this error message will generally depend on which operating system version is running on the target computer as well as which particular action was executed in BatchPatch.

In order to resolve the ‘Access is denied’ exception, there is a registry value that needs to be created/modified on all target computers where this exception occurs. Instructions for the registry change is described toward the bottom of this page under the section Additional BatchPatch Authentication Details: BatchPatch Authentication in Domain and Workgroup (non-domain) Environments

This entry was posted in Blog, General, Tutorials. Bookmark the permalink. Both comments and trackbacks are currently closed.