Admin Image, only allow install on listed machines

[bnemec]

Hello,
Is there a way to prevent an admin image from running if the machine it's installing on is not listed in any of the groups? I would like to prevent people installing SW or PDM on machines that are not assigned to a specific group.

Thank you.

[jcapriotti]

I used to police this with a batch script that would kick off the admin image. It would first check if the user was in a approved user list before proceeding. That still wouldn't stop a determined person who figured out where the hidden shared network folder was located but probably stopped 99% of people. We also have an INCLUDE in the network license file for the username so even if someone installed it, they couldn't run it.

[bnemec]

I used to police this with a batch script that would kick off the admin image. It would first check if the user was in a approved user list before proceeding. That still wouldn't stop a determined person who figured out where the hidden shared network folder was located but probably stopped 99% of people. We also have an INCLUDE in the network license file for the username so even if someone installed it, they couldn't run it.

Thanks Jason. What file does the batch call? [imagefolder]\startswinstall.exe ?

[jcapriotti]

Just a tiny bit of what my batch code does.

Code: Select all

SET %SWXSOURCE%=C:\Temp\sw2019sp5.0

call "%SWXSOURCE%\64bit\sldim\sldim.exe" /adminclient /new /source "%SWXSOURCE%\64bit\AdminDirector.xml"

[mp3-250]

Hello,
Is there a way to prevent an admin image from running if the machine it's installing on is not listed in any of the groups? I would like to prevent people installing SW or PDM on machines that are not assigned to a specific group.

Thank you.

A dirt (untested) solution could be to create proper groups for all your regular machines and use cases inside the admin image configuration tool and put the "no group" default setting (close) to nothing installed and have a preinstall batch killing the install process itself cancelling the install process all together.

[JSculley]

Hello,
Is there a way to prevent an admin image from running if the machine it's installing on is not listed in any of the groups? I would like to prevent people installing SW or PDM on machines that are not assigned to a specific group.

Thank you.

You can put the admin image in a location they don't have access to and then push the image installation to them:

https://help.solidworks.com/2025/englis ... deploy.htm

They can't install what they can't see.

[bnemec]

You can put the admin image in a location they don't have access to and then push the image installation to them:

https://help.solidworks.com/2025/englis ... deploy.htm

They can't install what they can't see.

I've tried the push method in the past with very limited success. It went a bit better when the IT folks pushed it with their domain admin user. The regular CAD work stations in Des Eng group are fine, I can push those, provided they're on and except for the few portable devices that tried to run on WiFi connection, it worked. All the other users that need access to PDM it was far less than ideal as I do not have a user profile on those machines in the local admin group. In theory it would work great, I haven't figured out how to accomplish that. However, involving IT people every time I need to update an image or push one is still on the table.

[bnemec]

A dirt (untested) solution could be to create proper groups for all your regular machines and use cases inside the admin image configuration tool and put the "no group" default setting (close) to nothing installed and have a preinstall batch killing the install process itself cancelling the install process all together.

I've thought about using the "default" global option as a no-install option. Been thinking of trying this route, it seems the simplest method that meets the requirements. Wondering if anyone else does this.

[jcapriotti]

I've thought about using the "default" global option as a no-install option. Been thinking of trying this route, it seems the simplest method that meets the requirements. Wondering if anyone else does this.

I never used those options due to the maintenance of having to adding a long list of machine names. I don't know the names and users get new hardware periodically without me knowing. It would be cumbersome to keep adding and removing machines names to the admin image.

We have SNL licenses and I have an options file setup that requires the users Windows username to be on the include list. My SolidWorks batch script pulls the logged in username, then checks it against the file to see if the user has been added.

Options files entries:

Batch script user check

[AlexB]

I've thought about using the "default" global option as a no-install option. Been thinking of trying this route, it seems the simplest method that meets the requirements. Wondering if anyone else does this.

This is what I was about to suggest. With the addition of nested groups it makes this way easier. You can make the ‘root’ group install bare minimum viewing stuff like edrawings. Otherwise it’ll follow the inherited rules of whichever users are in the list.

This is the approach I’ve taken several times in past lives.