Permission/role required to run migration command - powershell

I am a Global Admin I can run set-moverequest in PowerShell.
I want to give another IT staff member permission so that he can also run this command to help me migrate users from the local exchange to exchange 365
What are the Roles in M365 which allow you to run this command?
Is there any way we can check in PS what Role is required to run any specific command?
P.S: my colleague has a Helpdesk Administrator role in M365, and he gets error when try to run the command.

Related

Powershell Script Error - A specified Logon session does not exist

I am trying to export the STARTLAYOUT.XML file from Windows 10 computer. I issue the following command in Powershell which is logged in as a local admin user.
Powershell Admin
I enter the local admin username and password
Run the command >Export-Startlayout c:\startlayout.xml
Error
Export-Startlayout: A specified logon session does not exist. It may already have been terminated.
At line1 Char1
Any ideas guys. I have not had issues like this before. These are Autopilot Intune joined AAD devices.

Changing registry without admins rights windows 10

Changing registry without admins rights windows 10
What would be the best way add an entry XXX on windows registry with password
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\XXX
current permission for everyone are Read.
Tried this :
[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker]
#="Run as user without UAC privilege elevation"
[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker\command]
#="cmd /min /C \"set __COMPAT_LAYER=RUNASINVOKER && start \"\" \"%1\"\""
Coming up with Registry error:
Cannot import RegFix.reg: not all data was successfully written to the registry. Some keys are open by the system or other processes, or you have insufficient privileges to perform this operations.
If it cant be done any other option, using powershell, or an executable file, without revealing the password.
I would suggest looking into this link: http://woshub.com/run-program-without-admin-password-and-bypass-uac-prompt/
You can open registry even if it is admin protected with a batch file that runs registry with the RUNASINVOKER compatibility mode, also in this link is a registry file that allows you to run things as admin without UAC coming up. To change elements in the registry it requires administrator privileges since it affects the system configuration like how System32 cannot be edited without administrator permissions.
You cannot write to HKLM or HKCR without admin rights. There is no workaround
Ken white is correct under normal circumstances but if you use the registry file in the link (which you need administrators rights to import to registry) you can bypass UAC and run registry as admin allowing you to edit the registry.

Silent initdb.exe postgresql

I am trying to install postgresql on a server using a bat file. I am using initdb.exe with --pwfile option so that it picks up the password form a text file and continues...
for some reason, even with --pwfile option, it is still prompting me for a password.. Not sure what the problem is.. This is the script I am using:
set DBPATH = something
set DBADMIN = something
set DBDATA = something
RunAs /noprofile /user:%computername%\postgres ""%DBPATH%\initdb.exe" --locale=C --encoding=UTF-8 -U %DBADMIN% --pwfile="D:\Pass.txt" -D "%DBDATA%""
Thanks
If you want to install a software which requires for the installation administrator privileges and the current user account does not have the required privileges, it is possible to use command RunAs to run the installation executable and all processes started by this application with a different user account than the current user account which has the required privileges.
But the user has to enter nevertheless a password - the password for the other user account with the extended privileges to install applications. If it would be possible to run something requiring extended privileges for installing software without requesting entering the password by the user, every bad guy out in the world could very easily install trojaners and other malware (as it is possible on Windows 2000 / XP or since Windows Vista with user account control disabled).
There are systems to deploy and install software on all clients of a company like Group Policy or System Center Configuration Manager.

Execute a remote process on a non-admin account using Powershell

I want to run aa remote process (winword.exe more specifically) from a remote machine using Powershell 2.0. One requirement is that the process is run by a non-admin user account. I'm able to run winword.exe if the user is part of the local administrator group on the remote machine, however when I remove it from the admin group, it fails - I get a winword.exe cannot be found error (32bit winword running on a 64bit 2008 server).
I've tried adjusting the PSSession configuration by granting the non-admin user account more elevated priveleges but it still fails:
Set-PSSessionConfiguration Microsoft.Powershell -ShowSecurityDescriptorUI
Is there something I'm missing here? Or does the user account explicitly require admin level priveleges on the server? Although PS tools would be a nice alternative, I would prefer using PS.
Have a look to the "Understanding Session Configurations" paragrph in the Administrator's guide to PowerShell Remoting from PowerShell.com.

Impersonation in Powershell - Access remote file

I need to read a file on a remote server, however I dont have permissions to do so. If I use another account with elevated rights, I can. I would like to run the script from anywhere with the credentials built into the script (accepting the risks).
If you just need access to the file you can establish credentials an any manner. If you don't have a drive mapped you can use the net use command or the Get-Credential commandlet. Once you establish access with a valid user name you should be fine unless you need some type of elevate privileges on your box