Run Invoke-Command in remote computer as administrator - powershell

I'm trying to run invoke-command to launch a powershell script in a powershell file on a remote computer. I'm using the credentials for a user with Administrator privilege. The command needs to be executed by running powershell as an administrator. There are licensing issues with the application that i'm trying to invoke using the powershell script, so i cannot change the credentials to Administrator but need to run with that particular user itself. I have tried using -RunAsAdministrator at the end of the Invoke-Command, but i got an error saying:
Invoke-Command : Parameter set cannot be resolved using the specified named parameters.
$command = {
cd Folder
C:\Folder\build.ps1
}
Invoke-Command -ComputerName $RemoteSystemIP -ScriptBlock $command -credential $Credentials1 -ErrorAction Stop -AsJob
I'm trying to execute this as a background job that's why i added the -AsJob parameter.
Its been several days and i haven't found a solution yet.

tl;dr
The only way to get a remote PowerShell session to execute elevated (with admin privileges) is to connect with a user account (either implicitly or via -Credential) that has admin privileges on the target machine.
With such an account, the session automatically and invariably runs elevated.
The Invoke-Command's -RunAsAdministrator switch can only be used with (virtualization) containers (-ContainerId parameter), not regular remoting (-ComputerName parameter).
You cannot elevate on demand in a remote session (the way you can locally, interactively with Start-Process -Verb RunAs).[1]
Instead, you must make sure that the credentials you're passing to Invoke-Command -Credential to connect to the remote machine with refer to a user account that (also) has administrative privileges on the target machine, in which case the remote session automatically and invariably runs elevated (with admin privileges).[2]
If you cannot pass such credentials, I think you're out of luck.
To test if the current user has administrative privileges:
# Returns $true if elevated, otherwise $false.
[Security.Principal.WindowsPrincipal]::new(
[Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
Separately, here's a simple test you can run from inside a session to determine whether it is running with elevation:
# Returns $true if elevated, otherwise $false.
[bool] (net session 2>$null)
[1] Unless the session at already is elevated, -Verb RunAs presents a pop-up UAC dialog that a user must confirm interactively, which is not supported in a remote session.
[2] The same applies if you use "loopback remoting", i.e. if you target the local machine via remoting, using Invoke-Command -ComputerName ., for instance, with additional restrictions, however: You cannot use a user that is authorized for remoting but isn't part of the local Administrators group, and if you use the current user (whether or not with explicit credentials), the calling session must itself be elevated.

I think you should do this:
$command = {
Start-Process "powershell" -Verb runas -Workingdirectory "C:\Folder\" -ArgumentList "build.ps1"
}
Invoke-Command -ComputerName $RemoteSystemIP -ScriptBlock $command -credential $Credentials1 -ErrorAction Stop -AsJob

Related

How to exit and remove Pssession without prompt for session number [duplicate]

On my local PC and locally on the servers I admin, I regularly use the $profile script to set/output basic information. For instance running Set-Location to set the current path to the folder containing the scripts, and perhaps some Write-Host entries to show a basic cheat sheet for the most commonly used scripts and their expected parameters.
Does anyone know of a way to do something similar to that when using Enter-PSSession to connect interactively with a remote server?
As far as I can see there are no $profile files available with remote sessions, so I can't just add the commands in there (and the $profile used interactively on the local server doesn't get called when you remote into that same server).
Locally I've added functions to my local profile to make connecting to specific servers quicker, for example :
function foo{
$host.ui.RawUI.WindowTitle = "Foo"
Enter-PSSession -computername foo.local.mydomain.com -authentication credssp -credential mydomain\adminuser
}
and that works fine for connecting me (eg I type foo, then enter my password, and I'm in), but I still get dumped into C:\Users\adminuser\Documents.
I've tried adding things like the Set-Location command to the function after the connection, but that gets run in the local context (where the folder doesn't exist) and THEN it connects to the server. I even tried piping the commands to Enter-PSSession, but perhaps unsuprisingly that didn't work either.
Obviously things like Invoke-Command would allow me to specify commands to run once connected, but that wouldn't (as far as I can work out) leave me with an interactive session which is the primary aim.
You can't really automate unattended execution of anything that happens after Enter-PSSession connects your host to the remote session - but you can execute all the code you want in the remote session before calling Enter-PSSession:
function DumpMeInto {
param([string]$Path)
# Create remote session (you'll be prompted for credentials at this point)
$session = New-PSSession -ComputerName foo.local.mydomain.com -Authentication credssp -Credential mydomain\adminuser
# Run Set-Location in remote runspace
Invoke-Command -Session $session -ScriptBlock { Set-Location $args[0] } -ArgumentList $Path
# ... and then enter the session
Enter-PSSession -Session $session
}
Now you can do DumpMeInto C:\temp and it should drop you into a remote session on foo.local.mydomain.com with it's working directory set to c:\temp

Powershell start-process can't find file

I am trying to upgrade a server with a particular application from a client by PowerShell remote:
Invoke-Command -ComputerName $server -Credential $mycreds {Start-Process -FilePath "C:\temp\xxx.exe" -ArgumentList "-default", "-acceptEULA" -wait }
Whatever I try, I get messages like "Can't find the file specified..." what do I do wrong?
FilePath is on the local (client) computer.
Your C:\temp\xxx.exe executable must be present on the server (the remote machine) for your command to work, because that is where your script block ({ ... }) executes.
Note: By contrast, if you use Invoke-Command with the -FilePath parameter in order to run a locally present script file (.ps1) remotely, PowerShell automatically copies it to the remote machine; from the docs: "When you use this parameter, PowerShell converts the contents of the specified script file to a script block, transmits the script block to the remote computer, and runs it on the remote computer."
To copy the executable there from your local (client-side) machine, you need a 4-step approach (PSv5+, due to use of Copy-Item -ToSession[1]):
Create a remoting session to $server explicitly, using New-PSSession
Copy the local (client-side) executable to that session (the remote computer) with Copy-Item and its -ToSession parameter
Run your Invoke-Command command with the -Session parameter (rather than -ComputerName) in order to run in the explicitly created session (this isn't strictly necessary, but there's no need to create another (ad hoc) session).
Run Remove-PSSession to close the remote session.
Important: In a PowerShell remoting session, you cannot run external programs that require interactive user input:
While you can launch GUI applications, they invariably run invisibly.
Similarly, interactive console applications aren't supported (although output from console applications is received by the client).
However, interactive prompts from PowerShell commands are supported.
To put it all together:
# Specify the target server(s)
$server = 'w764' # '.'
# Establish a remoting session with the target server(s).
$session = New-PSSession -ComputerName $server
# Copy the local executable to the remote machine.
# Note: Make sure that the target directory exists on the remote machine.
Copy-Item C:\temp\xxx.exe -ToSession $session -Destination C:\temp
# Now invoke the excutable on the remote machine.
Invoke-Command -Session $session {
# Invoke *synchronously*, with -Wait.
# Note: If the program is a *console* application,
# you can just invoke it *directly* - no need for Start-Process.
Start-Process -Wait -FilePath C:\temp\xxx.exe -ArgumentList "-default", "-acceptEULA"
}
# Close the remote session.
# Note: This will terminate any programs that still
# run in the remote session, if any.
Remove-PSSession $session
[1] If you're running Powershell v4 or below, consider downloading psexec.

Running a PowerShell script on a remote Windows server using WinRM

I have written a script that allows to connect to a windows server machine using WinRM in order to run a script that exists on the Windows Server machine PS_Block_Access_Internet_GPO.ps1 but the script is not executed despite that the session was well created.
Besides the script needs administrator privileges to be executed, so how can I provide the needed privileges for script using PowerShell.
Enable-PSRemoting
Enter-PSSession -ComputerName Server.Admin.6NLG-AD
.\PS_Block_Internet_Access_GPO.ps1
To run a local script against a remote computer I would use use Invoke-Command, this doesn't need the script to be present on the remote computer.
Invoke-Command -ComputerName 'Server.Admin.6NLG-AD' -FilePath C:\Folder\myScript.ps1
As your script looks to create a GPO, you may likely need to use an alternative user account with appropriate permissions on your domain...
You can use the Credential param to specify an account like this:
Invoke-Command -ComputerName 'Server.Admin.6NLG-AD' -FilePath C:\Folder\myScript.ps1 -Credential Domain\Username

How to run w32tm in non-elevated powershell

I am writing a helper script that will go through a list of servers and verify they are in sync with the NTP. The script shall be run as a normal script on request by the facility operator and shall request for Admin credentials if the target is not in sync. We unfortunately cannot change the NTP configuration at the moment so we have to make workaround.
What I have right now (and it works beautifully if the script is run as administrator) is a command ("w32tm /query /status" of a remote computer) that is executed via "Invoke-Command" so I can pass it Admin credentials.
My idea was to avoid using WinRM since the hostname resolution is not working properly in our system (it requires some painful host-to-IP-and-back-to-proper-hostname resolution) which makes the WinRM useless.
The command w32tm can obtain status of a remote computer but it needs to be run as administrator for it.
In both cases (run as administrator and run as normal user and later providing the credentials) the $script is executed as domain\administrator (confirmed with the check of Admin role and the "WhoAmI" command) but the status is only obtained when the whole script is executed as administrator.
For the execution as normal user I receive the error:
The following error occurred: Access is denied. (0x80070005)
All machines I use obviously allow remote execution since it works with administrator user.
So basically my question is why is the "w32tm ..." command not allowed in the $script if the role of the user is appropriate (it is administrator role) for the task?
The part of the script which I can't resolve:
function synchronize_remote_machine ($target, $username, $cred)
{
$script = {
param( [String] $compName )
$user = [Security.Principal.WindowsIdentity]::GetCurrent();
$userIsAdmin = (New-Object Security.Principal.WindowsPrincipal $user).`
IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if (-not $userIsAdmin)
{
Write-Warning "You do not have Administrator rights to run this script!`n
Please re-run this script as an Administrator!"
}
else
{
whoAmI
w32tm /query /status /computer:$compName
#w32tm /resync /rediscover /computer:$compName
}
}
# resync via WinRM
try
{
#execute_resync_command $target $username $cred
if ($username -eq 'Administrator')
{
# when run as admin
invoke-command -ScriptBlock $script -ArgumentList $target;
}
else
{
# for normal user the initalized credential cals is used
invoke-command -computername "localhost" -Credential $cred -ScriptBlock $script -ArgumentList $target
}
}
catch
{
Write-Error "Error executing resync command on host $target."# -foregroundcolor "red"
throw
}
}
Rather than (re-)running the script with elevated privileges, I'd grant the operators group the SeSystemtimePrivilege on those servers. You can do that either with a group policy or by running ntrights.exe from the Server 2003 Resource Kit Tools on each server:
ntrights +r SeSystemtimePrivilege -u DOMAIN\operators
Even if you execute it as administrator, do to try to run you script in an elevated process ?
You can acheive that using Start-Process CmdLet.
start-process 'c:\system32\WindowsPowerShell\v1.0\powershell.exe' -verb runas -argumentlist "-file YourScript.ps1"

Difference between runas.exe and Start-Process -Credential

I am playing around with setting up some scripts on a vpn on a client's network. This client generally assigns an ActiveDirectory account on their network and use it to manage permissions (eg. to databases). Ok, that makes sense.
But here is something that confuses me:
start-process runas.exe "/user:CLIENTDOMAIN\George.Mauer /netonly W:\tools\LINQPad4\LINQPad.exe
queries for a password and runs just fine (and I can access the database)
But
Start-Process W:\tools\LINQPad4\LINQPad.exe -Credential (Get-Credential)
and entering CLIENTDOMAIN\George.Mauer and my password at the popup prompt always results in an error
Start-Process : This command cannot be run due to the error: The user name or password is incorrect.
Are these not the same thing? What's the difference between runas and -Credential? And a secondary question - how do I Start-Job with my CLIENTDOMAIN\George.Mauer credential?
/netonly runs the process as the current user and only network connections are made with the other credentials.
Start-Process will run the process (and all its network connections) with the other credentials. There's no way to achieve the /NETONLY functionality with Start-Process.
You'd have to p/invoke the Win32 API to achieve /NETONLY functionality. If you're up for the exercise this is the API you'll need to use LOGON_NETCREDENTIALS_ONLY with:
http://www.pinvoke.net/default.aspx/advapi32/createprocesswithlogonw.html
More resources:
example code with LOGON_NETCREDENTIALS_ONLY
CreateProcessWithTokenW function
To run a job as a different user:
Start-Job -ScriptBlock {whoami} -Credential (get-credential) | Wait-Job | Receive-Job