In my company I used to code on one of our domain controllers (DCs) with Windows Server 2012. However since I can not do it there anymore, I am now forced to code on my workstation using my normal user account instead of my domain administrator account.
The problem I encountered now was that when I run PowerShell as administrator I can use "Set-ExecutionPolicy unrestricted", but I don't have full access to our DFS filesystem since I am not the domain administrator with this account.
When I start PowerShell as the domain administrator I can not set the execution policy since I didn't run PowerShell as administrator.
How can I run PowerShell as administrator and domain administrator?
Related
IT admin here, First Question on this site. Online I found a simple Powershell script that manually creates a System Restore Point on a user's PC. I want to deploy this to all company computers via a GPO scheduled task. Script as follows:
Checkpoint-Computer -Description 'System Restore Point' -RestorePointType modify_settings
Script work perfectly fine. Issue is that powershell needs to run as an admin. In scheduled task menu, the option to run with highest privileges only works if the user is a local admin. For security reasons at our company, it will not be possible to grant user's local admin access.
My question, is there some simple commands I can add that will elevate powershell to have admin privileges? Also, have to make sure that the user will not be prompted, and that the rest of the command will still execute. I do not mind having to store username or admin passwords in the script itself as the users will not see the script. I appreciate any suggestions, but only if it is fairly simply to execute. Keep in mind, I am not a programmer, I am a Cisco network engineer as well as a Windows Server admin. My boss just wants me to create manual restore points on a set schedule and I think powershell might be the best. Open to other script types though.
There are 2 parts to your question. The first part is about how to run a scheduled task as a specific user with elevated rights. I don't think it's correct that it's only possible to do so with a local admin account, but that's off-topic for this site. Consider posting that separately on ServerFault (if you do and link it, I will take a look).
The second part concerns embedding credentials into the script.
This is typically a bad idea. Saying that the user "won't" see it is not the same as saying they can't see it. If they can see it, the credential is compromised and essentially that user now can trivially have elevated rights.
So you would need to secure the script file well enough so that the unprivileged user cannot read the file.
Encrypted Credentials
PowerShell also has a [PSCredential] object which stores the password as a secure string. It is possible to store and retrieve an encrypted version of this object.
For example:
$cred = Get-Credential
$cred | Export-CliXml -Path C:\my\cred.xml
The XML file will contain the credential but it will be encrypted. It can only be decrypted by the same user on the same machine that encrypted it to begin with.
This could be a way for you to use a credential if needed. But to be honest it probably isn't.
How I would do this
Run your scheduled task as SYSTEM.
It should be privileged enough to take a restore point
It's local
It's easy to set a scheduled task to run as SYSTEM even through GPO
It requires no password handling
I tried manually creating a local user account in a windows xp when logged in as a user whose is a member of Power Users group. The user got created.
But when i tried creating the user remotely through invoke -command passing the credentials of the user who is a Power Users gives the following exception :
Connecting to remote server failed with the following error message :
Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
With the default PowerShell session configurations, only users who are member of the local Administrators security group can establish PowerShell Remoting sessions.
If you want a member of the Power Users security group to be able to connect to a PowerShell Remoting session, you will have to create a custom PowerShell session configuration, or modify one of the built-in ones.
Scenario:
Normally, I would use remote desktop, log on to my server, launch the Powershell window as Administrator and perform the import-module and subsequent commands to get the information I'm looking for. When I log on using remote desktop, I don't log on as Administrator, but I do log on as a user that belongs to the Administrators group. (I don't have the Admin creds.)
Question:
I can easily create a session using New-PSSession. I can enter this session using Enter-PSSession. After I've entered the session, I import the module I need to use. After I import the module, I attempt to run a command from that module. I do get some output, but I also get "[Get-WmiObject], UnauthorizedAccessException". I do not get this error when I log on to the server with remote desktop and launch the powershell window as Administrator. Is there a way I can do this with a PSSession?
I met such a problem and it was due to the Forwarding of credentials in multihop environments.
Using New-PSSession you only have a network token on the second computer, you can’t directly connect to another computer.
The interactive token, I mean what you get when you sit down in front of a PC and log on (or using TS) is required to automatically connect to another computer, and to create an interactive token, the user’scredentials are needed.
To accomplish the interactive credential forwarding magic, PowerShell uses a mechanism called CredSSP (Credential Security Service Provider).
CredSSP need to be allowed on both side. You have to run these commands from an elevated PowerShell
session.
To allow CredSSP on the client side run :
Enable-WSManCredSSP -Role client -DelegateComputer computername
To allow CredSSP on the server side run :
Enable-WSManCredSSP -Role server
You've got a good explanation in Chapter 13. Remoting: configuring applications and services
We have a SQL server (Name: SQL) that launches an SSIS job with proxy credentials (a service account), consisting of multiple steps.
One of these steps require files to be put in a local folder on a remote machine (Name: VM) and execute a program that securely copies these files to a service on the net. I have successfully ran both PowerShell and WinRM commands to do this (as administrator), but I need to find a way to run them without being an admin on SQL.
All of these steps work fine, when the service account is a local administrator of both SQL and VM. However, we do not want the service account to be a local admin on SQL.
The command I run is:
Invoke-Command -ComputerName vm.fqdn -ScriptBlock {E:\Share\ThirdParty\FTP_Admin\FtpUpload.bat}
I found a google post suggesting I need to give access to the root/CIIV2 namespace. I gave the service account full control and restarted the WinRM service.
When it fails (NOT running as administrator), the security log gets populated with 4656 event ID's.
Any idea what I can try? Been stumped on this for a while.
Here is the link on the Microsoft technet forums:
http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/70a5a870-b911-4b1a-9c68-e7d91142e511
Long story short - ensure the server has been patched to post SP1 (Server 2008 R2) at least if you are running into these problems.
By default, only administrators have access to the (default) runspace you are connecting to:
On the vm.fqdn, try running:
set-pssessionconfiguration -Name microsoft.powershell -ShowSecurityDescriptorUI
and grant full control to the service account. Restart the WinRM service (just confirm when asked).
I want to control thinreg.exe util via powershell script. This util is used for registering vmware thinapp packages on the system(it creates shorcuts and add registry entries under HKCU hive.)
If I run my ps script as admin then also thinreg runs under admin account and register app to the admin.
So it is possible to get user credentials from AD and use them to run PS script or just thinreg util ?
I'm domain admin and other users are domain users. AD is win 2008r2 and client OSes are winXP sp3.
Thank you very much.
EDIT
Is it possible to install windows service via login script so that would run under logged user account ?
Via this service I could then control thinreg.exe util
I would try two ways.
Add the powershell script run once during the logon script of the user
If user are using roming profiles, try to modify their profiles when they are logged off.
If you want to be more "interactive", and do it as the user is log in, you can try to play with PSTOOLS you can have a look to this post to have an example how to call your powershell script from PSTOOLS.