1

I use bat + Powershell script to reboot a domain computer. I do not want to use domain admin but local user with admin privileges.

bat file:
PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Unrestricted -File ""d:\public\Reboot Computer\Reboot.ps1""' -Verb RunAs}";

Powershell Reboot.ps1:
Restart-Computer -ComputerName (Read-Host "ComputerName") -Credential (Get-Credential) -Force

I run bat as administrator, then enter computer name comp002, as credentials I use local user which are in administrators group comp002\admuser and password script is executed but computer is not rebooting.

Maybe the problem is related to windows firewall (WMI are allowed)?

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
zuku
  • 61
  • 1
  • 7
  • its the bat file you need to modify. I changed "&" and see the latest edit above. did few modification. pls note your bat file and the ps script must be both in one place – Aravinda Mar 02 '20 at 08:40
  • tried with the lastest edit below? – Aravinda Mar 02 '20 at 22:01

3 Answers3

0

You can use PsExec (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec)

psexec \\comp002 -u comp002\admuser shutdown /r /t 0

Virsacer
  • 648
  • 4
  • 14
0

bat file:

PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Unrestricted -File ""d:\public\Reboot Computer\Reboot.ps1""' -Verb RunAs}";

I tried below one, instead of your above code in my bat file. Simply I created a bat file using below and called "Reboot.ps1" using that.(used same PowerShell script in your answer) Content of the bat file

PowerShell.exe -executionpolicy Unrestricted -file "%~dp0Reboot.ps1"

content of the ps script (Reboot.ps1)

Restart-Computer -ComputerName (Read-Host "ComputerName") -Credential (Get-Credential) -Force

Both bat file and ps script must be in the same directory. It works with no issue. no WMI nor firewall settings modified. I could successfully restart a remote server with remote credentials. (local user which are in administrators group as you said)

Community
  • 1
Aravinda
  • 1,101
  • 5
  • 12
  • 30
  • This is what I get using your ps1 file: `D:\public\Skrypty\Reboot Computer\1\Reboot.ps1'" At line:1 char:31 + -executionpolicy Unrestricted & 'D:\public\Skrypty\Reboot Computer\1\ ... + ~ The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampe rsand in double quotation marks ("&") to pass it as part of a string. + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException + FullyQualifiedErrorId : AmpersandNotAllowed ` – zuku Mar 02 '20 at 07:58
  • its the bat file you need to modify. I changed "&" and see the latest edit above. did few modification. pls note your bat file and the ps script must be both in one place. – Aravinda Mar 02 '20 at 08:15
  • I would that .bat and .ps1 be in the same folder – zuku Mar 02 '20 at 09:18
  • tried with the lastest edit above ? – Aravinda Mar 02 '20 at 09:33
  • Yes, the scripts are executing but still use local credentials in domain environment to reboot PC, I get an error access denied: `Restart-Computer : Failed to restart the computer comp02 with the following error message: Odmowa dostępu. . At D:\public\Reboot.ps1:1 char:1 + Restart-Computer -ComputerName (Read-Host "ComputerName") -Credential ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OperationStopped: (ukt096:String) [Restart-Computer], InvalidOperationException + FullyQualifiedErrorId : RestartcomputerFailed,M ` – zuku Mar 04 '20 at 07:36
  • Should be a problem with credentials or privileges associate with that user. – Aravinda Mar 04 '20 at 22:47
  • User can be locked, disabled or wrong credentials . Or the format is not ok. Or user may not have prprivileges to restart. – Aravinda Mar 04 '20 at 22:53
  • User is in local administrator group so it has full local privileges. To be sure I logged locally as that user and I'm successfully logged in, so password is correct. I cannot use anywhere in my domain environment local admins accounts. As I read on Microsoft technet forums local credentials are not working on domain authentication process because Kerberos do not allow this. – zuku Mar 06 '20 at 10:50
0

Try by running Invoke-command -computername (gc computers.txt) -scriptblok {Restrt-computer -Force} This worked for me where the method you tried produced invalid_operation_exception access denied.

user299119
  • 11
  • 1