3


Okay, so this has been bugging me for a while and I have tried too many things now.

I'm trying to run a PowerShell script - my user account is a regular one on the domain, it is however local administrator on my computer. Therefore I've created a PowerShell script prompting me for credentials (where I type the credentials of my domain administrator account) to be used to invoke another script which needs this domain administrator elevation. This script looks like this:

Invoke-Command -FilePath "C:\Temp\script.ps1" -ComputerName localhost -Credential Get-Credential

Here the script.ps1 is the script which needs domain administrator elevation.
Executing the shown script results in a prompt for credential and then the following error:

[localhost] Connecting to remote server localhost failed with the following error message : Access is denied.

I've tried messing around with a .bat file looking like this:

SET ThisScriptsDirectory=%~dp0
SET PowerShellScriptPath=%ThisScriptsDirectory%script.ps1
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""%PowerShellScriptPath%""' -Verb RunAs}";

as well, but I can't make it work - it is not elevating the script to domain administrator level.
Lastly, however, I need to mention that the script I want to run with domain elevation works if I open PowerShell with the domain administrator elevation, navigate to C:\Temp\script.ps1 and execute it by .\script.ps1.

Any suggestions?

zniwalla
  • 367
  • 4
  • 17
  • if you're only trying to execute scripts on your local machine, why use invoke-command? You can just run the script and pass arguments to it in your powershell host. – Chris Kuperstein Apr 06 '16 at 14:34

4 Answers

2

One topic that helped me (I had a similar case) was the section "HOW TO ENABLE REMOTING FOR NON-ADMINISTRATIVE USERS" in About Remote Troubleshooting. Basically, it tells you to execute a PS command: Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI and grant execution permission to the user that you are trying to use.

1

If you have local administrative rights, run powershell as administrator and run Invoke-Command without the -Credential flag.

If you're only running the script locally, you don't need Invoke-Command. You're better off just running the script and passing arguments to it.

  • Local administrative rights is not enough, I need the rights of my domain admin. – zniwalla Apr 11 '16 at 06:32
  • add the domain admin to the local machine as a local admin, run powershell as other user (shift right click to get 'run as another user...' in the context menu), input the DA credentials then run your script. I do this on the regular at work with my multitude of administrative accounts for exchange, AD, and domain local-admin accounts. – Chris Kuperstein Apr 13 '16 at 23:46
  • Invoke-Command has an -AsJob parameter making it non-blocking, and some scripts may run on different systems, including localhost. – Brain2000 Jan 23 '19 at 22:08
1

Enable PSRemoting Service to Start Automatic

on both host and remote machines

Set-Service winrm -StartupType Automatic 
Start-Service winrm

Enable PSRemoting

On both host and remote machines

Enable-PSRemoting -Force

Add computers to Trusted Hosts

On Remote machine

Set-Item wsman:\localhost\Client\TrustedHosts -Value "$(hostname),*$((Get-WmiObject Win32_ComputerSystem).Domain)"

Enable Multi Hopping in Powershell Remoting

Identify which hosts to allow passing of Creds

Enable-WSManCredSSP -Role Client -DelegateComputer "$(hostname),*$((Get-WmiObject Win32_ComputerSystem).Domain)"

On the source machine.

Enable-WSManCredSSP -Role Server

You must specify Authentication and a Credential

on Host Machine

$Cred = [System.Management.Automation.PSCredential]::new("<username>",$("<Password>" | ConvertTo-SecureString -AsPlainText -Force))
invoke-command -ComputerName localhost -ScriptBlock {Write-Host $args[0]} -ArgumentList "Hello!, It Works" -Authentication Credssp -Credential $cred

REFERENCE

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_troubleshooting?view=powershell-6

user2850560
  • 101
  • 1
  • 2
  • 5
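
The following is an added example, not part of the answer above: it records the WinRM and CredSSP settings that the answer changes, delegates credentials to a single named host instead of a domain wildcard, prompts for the credential instead of embedding a plaintext password, and restores the previous CredSSP state afterwards. It assumes an elevated prompt on a domain-joined machine; `$Target` and the function name `Get-RemotingExposure` are hypothetical.

```powershell
# Added example: scoped, temporary CredSSP use with a before/after audit.
# Run from an elevated PowerShell prompt on a domain-joined machine.

# Hypothetical target: this machine's own FQDN (single host, no wildcard).
$Target = "$env:COMPUTERNAME.$((Get-CimInstance Win32_ComputerSystem).Domain)"

function Get-RemotingExposure {
    # Snapshot of the settings the answer's steps modify.
    [pscustomobject]@{
        WinRMStatus   = (Get-Service WinRM).Status
        TrustedHosts  = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        CredSSPClient = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        CredSSPServer = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    }
}

$before = Get-RemotingExposure
$before | Format-List

# A wildcard in TrustedHosts lets the client send credentials to any matching,
# unauthenticated host, so surface it.
if ($before.TrustedHosts -match '\*') {
    Write-Warning "TrustedHosts contains a wildcard: $($before.TrustedHosts)"
}

# Prompt for the domain administrator credential; nothing is stored in the script.
$cred = Get-Credential -Message 'Domain administrator account'

try {
    Enable-WSManCredSSP -Role Client -DelegateComputer $Target -Force | Out-Null
    Enable-WSManCredSSP -Role Server -Force | Out-Null

    # Script path taken from the question.
    Invoke-Command -ComputerName $Target -Authentication Credssp `
        -Credential $cred -FilePath 'C:\Temp\script.ps1'
}
finally {
    # Switch CredSSP back off only where it was off before this run.
    if ($before.CredSSPClient -ne 'true') { Disable-WSManCredSSP -Role Client }
    if ($before.CredSSPServer -ne 'true') { Disable-WSManCredSSP -Role Server }
    Get-RemotingExposure | Format-List
}
```

Comparing the two `Format-List` outputs shows whether the machine was left with more remoting exposure than it started with.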
0

Well, you are doing it wrong if I understand it correctly.

Credential you provided is used to access localhost (which you don't need BTW). Script is still executed unelevated. There are two solutions:

  • You need to elevate the powershell itself and execute the script.
  • You need to change the script so that it itself accepts Credential parameter and use it to access things. There isn't much more I can say about it until you show the script.

You can elevate shell with:

 start powershell -verb Runas

The problem here is that unless you disable UAC, it will prompt you. Unfortunately there is no easy way around this that I know. One sure way is to add the script to task scheduler and set the task to run elevated, then run it and delete the task. All of this can be automated ofc. This is a consequence of unfortunate design of UAC system (sudo on Linux that serves the same purpose will cache the response for some time so that subsequent commands do not prompt). This would go something like:

  schtasks /Create /TN runner ... /TR "powershell -File script.ps1" /RU username /RP password /RL HIGHEST
  schtasks /Run /TN runner
  schtasks /Delete /TN runner /F
majkinetor
  • 8,730
  • 9
  • 54
  • 72
  • I've tried your first solution - as mentioned - but I can't figure a way to automate that process. It needs to be elevated as domain admin, not local admin. The script is creating a user in the AD and modifying some other AD and Exchange stuff, which is a task reserved for the domain admins and not accessible for my local admin. – zniwalla Apr 11 '16 at 06:31
  • It is irrelevant if it's in domain or local. Just use `/RU domain\username`. Your script can also accept `-Credential` argument and you pass it with `Get-Credential`. Then, you either use `schtasks.exe` (you will have to extract the password) or newer TaskScheduler cmdlets (>= Win8) that accept credential. – majkinetor Apr 11 '16 at 06:51
  • Okay, tried it out doing this: `schtasks /Create /TN createUser /TR "powershell -File script.ps1" /RU domain\user /RP /RL HIGHEST /SC MONTHLY` but it doesn't seem to execute the script. The cmd outputs this when I run the task: `SUCCESS: Attempted to run the scheduled task "createUser".` – zniwalla Apr 11 '16 at 14:13
  • You have to run the script, that only creates a job. Use `SCHTASKS /Run /TN createUser` afterwards or use Task Scheduler to test it (right click -> run). – majkinetor Apr 11 '16 at 16:11
  • That's what I've done - that's where the CMD outputs that message. – zniwalla Apr 12 '16 at 08:25
  • Scheduled Tasks can sometimes be a little tricky to set up. That approach will certainly work - I have it on number of production systems. I can't help you further, you will have to debug the script to see where it fails and if it actually starts. Usual problems are invalid starting directory, desktop interaction and credentials. Good idea is to use `Start-Transcript` or log every line to a file and see where it fails when executed from Scheduled Task context. – majkinetor Apr 12 '16 at 09:11
  • It doesn't start at all - nothing is written to the transcript. There is however output in the transcript when I run the script in the domain administrator elevated PowerShell. – zniwalla Apr 13 '16 at 09:06
  • Try to tweak it by hand using Task Scheduler. – majkinetor Apr 13 '16 at 10:38
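
The scheduled-task approach from this answer, written with the ScheduledTasks cmdlets mentioned in the comments, as an added example that is not part of the original thread. It uses an absolute script path, an explicit working directory and a transcript, reads back the task's last result code, and always removes the task. It assumes Windows 8 / Server 2012 or later, an elevated prompt, and an account that is allowed to log on as a batch job on this machine; `$LogPath` is a hypothetical location.

```powershell
# Added example: create, run, inspect and remove a one-off elevated task.
$TaskName   = 'runner'                          # task name used in the answer
$ScriptPath = 'C:\Temp\script.ps1'              # script path from the question
$LogPath    = 'C:\Temp\runner-transcript.txt'   # hypothetical transcript file

# Prompt for the account the task runs as (domain\user); not stored in the script.
$cred = Get-Credential -Message 'Account the task should run as'

# Absolute paths avoid depending on the task's starting directory; the
# transcript shows whether the script started at all.
$psArgs = "-NoProfile -ExecutionPolicy Bypass -Command " +
          "`"Start-Transcript -Path '$LogPath'; & '$ScriptPath'; Stop-Transcript`""
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $psArgs `
              -WorkingDirectory (Split-Path $ScriptPath)

try {
    # No trigger: the task exists only to be started on demand below.
    Register-ScheduledTask -TaskName $TaskName -Action $action -RunLevel Highest `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password |
        Out-Null

    Start-ScheduledTask -TaskName $TaskName

    # Wait until the task is no longer queued or running.
    do {
        Start-Sleep -Seconds 2
        $state = (Get-ScheduledTask -TaskName $TaskName).State
    } while ($state -in 'Queued', 'Running')

    # LastTaskResult is the exit code of the action; 0 means success.
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    '{0}: last run {1}, result 0x{2:X}' -f $TaskName, $info.LastRunTime, $info.LastTaskResult
}
finally {
    # Remove the task, and with it the stored credential, even on failure.
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
}
```

If the result code is non-zero and the transcript file was never created, the action did not start under the supplied account, which narrows the problem to the credential or logon rights rather than the script itself.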