
I would like to know exactly what the difference is between an administrator account and a user with administrator privileges. I ask you this because when I run a script by GPO as Administrator, the script works, but when I run the GPO with a domain user account that has administrator privileges, the script does not run.

Here is the script with the administrator account:

$username = 'labo\Administrator'
$password = 'Qzerty13.'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword

$Command =
{
    if ((Get-Tpm).TpmPresent -eq $True)      # test if a TPM chip is present
    {
        Write-Host "Puce tpm présente"
        if ((Get-Tpm).TpmReady -eq $True)    # test if the TPM chip is ready
        {
            Write-Host "Puce tpm prête"
            if ((Get-BitLockerVolume -MountPoint $env:SystemDrive).VolumeStatus -eq "FullyDecrypted")   # test that the disk is not encrypted
            {
                Write-Host "Unencrypted disk"
                Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector
                Enable-BitLocker -MountPoint $env:SystemDrive -RecoveryPasswordProtector -SkipHardwareTest
                Write-Host "Disk Encryption with TPM"
            }
        }
    }
}

# -ExecutionPolicy must come before -Command: powershell.exe treats everything after -Command as the command text
Start-Process powershell.exe -Credential $credential -ArgumentList "-NoExit -ExecutionPolicy Bypass -Command & {$($Command -replace '"', '\"')}"

When I run this script through a GPO, it works, but when I change the admin account to a user account that has admin privileges, it doesn’t start.

Here is the error message when I run the script with a user account that has administration privileges:

Start-Process : Impossible d’exécuter cette commande en raison de l’erreur : Nom de répertoire non valide.
Au caractère C:\Users\testeur\Desktop\tpm 30_05_2022.ps1:26 : 3
+   Start-Process powershell.exe -Credential $Credential -ArgumentList  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation : (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

Can you enlighten me on that, please? My best regards, Nordine
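The launch the question describes, reworked as an added example (this is not the asker's script and not something from the thread). It assumes the labo domain and the TPM/BitLocker scriptblock from the question; the password is a placeholder. Three things in the original invocation are changed: the scriptblock is passed with -EncodedCommand instead of hand-escaped quotes, -ExecutionPolicy is placed before the command switch, and -WorkingDirectory is set explicitly, because Start-Process -Credential creates the child with the target account's own token and, when that token cannot open the inherited current directory (C:\Users\testeur\Desktop in the error above), process creation fails with exactly "The directory name is invalid" (Nom de répertoire non valide).

```powershell
# Added example, not the asker's script. Assumptions: the 'labo' domain and the
# TPM/BitLocker logic from the question; the password value is a placeholder.

$username = 'labo\Administrator'
$password = '<PASSWORD-PLACEHOLDER>'   # a literal password in a GPO script is readable by every account that can read SYSVOL
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)

$Command = {
    # Same checks as the question: TPM present and ready, OS volume still decrypted.
    $tpm = Get-Tpm
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        $volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
        if ($volume.VolumeStatus -eq 'FullyDecrypted') {
            Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector
            Enable-BitLocker -MountPoint $env:SystemDrive -RecoveryPasswordProtector -SkipHardwareTest
        }
    }
}

# Change 1: -EncodedCommand takes the scriptblock body as UTF-16LE base64, so
# no quote escaping is needed (the original spliced the text into a string).
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command.ToString()))

# Change 2: powershell.exe treats everything after -Command / -EncodedCommand
# as the command, so -ExecutionPolicy has to come before it.
$childArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-EncodedCommand', $encoded)

# Change 3: an explicit working directory that every account can read.
# Without it the child inherits the caller's current directory; if the target
# account's token cannot open that directory, CreateProcessWithLogonW fails
# with "The directory name is invalid".
$startArgs = @{
    FilePath         = 'powershell.exe'
    Credential       = $credential
    WorkingDirectory = $env:SystemRoot
    ArgumentList     = $childArgs
    Wait             = $true
}
Start-Process @startArgs
```

This removes the launch error, but not the second problem behind the question. By default UAC's Admin Approval Mode does not filter the token of the built-in Administrator account (RID 500), so a process created under those credentials carries the full administrator token; a process created the same way for any other member of Administrators gets the filtered, standard-user token, and the BitLocker cmdlets then fail for lack of elevation. Start-Process cannot elevate that child, since -Credential and -Verb RunAs belong to different parameter sets. A computer startup script in the GPO, which runs as LocalSystem, has the elevated token already and needs no stored credential at all.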

1 Answer


Try adding the RunAs option to your Start-Process

Start-Process powershell.exe -Verb RunAs -ArgumentList "-NoExit -ExecutionPolicy Bypass -Command & {$($Command -replace '"', '\"')}"
  • Thanks for your answer. I just did the test and it didn’t work; it gave this error message: Start-Process : The parameter set cannot be solved using the specified named parameters Au caractère C:\Users\testeur\Desktop\tpm 30_05_2022.ps1:26 : 3 + Start-Process powershell.exe -Credential $Credential -Verb RunAs -A ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument : (:) [Start-Process], ParameterBindingException + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.PowerShell.Commands.StartProcessCommand – Nordine May 30 '22 at 12:58
  • My bad, remove the `-Credential $Credential` from the command – jack_skellington May 31 '22 at 08:20
  • In doing so, it shows me a pop up that asks me to enter the username and password of the user and that’s not what I want, since I intend to deploy this GPO to several users without them having to enter anything and also can you explain to me the difference between an administrator account and a user account that has administrator privileges please ? – Nordine May 31 '22 at 10:03
  • The difference between admin and user-with-admin-privileges is shown by SIDs (https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) – jack_skellington May 31 '22 at 10:07
  • have you considered running the script as Admin from the GPO side? https://serverfault.com/questions/967045/start-gpo-script-as-administrator – jack_skellington May 31 '22 at 10:12
  • Yes, I had already considered running the script as administrator on the GPO side but the problem is that when I log on to a user machine, the script does not launch, because when I log on as administrator, then my script works but that’s not the way I should do it since users are not allowed to have the admin account – Nordine May 31 '22 at 10:30
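The SID distinction raised in the comments, as an added example that is not part of the thread. It reports, for the account running the current PowerShell session, the three properties the question conflates: whether the account is the built-in Administrator (the SID with RID 500), whether the BUILTIN\Administrators group (S-1-5-32-544) is in the token and with which attributes, and whether that group is actually enabled, i.e. the token is elevated. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with whoami.exe available; the function name is my own.

```powershell
# Added example, not from the thread. Assumptions: Windows PowerShell 5.1 or
# PowerShell 7 on Windows; whoami.exe present (it ships with Windows).

function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

    # Well-known SIDs (see the Microsoft page linked in the comments): the
    # BUILTIN\Administrators group is S-1-5-32-544; the built-in Administrator
    # account of a machine or domain is the one whose SID ends in RID 500.
    $adminsGroupSid = 'S-1-5-32-544'
    $isBuiltinAdministrator = $identity.User.Value -like '*-500'

    # whoami /groups lists every group SID in the token with its attributes,
    # including groups UAC has marked "used for deny only". /nh drops the
    # localized header row; the column order is fixed, so names are supplied.
    $tokenGroups = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $adminsRow   = $tokenGroups | Where-Object SID -eq $adminsGroupSid

    # IsInRole() is true only when the Administrators SID is *enabled* in the
    # token, i.e. the process is elevated or UAC does not filter this account.
    $elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User                       = $identity.Name
        UserSid                    = $identity.User.Value
        IsBuiltinAdministrator     = $isBuiltinAdministrator
        AdministratorsGroupInToken = [bool]$adminsRow
        AdministratorsAttributes   = if ($adminsRow) { $adminsRow.Attributes } else { '(not in token)' }
        TokenIsElevated            = $elevated
    }
}

Get-TokenSummary | Format-List
```

Run inside a child started with Start-Process -Credential, the two accounts from the question differ only in the last rows: for labo\Administrator, IsBuiltinAdministrator and TokenIsElevated are both true, because UAC does not apply Admin Approval Mode to the RID-500 account by default; for a domain user that is merely a member of Administrators, AdministratorsGroupInToken is true but the attributes column reads as a deny-only group and TokenIsElevated is false, which is why that process can neither open another user's profile folder nor run the BitLocker cmdlets. Since -Credential and -Verb RunAs are mutually exclusive parameter sets (the AmbiguousParameterSet error above), there is no way to elevate that child from the logon script itself.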