
Script_A.ps1 on Server A:

Invoke-Command -ComputerName Server_B -ScriptBlock {
     Set-Location "C:\Path"
     .\Script_B.ps1
}

The Script "Script_B.ps1":

Set-Location "C:\Path"
.\Script_C.ps1 -Verb RunAs -Force

Script_C needs elevated permissions to execute. I can edit Script_A and Script_B but NOT Script_C.

My Problem is if I execute Script_A there is the error on Script_C:

Access Denied
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Script_C.ps1
    + PSComputerName        : Server_B

Note: Script_C can execute, but it checks whether it was started in elevated mode, and if it was not, it gives me the Access Denied error. What am I missing that would make it work?

cosmo_
  • Remote scripts run as admin anyway without runas. – js2010 Jan 23 '23 at 14:53
  • It is also not working without the -verb runas – cosmo_ Jan 23 '23 at 15:07
  • You need to start PS by right clicking and select Run As Admin. To run script on remote machine As Admin you replace the colon in the file name with a dollar sign. – jdweng Jan 23 '23 at 15:47
  • @jdweng, unless you're targeting the very same machine with remoting (which only makes sense for testing), you do _not_ need to elevate a session _locally_ in order to run remote commands with elevation. Re "replace the colon in the file name with a dollar sign": UNC paths to administrative shares (e.g. ``\\server1\C$``) are _not_ needed when running in a remote session - such sessions see their local file system as usual. – mklement0 Jan 23 '23 at 17:31

1 Answer

  • The only way to get a remote PowerShell session to execute elevated (with admin privileges) is to connect with a user account (either implicitly or via -Credential) that has administrative privileges (also) on the target machine.

  • With such an account, the session automatically and invariably runs elevated.

    • Conversely, you can not request elevation from inside a remote session - there is no way to present a UAC dialog.

In other words, you need to ensure the following:

  • With respect to your Invoke-Command call:

    • either: make the call from a user account that has administrative privileges (also) on the target computer(s)

    • or: explicitly specify the credentials of such a user via the -Credential parameter.

    • If neither is an option for you, you're out of luck; you'll need to ask an administrator to make the call for you ad hoc.

  • That said, even if your remote command does run with elevation, there's a common problem when that command tries to access network resources (shares):

    • This is the infamous double-hop problem, discussed in the docs here, along with solution options.
mklement0
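
A version of Script_A that follows the answer above, added here as an example and not code from the question or the answer: it connects with explicitly supplied credentials and confirms that the remote session holds administrative rights before it starts Script_B. Server_B, C:\Path and Script_B.ps1 are the question's placeholders; the account entered at the prompt is assumed to be an administrator on Server_B.

```powershell
# Added example. Server_B, C:\Path and Script_B.ps1 are the question's placeholders.
# Assumption: the account entered here is a member of Administrators on Server_B.
$cred = Get-Credential -Message 'Account with administrative rights on Server_B'

Invoke-Command -ComputerName Server_B -Credential $cred -ScriptBlock {
    # Inspect the token the remote session actually received.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $isAdmin   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Emit one record per run so the caller can log who ran what, and where.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        User     = $identity.Name
        IsAdmin  = $isAdmin
    }

    if (-not $isAdmin) {
        # No UAC prompt can be shown in a remote session, so stop here with a
        # clear message instead of letting Script_C fail with "Access Denied".
        throw "Session on $env:COMPUTERNAME runs as $($identity.Name) without administrative rights."
    }

    Set-Location 'C:\Path'
    .\Script_B.ps1
}
```

`-Verb RunAs` is a parameter of `Start-Process`; written after `.\Script_C.ps1` in Script_B it is only passed to Script_C as arguments and does not request elevation.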