vsanchez12514
vsanchez12514

Reputation: 21

Run Powershell remotely as Admin

IT admin here, First Question on this site. Online I found a simple Powershell script that manually creates a System Restore Point on a user's PC. I want to deploy this to all company computers via a GPO scheduled task. Script as follows:

Checkpoint-Computer -Description 'System Restore Point' -RestorePointType modify_settings

Script work perfectly fine. Issue is that powershell needs to run as an admin. In scheduled task menu, the option to run with highest privileges only works if the user is a local admin. For security reasons at our company, it will not be possible to grant user's local admin access.

My question, is there some simple commands I can add that will elevate powershell to have admin privileges? Also, have to make sure that the user will not be prompted, and that the rest of the command will still execute. I do not mind having to store username or admin passwords in the script itself as the users will not see the script. I appreciate any suggestions, but only if it is fairly simply to execute. Keep in mind, I am not a programmer, I am a Cisco network engineer as well as a Windows Server admin. My boss just wants me to create manual restore points on a set schedule and I think powershell might be the best. Open to other script types though.

Upvotes: 2

Views: 1226

Answers (1)

briantist
briantist

Reputation: 47862

There are 2 parts to your question. The first part is about how to run a scheduled task as a specific user with elevated rights. I don't think it's correct that it's only possible to do so with a local admin account, but that's off-topic for this site. Consider posting that separately on ServerFault (if you do and link it, I will take a look).

The second part concerns embedding credentials into the script.

This is typically a bad idea. Saying that the user "won't" see it is not the same as saying they can't see it. If they can see it, the credential is compromised and essentially that user now can trivially have elevated rights.

So you would need to secure the script file well enough so that the unprivileged user cannot read the file.

Encrypted Credentials

PowerShell also has a [PSCredential] object which stores the password as a secure string. It is possible to store and retrieve an encrypted version of this object.

For example:

$cred = Get-Credential
$cred | Export-CliXml -Path C:\my\cred.xml

The XML file will contain the credential but it will be encrypted. It can only be decrypted by the same user on the same machine that encrypted it to begin with.

This could be a way for you to use a credential if needed. But to be honest it probably isn't.

How I would do this

Run your scheduled task as SYSTEM.

  • It should be privileged enough to take a restore point
  • It's local
  • It's easy to set a scheduled task to run as SYSTEM even through GPO
  • It requires no password handling

Upvotes: 1

Related Questions