Is it possible to elevate the permissions of a powershell script so a user without admin privileges can run the script? Our network admins are trying to find more time-efficient ways to accomplish certain tasks that right now they have to use remote desktop for...automating them with PS scripts would help, but the users don't have admin rights.
-
3Belongs on Server Fault.Richard– Richard2009-05-27 13:03:23 +00:00Commented May 27, 2009 at 13:03
-
See SF@ serverfault.com/questions/12985/elevated-powershell-scriptRichard– Richard2009-05-27 15:13:12 +00:00Commented May 27, 2009 at 15:13
-
2yea, if you look at the user that posted that question...you will see that it was me. I posted it there cuz you were trying to get my question here booted...user35288– user352882009-05-28 20:18:32 +00:00Commented May 28, 2009 at 20:18
Add a comment
|
5 Answers
The task is more like setuid than sudo ... and thankfully, setuid is possible: you can simply create a scheduled task (without a set schedule), and set it to run elevated. Then, give your users rights to execute that task. I outlined the process in a blog post awhile ago along with a PowerShell script to help create the tasks and shortcuts to run them.
The problem (as JaredPar suggested) is that you have to make sure that the apps which you have scheduled to run elevated or "as administrator" are protected, and this is especially true if you will run a script. Make sure noone but the administrator(s) can edit or replace that script, or you're giving away the proverbial keys to the kingdom.
2 Comments
Mr. Annoyed
Dead link. Internet Archive Activate! web.archive.org/web/20110821152558/http://huddledmasses.org/…
if you are using V2, you can use the following which is up on the PowerShell Team Blog
Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList '-command "Get-Process"'
This would run "Get-Process" as administrator.
If you don't have V2, you could create a StartInfo object and set the Verb to Runas like this.
function Start-Proc {
param ([string]$exe = $(Throw "An executable must be specified"),[string]$arguments)
# Build Startinfo and set options according to parameters
$startinfo = new-object System.Diagnostics.ProcessStartInfo
$startinfo.FileName = $exe
$startinfo.Arguments = $arguments
$startinfo.verb = "RunAs"
$process = [System.Diagnostics.Process]::Start($startinfo)
}
I have a blog post that talks a bit more about using a System.Diagnostics.ProcessStartInfo object.
2 Comments
Jaykul
That doesn't help if the users aren't administrators ;)
Andy Schneider
Fair enough. I glanced over the question a bit too fast
The Powershell Community Extensions include a cmdlet for this, alias 'su'. http://www.codeplex.com/Pscx
Comments
It sounds like you are looking for a sudo equivalent in windows. Sudo is not inherent to Windows as it is to most Unix style environments. But there are several tools available that are close equivalents.
Be wary when using these types of tools though. An unhardened script + sudo is a security risk.
Comments
first choco install pscx via http://chocolatey.org/ (you may have to restart your shell environment)
then enable psxc
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser #allows scripts to run from the interwebs, such as pcsx
Then use Invoke-Elevated
Invoke-Elevated {Add-PathVariable $args[0] -Target Machine} -ArgumentList $MY_NEW_DIR
