RunAs or Other Elevation Methods

[ViciousXUSMC]

Just curious, if you have a task that needs administrator rights to work but the user executing the script is only a user what kind of tricks/tips have we collectively gathered to make this happen?

I know we have RunAs() this would work well except the part I do not like is its not to run the current script, its to run another program.  Is there a creative way to have it self reference the script that contains it?

We have a few other UDF's out there for like Run as System, Install as Service, but they are pretty old and complicated so seems like it may be prone to error on newer OS or in various environments.

My ultimate goal would be being able to use a domain admin account but not have the credentials in plain text in the script (does not need to be super complicated, a simple regread() with one of our Crypt() functions would probably be more than enough in my case.  So that I can have users run a script off the desktop or at startup to do tasks they would be blocked from due to user level permissions.

[AutoBert]

 

My ultimate goal would be being able to use a domain admin account but not have the credentials in plain text in the script (does not need to be super complicated, a simple regread() with one of our Crypt() functions would probably be more than enough in my case.  So that I can have users run a script off the desktop or at startup to do tasks they would be blocked from due to user level permissions.

Just make a smal Gui whith 2 Input's one for the Adminaccount and the other for the password,

[JohnOne]

Depends what your environment is.

There will be many ways to tackle this.

[ViciousXUSMC]

@AutoBert that will not work the users are running the script and or the script will run at login

I need them to have admin privileges for limited tasks, they will never know the admin credentials, that is why RegRead() would be used to pull them down, and I can push that registry key via AD easily to change it as needed.  Users also have no rights to open RegEdit or CMD so it would be very hard for them to find the key even if they knew it was there, and if they did it would still be encrypted

My best idea for now is to push these kind of jobs in twos, one compiled .exe for the actual work, and another for the RunAs that will call the Admin Account to run.

I would be interested in some of your ideas JohnOne.

For the most part I can run anything as System because I have the Dell K1000 to push scripts and they run as System but for dynamic on the fly breakfix kind of stuff for these guys working Fire Trucks and Ambulances I want to give them the ability to self fix certain things that they do not have rights for.

Edited October 22, 2015 by ViciousXUSMC

[AutoBert]

@AutoBert that will not work the users are running the script and or the script will run at login

My best idea for now is to push these kind of jobs in twos, one compiled .exe for the actual work, and another for the RunAs that will call the Admin Account to run.

Yes and so you must know a Password of an User with Adminprivileges. My best idea is to give the user's correct privileges, so they can do what they have to do or all this jobs must be done by a Admin

[JohnOne]

I would create a script that executes another script on admin PC and returns the data needed, or even just a request for the admin PC to execute the script.

That way, no passwords ever touch user PC in script compiled or not.