PowerShell console - what user credentials do I really have?

This topic contains 1 reply, has 2 voices, and was last updated by Jack Neff 1 year, 10 months ago.

  • #22390
    Jeffrey Wagar
    Participant

    I log into my Windows 8.1 desktop using the built-in Domain Administrator account (which belongs to the local Administrators account) then click on "Windows PowerShell". Typing "whoami.exe" at the console prompt, it replies "MyDomain\Administrator." I did not pick "Run As Administrator" so am I limited to Standard User permissions or will my Windows login account [MyDomain\Administrator] override that limitation and let me execute commands that require elevated privileges? If I do indeed open PowerShell with "Run As Administrator" and execute "whoami" in the console, it also gives the same answer, my underlying Windows user session credentials, namely "MyDomain\Administrator".

    Next, I wish to execute Enable-PSRemoting on a target remote computer. Since I am logged in to my desktop Windows session with the built-in Domain Administrator account credentials, and those credentials automatically belong to the local Administrator's group on every domain computer, my current PowerShell session should have sufficient permissions to execute that cmdlet from a New-CimSession on every remote domain computer. Or must I use the New-PSSession -Credential parameter and specify the Domain Administrator credentials explicitly?

  • #22394
    Jack Neff
    Participant

    In 8.1 the UAC requires that you invoke the administrator access token even when you are logged into the machine as an administrator. It's a security feature and can be disabled, but I wouldn't recommend it. If you find that you accidentally opened a non-admin shell and need to elevate, simply type this command:

    Start-Process powershell -verb runas

    Unfortunately, you're caught in a catch-22 when trying to Enable-PSRemoting on a remote machine with CIM or New-PSSession because both commands require the WSMAN service to already be running. The preferred method is to enable the service via Group Policy. However, if you're not a domain admin and do not control GP but still have full admin rights on the workstations, I have found using PSEXEC works well. I wrote this function a while back that has worked well for me, but if anyone else has a better technique without using third-party tools I would be interested to learn it.

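    function Enable-WinRM {
        [CmdletBinding()]
        param([Parameter(Mandatory=$true,ValueFromPipeline=$true)][string[]]$Computername)

        # The process block runs once per pipeline item; without it only the last piped name is handled.
        process {
            foreach ($c in $Computername){
                # Run "winrm quickconfig" on the remote machine as SYSTEM (-s) via PsExec, discarding its output.
                & c:\pstools\psexec.exe \\$c -s c:\windows\system32\winrm.cmd quickconfig -quiet 2>&1>$null
            }
        }
    }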
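
Added example, not part of either post: because whoami prints the same account name in an elevated and a non-elevated console, this function inspects the access token instead and reports which one the current shell holds. The function name Get-SessionTokenInfo and its output property names are hypothetical; it assumes PowerShell 3.0 or later and whoami.exe on the path.

```powershell
function Get-SessionTokenInfo {
    [CmdletBinding()]
    param()

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole is true only when BUILTIN\Administrators is enabled in this token.
    # In the UAC-filtered token the group is present but deny-only, so this is false.
    $isElevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # /nh drops the (localized) header row, so supply our own column names.
    $groups = & whoami.exe /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes

    # BUILTIN\Administrators is S-1-5-32-544; integrity labels are S-1-16-<level>.
    $adminListed = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } |
        Select-Object -First 1

    if ($isElevated) {
        $tokenKind = 'Full administrator token'
    } elseif ($adminListed) {
        $tokenKind = 'UAC-filtered token (Administrators is deny-only)'
    } else {
        $tokenKind = 'Standard user token'
    }

    [pscustomobject]@{
        User           = $identity.Name
        IsElevated     = $isElevated
        TokenKind      = $tokenKind
        IntegrityLevel = $label.Name
        IntegritySid   = $label.SID
    }
}

Get-SessionTokenInfo | Format-List
```

Run it in both consoles: the User value is identical, while IsElevated, TokenKind and IntegrityLevel differ between the normal shell and the one started with "Run As Administrator".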
    
