Run Script as admin but prompt Current User


This topic contains 4 replies, has 2 voices, and was last updated by a Participant 1 year ago.

  • #84340

    Participant
    Points: 1
    Rank: Member

    Hi,

    I have a script which prompts a user to enter content to send a message across our domain. The script needs to be run as a domain admin but needs to be used by a standard user, so it is set as a scheduled task on a computer they have access to. The issue is, when running the scheduled task, the user doesn't get the prompt to enter the message.

    Script is below.

    # Empty the batch file that will hold one msg command per computer
    Clear-Content C:\Utils\Scripts\output\Techsupportmessage.bat

    # Prompt for the message text. $input is a PowerShell automatic variable
    # (the pipeline enumerator), so the result is stored in $message instead.
    Add-Type -AssemblyName Microsoft.VisualBasic
    $message = [Microsoft.VisualBasic.Interaction]::InputBox('Enter Message to Send', 'From!', 'Your Message Here')

    # Search base (domain components left blank as in the original post)
    $OU = "OU=Computers New,OU=,DC=,DC="
    $instruct = "msg * /server:"

    # One msg line per computer name found in the OU
    $ComputerNames = Get-ADComputer -SearchBase $OU -Filter * -Properties Name | Select-Object -ExpandProperty Name
    foreach ($name in $ComputerNames) {
        Add-Content C:\Utils\Scripts\output\Techsupportmessage.bat "$instruct$name /v $message"
    }

    # Run the generated batch file
    C:\Utils\Scripts\output\Techsupportmessage.bat

    Any help would be appreciated.

  • #84341

    Keymaster
    Points: 1,673
    Helping Hand, Team Member
    Rank: Community Hero

    This is not the right way to go about achieving the goal. JEA would be. Make your tool or GUI or whatever runnable by the user. Have it connect – as the user – to a remote endpoint. Have that endpoint "run as" a domain admin account. You can then lock down the commands capable of running in the endpoint so that nobody can "bypass" the tool the user is running and gain elevated permissions.

    What you're -attempting- to do is designed to not work.

  • #84347

    Participant
    Points: 1
    Rank: Member

    I'm only new to PowerShell and am not greatly familiar with processes. It has taken weeks to get to this point. So basically, should I get the InputBox to run as the current user and output the message to a text file, and get the script that I need to run call that file as the variable for the message input? It needs to run on up to 400 PCs.

    • #84350

      Keymaster
      Points: 1,673
      Helping Hand, Team Member
      Rank: Community Hero

      Uh... I mean, I guess if that's what you want to try and do, sure. Good luck. Just know that the direction you're heading will leave you wide-open to a number of easy-to-implement malicious attacks. You could be the next Equifax [grin]!

      Windows is kind of explicitly designed to not do what you're doing, so you're fighting the way the OS wants to work. If you'd like to do it the way the OS -wants- to work, that's "Just Enough Administration," or JEA. https://msdn.microsoft.com/en-us/library/dn896648.aspx. The idea is that you have a script on the user's computer, which the user launches, and which runs as the user. It prompts them for whatever. It then sends a command – via Invoke-Command, PowerShell's Remoting system – to a JEA endpoint running on a remote computer. That endpoint can then run whatever commands you've transmitted to it, under the credentials of another user, like a domain admin. The endpoint, when you create it, can be locked down to only the commands you want to allow, so that a bad actor can't gain unnecessary elevated privileges.

      I understand that it's frustrating to have been attacking something for a long time, feel like you're so close, and then have someone tell you that you were headed in the wrong direction all along. Notwithstanding, it's worth learning the right way to do this kind of thing, and in this case, JEA is explicitly designed to do what you're trying to do. Like, the guy who invented PowerShell invented JEA for specifically the use case you've laid out.
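The JEA design described in the two replies above, worked through for the original poster's scenario. This is an added example, not code from the thread or from Microsoft's JEA documentation. It assumes: an endpoint host named JEAHOST01 with the ActiveDirectory RSAT module installed; a domain group CONTOSO\TechSupport and an OU distinguished name, both placeholders; and a virtual account as the run-as identity (the endpoint can instead be registered with -GroupManagedServiceAccount when rights on other domain computers are required). The function name Send-TechSupportMessage and module name TechSupportMessage are invented for the example.

```powershell
# ===== Part 1: on the JEA endpoint (JEAHOST01), run once as an administrator =====

# Role capabilities live in a module's RoleCapabilities folder
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\TechSupportMessage'
New-Item -ItemType Directory -Path (Join-Path $modulePath 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'TechSupportMessage.psd1')

# The only thing the standard user can call. The OU is fixed here, server-side,
# and the message is a typed parameter, so nothing the user types becomes
# script or batch text (the original script spliced it into a .bat file).
$sendMessage = @{
    Name        = 'Send-TechSupportMessage'
    ScriptBlock = {
        param(
            [Parameter(Mandatory)]
            [ValidateLength(1, 500)]
            [string]$Message
        )
        # Placeholder DN; replace with the real OU
        $searchBase = 'OU=Computers New,OU=PLACEHOLDER,DC=PLACEHOLDER,DC=PLACEHOLDER'
        $names = @(Get-ADComputer -SearchBase $searchBase -Filter * |
                   Select-Object -ExpandProperty Name)
        foreach ($name in $names) {
            # Each value is passed as its own argument to msg.exe
            & "$env:SystemRoot\System32\msg.exe" * /server:$name /v $Message
        }
        "Sent to $($names.Count) computer(s)"
    }
}

# Get-ADComputer is imported for the function's use but is NOT listed as a
# visible cmdlet, so the user cannot run arbitrary AD queries themselves.
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'RoleCapabilities\TechSupportMessage.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleExternalCommands "$env:SystemRoot\System32\msg.exe" `
    -FunctionDefinitions $sendMessage `
    -VisibleFunctions 'Send-TechSupportMessage'

# RestrictedRemoteServer = NoLanguage session with only the allowed commands.
# The virtual account is a local admin on the endpoint; swap -RunAsVirtualAccount
# for -GroupManagedServiceAccount 'CONTOSO\gMSA-TechSupport$' (placeholder) when
# the commands need rights on other domain machines.
$psscPath = Join-Path $env:TEMP 'TechSupportMessage.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEAConfiguration\Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\TechSupport' = @{ RoleCapabilities = 'TechSupportMessage' } }

Register-PSSessionConfiguration -Name 'TechSupportMessage' -Path $psscPath -Force

# ===== Part 2: on the user's workstation, run as the standard user (no elevation) =====

Add-Type -AssemblyName Microsoft.VisualBasic
$message = [Microsoft.VisualBasic.Interaction]::InputBox('Enter Message to Send', 'From!', 'Your Message Here')
if ([string]::IsNullOrWhiteSpace($message)) { return }

$session = New-PSSession -ComputerName 'JEAHOST01' -ConfigurationName 'TechSupportMessage'
try {
    # Import-PSSession builds a local proxy for the remote function; the message
    # travels as a parameter value, so there is no client-side script to tamper with
    Import-PSSession -Session $session -CommandName 'Send-TechSupportMessage' | Out-Null
    Send-TechSupportMessage -Message $message
}
finally {
    Remove-PSSession -Session $session
}
```

Two points worth checking after registration: run `Get-PSSessionCapability -ConfigurationName TechSupportMessage -Username CONTOSO\someuser` on the endpoint to confirm the user sees only Send-TechSupportMessage plus the default JEA proxies, and review the transcripts in the TranscriptDirectory, which record every command the run-as identity executed on the user's behalf. Because msg.exe is listed in VisibleExternalCommands, the user can also invoke it directly inside the session; keep that list to the single executable the function needs.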

  • #84352

    Participant
    Points: 1
    Rank: Member

    Thanks for the link, interesting reading, it will take time to absorb lol. I totally agree on doing things the right way, this will be helpful, might just take some more time. :D. Not scared of learning, just slow at it. Thanks for your help. I'll come back later after I've got it working to let you know how I got on.

The topic ‘Run Script as admin but prompt Current User’ is closed to new replies.