Run Script as admin but prompt Current User

This topic contains 4 replies, has 2 voices, and was last updated by  Mikebrod 4 weeks, 1 day ago.

  • #84340

    Mikebrod
    Participant

    Hi,

    I have a script which prompts a user to enter content to send a message across our domain. The script needs to run as a domain admin but needs to be used by a standard user, so it is set up as a scheduled task on a computer they have access to. The issue is that when the scheduled task runs, the user doesn't get the prompt to enter the message.

    The script is below.

     # Empty the batch file left over from the previous run
     Clear-Content C:\Utils\Scripts\output\Techsupportmessage.bat

     # Prompt for the message. $input is an automatic variable in PowerShell
     # (the pipeline enumerator), so the result is stored under another name.
     Add-Type -AssemblyName Microsoft.VisualBasic
     $message = [Microsoft.VisualBasic.Interaction]::InputBox('Enter Message to Send', 'From!', 'Your Message Here')

     $OU = "OU=Computers New,OU=,DC=,DC="
     $instruct = "msg * /server:"

     # One msg.exe line per computer in the OU, appended to the batch file
     $ComputerName = Get-ADComputer -SearchBase $OU -Filter * -Properties Name | Select-Object Name
     foreach ($name in $ComputerName) {
         Add-Content C:\Utils\Scripts\output\Techsupportmessage.bat "$instruct$($name.Name)  /v $message"
     }

     # Run the generated batch file
     C:\Utils\Scripts\output\Techsupportmessage.bat

    Any help would be appreciated.

  • #84341

    Don Jones
    Keymaster

    This is not the right way to go about achieving the goal. JEA would be. Make your tool or GUI or whatever runnable by the user. Have it connect – as the user – to a remote endpoint. Have that endpoint "run as" a domain admin account. You can then lock down the commands capable of running in the endpoint so that nobody can "bypass" the tool the user is running and gain elevated permissions.

    What you're -attempting- to do is designed to not work.

  • #84347

    Mikebrod
    Participant

    I'm new to PowerShell and not greatly familiar with processes. It has taken weeks to get to this point. So basically, should I get the InputBox to run as the current user and output the message to a text file, and have the script that I need to run call that file as the variable for the message input? It needs to run on up to 400 PCs.

    • #84350

      Don Jones
      Keymaster

      Uh... I mean, I guess if that's what you want to try and do, sure. Good luck. Just know that the direction you're heading will leave you wide-open to a number of easy-to-implement malicious attacks. You could be the next Equifax [grin]!

      Windows is kind of explicitly designed to not do what you're doing, so you're fighting the way the OS wants to work. If you'd like to do it the way the OS -wants- to work, that's "Just Enough Administration," or JEA. https://msdn.microsoft.com/en-us/library/dn896648.aspx. The idea is that you have a script on the user's computer, which the user launches, and which runs as the user. It prompts them for whatever. It then sends a command – via Invoke-Command, PowerShell's Remoting system – to a JEA endpoint running on a remote computer. That endpoint can then run whatever commands you've transmitted to it, under the credentials of another user, like a domain admin. The endpoint, when you create it, can be locked down to only the commands you want to allow, so that a bad actor can't gain unnecessary elevated privileges.

      I understand that it's frustrating to have been attacking something for a long time, feel like you're so close, and then have someone tell you that you were headed in the wrong direction all along. Notwithstanding, it's worth learning the right way to do this kind of thing, and in this case, JEA is explicitly designed to do what you're trying to do. Like, the guy who invented PowerShell invented JEA for specifically the use case you've laid out.
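
The JEA design sketched in the two replies above (#84341 and #84350), written out as an added example; this is not code from the thread or from either poster. Every name in it is a placeholder: the module TechSupportJEA, the role TechSupportMessenger, the endpoint TechSupportMessage, the group CONTOSO\TechSupport, the gMSA CONTOSO\svcTechMsg, the search base OU=Computers New,DC=contoso,DC=com and the endpoint host JEAHOST01. A group managed service account is used instead of the default virtual account because the endpoint has to reach other computers and query AD, which a local virtual account cannot do; the gMSA has to be created in AD and installed on the endpoint host beforehand, and the ActiveDirectory RSAT module has to be present there. The connecting user can run exactly one function, and the message text travels to msg.exe as an argument rather than being written into a .bat file, so nothing typed into the prompt can be interpreted as a second command.

```powershell
#region Server side: run once, as an administrator, on the endpoint host (assumed JEAHOST01)
$ModuleName = 'TechSupportJEA'                                  # assumed module name
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RolePath   = Join-Path $ModulePath 'RoleCapabilities'          # JEA only finds .psrc files here
New-Item -Path $RolePath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# The one command a connecting user may run. Its body executes under the gMSA,
# but the caller can only supply -Message and -SearchBase, both validated.
$SendMessage = {
    param(
        [Parameter(Mandatory)]
        [ValidateLength(1, 255)]
        [ValidatePattern('^[^\r\n]+$')]          # single line; msg.exe takes one line anyway
        [string]$Message,

        [string]$SearchBase = 'OU=Computers New,DC=contoso,DC=com'   # assumed OU
    )
    $computers = Get-ADComputer -SearchBase $SearchBase -Filter * |
        Select-Object -ExpandProperty Name
    foreach ($name in $computers) {
        # Arguments are passed separately; $Message is never re-parsed by cmd.exe.
        # 2>&1 returns msg.exe errors (offline PCs etc.) to the caller as output.
        & "$env:SystemRoot\System32\msg.exe" * /server:$name /v $Message 2>&1
    }
}

New-PSRoleCapabilityFile -Path (Join-Path $RolePath 'TechSupportMessenger.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -FunctionDefinitions @{ Name = 'Send-TechSupportMessage'; ScriptBlock = $SendMessage }

# RestrictedRemoteServer = NoLanguage mode plus a handful of proxied cmdlets;
# only members of the assumed group get the role, and every session is transcribed.
$PsscPath = Join-Path $env:TEMP 'TechSupportMessage.pssc'
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CONTOSO\svcTechMsg' `
    -RoleDefinitions @{ 'CONTOSO\TechSupport' = @{ RoleCapabilities = 'TechSupportMessenger' } } `
    -TranscriptDirectory 'C:\JEATranscripts'

if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) { throw "Invalid session configuration file" }
Register-PSSessionConfiguration -Name 'TechSupportMessage' -Path $PsscPath -Force | Out-Null
#endregion

#region Client side: runs as the standard user on their own PC
function Send-DomainBroadcast {
    param(
        [string]$EndpointComputer  = 'JEAHOST01',            # assumed endpoint host
        [string]$ConfigurationName = 'TechSupportMessage'    # assumed endpoint name
    )
    # Same prompt as the original script, but it now runs in the user's own
    # interactive session, so the dialog actually appears.
    Add-Type -AssemblyName Microsoft.VisualBasic
    $message = [Microsoft.VisualBasic.Interaction]::InputBox('Enter Message to Send', 'From!', 'Your Message Here')
    if ([string]::IsNullOrWhiteSpace($message)) { return }   # user pressed Cancel

    $session = New-PSSession -ComputerName $EndpointComputer -ConfigurationName $ConfigurationName
    try {
        # Implicit remoting gives the user a local proxy for the single permitted
        # function; the parameters are serialised, so no script text is sent to
        # the NoLanguage session.
        Import-PSSession -Session $session -CommandName Send-TechSupportMessage -AllowClobber | Out-Null
        Send-TechSupportMessage -Message $message
    }
    finally {
        Remove-PSSession -Session $session
    }
}
#endregion
```

To check what a member of the group can actually do once the endpoint is registered, run `Get-PSSessionCapability -ConfigurationName TechSupportMessage -Username 'CONTOSO\someuser'` on the endpoint host; the list should contain Send-TechSupportMessage and the default RestrictedRemoteServer cmdlets and nothing else.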

  • #84352

    Mikebrod
    Participant

    Thanks for the link, interesting reading; it will take time to absorb lol. I totally agree on doing things the right way, this will be helpful, might just take some more time. :D Not scared of learning, just slow at it. Thanks for your help. I'll come back later after I've got it working to let you know how I got on.
