August 15, 2018 at 5:47 pm #108620 (Participant, Points: 1, Rank: Member)
I need some help on using the best way to do something.
I'm working on a script. The script will be launched using a non-admin user. The script will run some cmdlets (Microsoft Configuration Manager). I need to run them using another user. What would be the best solution to do it? The CM cmdlets don't provide the option to specify the user to use. From what I read, using Invoke-Command is not possible either, since it requires another computer name to be provided and localhost won't work.
Thanks for your help
August 15, 2018 at 5:51 pm #108623 (Participant, Points: 135, Rank: Participant)
If you have SCCM in place you don't need to switch accounts/credentials inside scripts. You should specify in SCCM to run the script with administrative rights.
August 15, 2018 at 5:56 pm #108626 (Participant, Points: 1, Rank: Member)
That script will be run by users who don't have enough rights within our SCCM. And we don't want to give them more. Those cmdlets need to run using a service account that will have enough rights to perform the task. That's why I'm doing it that way.
August 15, 2018 at 7:06 pm #108635 (Participant, Points: 206, Rank: Participant)
> That script will be run by users who don't have enough rights within our SCCM.
You are running script(s) that must be run in the context of the currently logged-on user, which also requires admin privs due to the SCCM priv requirement?
Since you are saying you cannot follow Olaf's recommendation, IMHO (taking the interactive user out of the picture) your options are: (1) create a scheduled task remotely, have that ST run the scripts using the creds you provide, and set it to run only when the user is logged on; (2) use MS Sysinternals PsExec with the credentials needed to execute what you are after.
PS does not natively provide a way for you to run scripts in a logged-on user context, as this is a Windows security boundary.
August 16, 2018 at 1:58 pm #108701 (Participant, Points: 158, Rank: Participant)
I've done this in the past as @postanote recommended, which is basically to set up a queue that has a scheduled task running as the privileged account. You drop Computer123.txt in a folder (with permissions for just those users to write), the script would read it every minute to get params, execute the task and then delete (or move) the file.
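The queue-plus-scheduled-task pattern from the last two replies, as an added example that is not code from any poster in this thread. It is one script: run once with `-Register` by an administrator it registers itself as a scheduled task that runs every minute under the service account (the "scheduled task with creds" option); otherwise it acts as the queue worker. The folder paths, the site code, the collection name and the per-request action (add the named device to a collection) are assumptions chosen for illustration; the ConfigMgr module load follows Microsoft's documented console-install path. Because the inbox is written by low-privilege users and read by a privileged account, the worker treats the file name as untrusted input: it accepts only a strict hostname pattern, passes it to one fixed cmdlet as a parameter, and never evaluates file contents.

```powershell
<#
  Added example (not the forum posters' code).
  Queue worker for ConfigMgr actions that must run under a service account.
  Assumed values: the queue folders, the site code, the collection name.
#>
param(
    [switch]$Register,                                 # one-time setup by an admin
    [string]$QueuePath      = 'C:\CMQueue\Inbox',      # assumed; users get create-file rights only
    [string]$DonePath       = 'C:\CMQueue\Done',       # assumed; service account only
    [string]$SiteCode       = 'XYZ',                   # placeholder site code
    [string]$CollectionName = 'Queue Requests'         # placeholder collection
)

if ($Register) {
    # Register this script as a task that repeats every minute as the service account.
    $cred    = Get-Credential -Message 'Service account for the CM queue worker'
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                   -RepetitionInterval (New-TimeSpan -Minutes 1) `
                   -RepetitionDuration ([TimeSpan]::MaxValue)
    Register-ScheduledTask -TaskName 'CMQueueWorker' -Action $action -Trigger $trigger `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest
    return
}

# Load the ConfigMgr module from the admin console install and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$SiteCode`:"

# Only a plain NetBIOS-style hostname is accepted; anything else is quarantined unused.
$NamePattern = '^[A-Za-z0-9-]{1,15}$'

foreach ($file in Get-ChildItem -Path $QueuePath -Filter '*.txt' -File) {
    $name = $file.BaseName
    if ($name -notmatch $NamePattern) {
        Write-Warning "Rejected queue item with unexpected name: $($file.Name)"
        Move-Item -Path $file.FullName -Destination (Join-Path $DonePath "REJECTED_$($file.Name)") -Force
        continue
    }
    try {
        # The single privileged action: the validated name is a parameter value, never code.
        $device = Get-CMDevice -Name $name
        if (-not $device) { throw "No device named '$name' found in site $SiteCode" }
        Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName `
            -ResourceId $device.ResourceID
        Move-Item -Path $file.FullName -Destination (Join-Path $DonePath "OK_$($file.Name)") -Force
    }
    catch {
        Write-Warning "Failed to process '$name': $($_.Exception.Message)"
        Move-Item -Path $file.FullName -Destination (Join-Path $DonePath "FAILED_$($file.Name)") -Force
    }
}
```

Grant the requesting users only "Create files" on the inbox (no modify or delete), keep the done folder and the script file writable by administrators and the service account alone, and give the service account no more ConfigMgr rights than the one action the worker performs; the processed-file prefixes then double as an audit trail of who asked for what and whether it succeeded.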