Would it be at all possible to add the ability to launch snapins with a admin domain account ? Our registry and things get locked down via policies but I have snapins that need to import reg settings and they will only import if running script as a domain admin.
I think the problem was launching a powershell script that then launched another script as a domain admin but the credentials wont populate when it is being run from the system account just asks for password in a non visible console.
I have compiled the main powershell script as an exe which is then run via the system account and seems to be working now with the exception of not running as domain admin.
x23piracy last edited by
you did something similar to this?
a little quote from that thread:
[QUOTE][B][COLOR=#ff0000]IMPORTANT NOTE:[/COLOR][/B] If using Vista or Win 7 you must turn off UAC evaluation prompts for administrator otherwise windows will prompt for permission to install, and hold up your unattended process. To turn off, in your system image you shoud type secpol.msc into the start/run bar, then choose “local polices>security options>User account control:Behavior of the elevation prompt for administrators in Admin approval mode” and choose “Evaluate without prompting”. Also disable “User account control: Switch to the secure desktop when prompting for elevation”.[/QUOTE]
I would more prefer a solution that elevates the execution to be an admin except turning security stuff off!
Maybe interesting: [url]http://www.fogproject.org/wiki/index.php/Creating_Custom_FOG_Service_Modules[/url]
Scratch that, scripts converted to exe and run by double click work perfect but if I set a snapin to run the exe it never actually starts as far as I can see.
Thanks for the reply, I just thought it would make it easier on us to do this kind of thing but I think I have a work around in the mean time using powershell to run a powershell script as admin user using cached credentials from a securestring ( saves using a 3rd party app which would get blocked via our antivirus anyway).
Testing as we speak to make sure it works across all images.
x23piracy last edited by
you can use the runas command but it needs the user account password entered!
[CODE]runas /user:Admin /savecred[/CODE]
The Problematic things is you need to store your ad admin accounts password, not the best idea.
I would create a special user for this so you don’t need to use the major domain admin account.
There are tools outside that can encrypt passwords in batch files and tools that create exe from bat.
Sorry this one is in german but you may find one in english:
[SIZE=6][B][SIZE=3]pcwRunas: launch applications with privileged rights convenient[/SIZE][/B][/SIZE]
Published on February 12, 2011 in [URL=‘http://translate.googleusercontent.com/translate_c?depth=1&rurl=translate.google.com&sl=de&tl=en&u=http://www.tobbis-blog.de/category/admin-alltag/&usg=ALkJrhgTJgX-EGRZtKEoJpLv0BKep48h9Q’]Admin everyday life[/URL] | [URL=‘http://translate.googleusercontent.com/translate_c?depth=1&rurl=translate.google.com&sl=de&tl=en&u=http://www.tobbis-blog.de/pcwrunas-anwendungen-mit-privilegierten-rechten-bequemer-starten/&usg=ALkJrhhsTed1Hw-gyw5UQ0HVTP-c5U0GCA#comments’]2 Comments[/URL]
In a domain environment (domain) administrators usually work with two user accounts: An account for the “normal” work and an account that is privileged and extensive rights.
Annoying as it is, if you constantly invoke the context menu the “Run As …” command and must enter your user name and password for the umpteenth time.
There are several tools that promise a relief here, but almost all seem to cost money.
A free version, the PC world by 2009 with the tool [B][URL=‘http://translate.googleusercontent.com/translate_c?depth=1&rurl=translate.google.com&sl=de&tl=en&u=http://www.pcwelt.de/downloads/pcwRunAs-1215998.html%3Frate%3D0%26page%3D2&usg=ALkJrhhtfE1cveWRnHc7coTIuw1QHaNaYg’]pcwRunAs[/URL][/B] published, which allows you to create shortcuts to applications, which can then be started automatically with a privileged account.
It is also not even necessary to enter a password, it is stored encrypted namely (using the hard drive serial number).
In any case, a clear recommendation for any admin who has repeatedly durchexerzieren the above procedure every day.