Run Invoke-Command in remote computer as administrator

Asked 26/11, 2020 at 12:35 Answered 26/11, 2020 at 15:13

I'm trying to run invoke-command to launch a powershell script in a powershell file on a remote computer. I'm using the credentials for a user with Administrator privilege. The command needs to be executed by running powershell as an administrator. There are licensing issues with the application that i'm trying to invoke using the powershell script, so i cannot change the credentials to Administrator but need to run with that particular user itself. I have tried using -RunAsAdministrator at the end of the Invoke-Command, but i got an error saying:

Invoke-Command : Parameter set cannot be resolved using the specified named parameters.

$command = {
    cd Folder
    C:\Folder\build.ps1
} 
Invoke-Command -ComputerName $RemoteSystemIP -ScriptBlock $command -credential $Credentials1 -ErrorAction Stop -AsJob

I'm trying to execute this as a background job that's why i added the -AsJob parameter.

Its been several days and i haven't found a solution yet.

Dated answered 26/11, 2020 at 12:35 Comment(0)

tl;dr

The only way to get a remote PowerShell session to execute elevated (with admin privileges) is to connect with a user account (either implicitly or via -Credential) that has admin privileges on the target machine.
With such an account, the session automatically and invariably runs elevated.

The Invoke-Command's -RunAsAdministrator switch can only be used with (virtualization) containers (-ContainerId parameter), not regular remoting (-ComputerName parameter).

You cannot elevate on demand in a remote session (the way you can locally, interactively with Start-Process -Verb RunAs).^[1]

Instead, you must make sure that the credentials you're passing to Invoke-Command -Credential to connect to the remote machine with refer to a user account that (also) has administrative privileges on the target machine, in which case the remote session automatically and invariably runs elevated (with admin privileges).^[2]

If you cannot pass such credentials, I think you're out of luck.

To test if the current user has administrative privileges:

# Returns $true if elevated, otherwise $false.
[Security.Principal.WindowsPrincipal]::new(
  [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)

Separately, here's a simple test you can run from inside a session to determine whether it is running with elevation:

# Returns $true if elevated, otherwise $false.
[bool] (net session 2>$null)

^{[1] Unless the session at already is elevated, -Verb RunAs presents a pop-up UAC dialog that a user must confirm interactively, which is not supported in a remote session.}

^{[2] The same applies if you use "loopback remoting", i.e. if you target the local machine via remoting, using Invoke-Command -ComputerName ., for instance, with additional restrictions, however: You cannot use a user that is authorized for remoting but isn't part of the local Administrators group, and if you use the current user (whether or not with explicit credentials), the calling session must itself be elevated.}

Oneman answered 26/11, 2020 at 15:13 Comment(5)

Possibly worth noting that running Invoke-Command against the local computer also results in automatic elevation of the commands inside the script block, provided the account has administrative privileges. – Punish 30/5, 2022 at 10:31

Thanks. On your last sentence, I've found that I can open an unelevated Powershell window, and still elevate locally with Invoke-Command. See Powershell output at pastebin.com/wqeUaC8R – Punish 30/5, 2022 at 16:14

Thanks, @Punish - I wasn't aware that if you specify a different user's credentials, elevation isn't required. I've updated the footnote to hopefully paint the full picture. Let me know if it matches your experience. – Oneman 31/5, 2022 at 13:9

That makes sense. Yes, different user - I am opening the PS window as a standard user a/c, then entering an administrator a/c in the Get-Credential prompt. – Punish 31/5, 2022 at 15:37

@Oneman In case you are bored on SO per the BS (wow, smh) and know the answer to this, how to make this work with wt.exe and elevate in PS, I wanted to pass by you.... superuser.com/questions/1840766/…. I tested some things and found this post, and figured I'd ping your awesomeness on this. – Marigraph 29/4 at 22:27

I think you should do this:

$command = {
    Start-Process "powershell" -Verb runas -Workingdirectory "C:\Folder\" -ArgumentList "build.ps1"
}

Invoke-Command -ComputerName $RemoteSystemIP -ScriptBlock $command -credential $Credentials1 -ErrorAction Stop -AsJob

Hax answered 26/11, 2020 at 12:52 Comment(2)

Its not executing the script within build.ps1 – Dated 26/11, 2020 at 13:52

If the credentials are admin credentials, the remote session is automatically elevated - no extra work needed; if they're not, trying to elevate on demand with Start-Process -Verb RunAs does not work (no way to show the UAC GUI). – Oneman 26/11, 2020 at 15:21

Recommended topics

Hot tags