Run Command as administrator in PowerShell script. UAC
P

4

11

OK here is my issue:

I am trying to run a script remotely on a server.

I am an administrator on both boxes, firewall exceptions are in place, remote admin is enabled, and everything else looks good that I can see.

invoke-command -ComputerName $ComputerName -ScriptBlock `
{
    cd C:\Windows\System32\inetsrv\; 
    ./appcmd.exe ADD vdir /app.name:<SiteName>/ /path:/<VDir Name> /physicalPath:<Path to files>
}

I keep getting the following error in return

ERROR ( hresult:80070005, message:Failed to commit configuration changes. Access is denied.

The server it is trying to run on is a server 2k8 R2 box and I am thinking the issue is a UAC problem. Is there any way to get this to run as administrator without having to click yes on a UAC box?

This piece of code will eventually become a script that will have to be completely automated.

Any help would be greatly appreciated.

Partiality answered 11/2, 2010 at 22:5 Comment(3)
OK, well, it isn't UAC. I disabled UAC, the firewall, and everything else I could think of that would be interfering. I also made the registry change suggested by tyranid. Neither works. It's odd. It says the operation was successful, then gives the same access is denied error. - Partiality
Can you run 'whoami /all' on the remote PowerShell instance and see what permissions you actually do have? - Pilsner
I ran the command and it listed my domain account name, the groups I am a member of on the domain, and a list of privileges. All privileges were administrator level and enabled, one of the groups listed is in the Administrators group, and all looks right. - Partiality
P
10

OK. After some research and testing I figured out the issue. After disabling UAC and the firewall, with the script still not working, I dug a little deeper and discovered that the main issue was the way Invoke-Command runs the commands. It uses the credentials of the person running the script to authenticate to the server, then tries to use another account to run the permissions or lowers the privileges of the user so that certain commands cannot be run.

I added the -Credential switch to the Invoke-Command call and everything is working great now. Corrected code sample below:

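# $UserName (string) and $securePassword (SecureString) must be defined before this point
$user = New-Object Management.Automation.PSCredential("$UserName", $securePassword)
# The opening brace sits on the same line: a backtick followed by a space does not continue the line
Invoke-Command -ComputerName $ComputerName -Credential $user -ScriptBlock {
    cd C:\Windows\System32\inetsrv\
    ./appcmd.exe ADD vdir /app.name:<SiteName>/ /path:/<VDir Name> /physicalPath:<Path to files>
}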
Partiality answered 13/2, 2010 at 15:53 Comment(3)
So when scripting something that requires admin rights, there is no better way than to have the username and password in cleartext in the script? Really? Running the service as admin is not enough... What's the best practice to script, say, a Windows service installation that requires admin rights? - Eo
The alternative is to let the user enter the credentials via the Get-Credential cmdlet. - Box
Tim, please, can you help here? https://mcmap.net/q/22615/-windows-10-after-gaining-remote-access-remotely-start-quick-assist-as-administrator-without-uac-or-temporarily-disable-uac/38108 - Joyjoya
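On the cleartext-password question raised in the comments above: the following is an added example, not code from any poster, that prompts with Get-Credential once, stores the result with Export-Clixml, and reuses it for the Invoke-Command call. The host name, file path and IIS names are placeholders assumed for illustration.

```powershell
# Added example; host, path and IIS names below are placeholders, not from the post.
$ComputerName = 'web01.example.test'                            # placeholder target
$CredPath     = Join-Path $env:LOCALAPPDATA 'deploy-cred.xml'   # hypothetical location
$SiteName     = 'Default Web Site'
$VDirName     = 'reports'
$PhysicalPath = 'D:\sites\reports'

function Get-StoredCredential {
    param([string] $Path)
    if (-not (Test-Path $Path)) {
        # One-time interactive prompt. On Windows, Export-Clixml encrypts the
        # password with DPAPI, so the file only decrypts for the same user on
        # the same machine.
        Get-Credential | Export-Clixml -Path $Path
    }
    $cred = Import-Clixml -Path $Path
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "File '$Path' does not contain a PSCredential."
    }
    $cred
}

$cred = Get-StoredCredential -Path $CredPath

$result = Invoke-Command -ComputerName $ComputerName -Credential $cred `
    -ArgumentList $SiteName, $VDirName, $PhysicalPath -ScriptBlock {
    param($site, $vdir, $phys)
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    # Each argument is passed as its own token, so spaces in names survive.
    $out = & $appcmd add vdir "/app.name:$site/" "/path:/$vdir" "/physicalPath:$phys" 2>&1
    New-Object PSObject -Property @{
        ExitCode = $LASTEXITCODE
        Output   = ($out | Out-String).Trim()
    }
}

# Fail loudly instead of scrolling past an "Access is denied" line.
if ($result.ExitCode -ne 0) {
    throw "appcmd failed on ${ComputerName} (exit $($result.ExitCode)): $($result.Output)"
}
$result.Output
```

The stored file has to be created by the same account that later runs the automation (for example the scheduled task's account), because another user or machine cannot decrypt it.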
P
0

This seems to indicate that you need to ensure you are a local admin on the remote machine (although admittedly this is for WMI specifically). According to this you can change a registry key to stop UAC applying to remote logons for administrators (search for LocalAccountTokenFilterPolicy). That shouldn't disable UAC, just not filter the token if you use PowerShell/WMI remotely with an administrator account.

Pilsner answered 11/2, 2010 at 22:24 Comment(0)
E
-3

Set the option "EnableLUA" (DWORD value) found in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0 and reboot.

This will disable UAC without a problem, I would do it for all your users, whether with or without permission is up to you.

This trick works in Windows Vista and Windows 7 too.

Extravagance answered 29/7, 2010 at 15:9 Comment(2)
I don't think they are censoring you in the way you mean it. My best guess is you recommended something which may provide a security risk for a casual user. UAC is there for some reason; whether this is achieved successfully or not is beyond the scope of this question ;) - Thermomotor
@Thermomotor Well yes, you are right, it is beyond the scope of this question, which is why I answered the question and included my other comment as a side comment. If something is done in such a horrid manner, it should be protested and disabled to teach the devs a lesson, and more importantly, because the disaster brought on by this far outweighs the security it provides. This was one of the main reasons why Vista was a colossal disaster. - Extravagance
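The two registry values named in the answers above (LocalAccountTokenFilterPolicy and EnableLUA) and the 'whoami /all' check from the question's comments can be gathered in one read-only pass. This is an added example, not code from any poster; the function name and the host names in the usage line are assumptions.

```powershell
# Added example: read-only diagnostic, changes nothing on the target.
function Get-RemoteElevationReport {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        [System.Management.Automation.PSCredential] $Credential
    )
    $params = @{ ComputerName = $ComputerName }
    if ($Credential) { $params.Credential = $Credential }

    $rows = Invoke-Command @params -ScriptBlock {
        $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($id)
        $key       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $policy    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Computer   = $env:COMPUTERNAME
            User       = $id.Name
            # True only when the remote token carries the full Administrators group
            IsElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
            # Both values are $null when the registry value does not exist
            EnableLUA  = $policy.EnableLUA
            LocalAccountTokenFilterPolicy = $policy.LocalAccountTokenFilterPolicy
        }
    }

    foreach ($r in $rows) {
        $findings = @()
        if ($r.EnableLUA -eq 0) { $findings += 'UAC is disabled (EnableLUA = 0)' }
        if ($r.LocalAccountTokenFilterPolicy -eq 1) {
            $findings += 'Remote token filtering is off for local admin accounts'
        }
        if (-not $r.IsElevated) { $findings += 'Session token is not elevated' }
        $r | Add-Member -MemberType NoteProperty -Name Findings `
            -Value ($findings -join '; ') -PassThru
    }
}

# Usage with placeholder host names:
# Get-RemoteElevationReport -ComputerName 'server1', 'server2' | Format-List
```

A row with IsElevated true and an empty Findings column means the access-denied error is not coming from UAC token filtering on that server.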
M
-4

Is there any way to get this to run as administrator without having to click yes on a UAC box?

If this were possible it would entirely defeat the point of UAC.

Thus, it would appear your only real solution is to disable UAC on the box.

Moule answered 11/2, 2010 at 22:6 Comment(4)
Unfortunately, disabling UAC is not an option since it will be on high visibility servers. Hopefully someone can figure out a solution or workaround. Maybe I am just doing something wrong. - Partiality
The other alternative would be to have whatever launches these scripts run elevated - then it can spawn other elevated processes without requiring another UAC confirmation. - Moule
The only question I have with that is will it carry over remotely. This script will run different commands on multiple servers from a management server. So Server A (mgmt) runs commands remotely on servers 1, 2, and 3. If the process is running as elevated on Server A, is it going to run elevated on Servers 1, 2, and 3? - Partiality
Of course you can disable UAC if you are running in admin mode; whether you want to or not is a different issue. Read my answer. - Extravagance