Script for non IT folks

  • Question

  • OK, well I'm a system Admin for my company and a new PowerShell scripter, rather was elected the new scripter that is.

    I have recently learned PowerShell, and have been asked to automate certain tasks in our environment.

    So far, with a number of different sites, Scripting Guys included... I have been able to get scripts out there.

    But one has me at a roadblock.

    I have been asked to create a script that will allow a non IT user who does not have access to AD, nor is going to get access to AD, to assign AD users to security groups for our company.

    I have the script created, and even created a GUI for it with listboxes for both our user list and the OU that contains the groups they will be adding to.

    Now, the script works like a charm on a domain controller or workstation that has the Active Directory tools installed.

    But when I move to a workstation that doesn't, or to a user that does not have AD rights is where I am stymied.

    I know about using PowerShell remoting, and I think I figured out the AD rights portion.

    But, there was an added requirement. We do not want the script code to be visible.

    So is there a way, to "hide" the code and still make it executable?

    I was even thinking of calling the script from within a .bat file.

    Thanks. :)


    Thursday, May 7, 2015 6:26 PM

Answers

  • 1. If the user that runs the script doesn't have access to AD, then how can they assign users to groups? They will get "access denied" errors for anything they do.

    2. You can't really hide the code of a PowerShell script and still allow a user to execute it. Embedding your script in an executable or running it from a shell script (batch file) merely executes the script indirectly but does not hide it.


    -- Bill Stewart [Bill_Stewart]

    Thursday, May 7, 2015 7:41 PM
    Moderator

All replies

  • Since you are new to Windows technologies you might want to spend a little time studying Windows security and how it is implemented and why.  Look at how we would delegate authority to a user to manage objects in AD. 

    As for access you can either use ADSI from any workstation or server with no added components or you can install the RSAT tools.

    Yes it is possible to use remoting however you still would have to delegate the user permissions to remote since we don't want to hand out admin credentials.

    Learning Windows is the best place to start.  Don't assume it is like Unix or the Mac.  Windows has specific and preferred ways to do things.  Once you understand them everything becomes much easier.

    Here is one place to start: https://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx


    \_(ツ)_/

    Thursday, May 7, 2015 9:20 PM
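
The ADSI route mentioned in the reply above, as an added example that is not part of the original thread: it adds a user to a group from a workstation without RSAT, and it succeeds only if the person running it has been delegated write access to the groups' member attribute. The function names and the OU path are assumptions made for illustration.

```powershell
# Added example, not from the thread. $GroupOu is a placeholder for the OU
# whose groups have been delegated to the person running this.
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so text typed into the GUI cannot change the filter.
    $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' `
           -replace '\)','\29' -replace "`0",'\00'
}

function Add-DelegatedGroupMember {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$GroupName,
        [Parameter(Mandatory=$true)][string]$GroupOu  # e.g. 'OU=Groups,DC=example,DC=com'
    )
    $u = ConvertTo-LdapFilterValue $SamAccountName
    $g = ConvertTo-LdapFilterValue $GroupName

    # [adsisearcher] ships with Windows PowerShell; no RSAT module is needed.
    $userHit = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$u))").FindOne()
    if (-not $userHit) { throw "User '$SamAccountName' not found." }
    $userDn = [string]$userHit.Properties['distinguishedname'][0]

    # Only look for the group beneath the delegated OU.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$GroupOu"
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$g))"
    $groupHit = $searcher.FindOne()
    if (-not $groupHit) { throw "Group '$GroupName' not found under $GroupOu." }

    $group = $groupHit.GetDirectoryEntry()
    # Best-effort check; very large groups return 'member' in ranges.
    if ($group.Properties['member'].Contains($userDn)) { return 'AlreadyMember' }

    try {
        [void]$group.Properties['member'].Add($userDn)
        # Runs as the logged-on user, so the ACL on the group decides the outcome.
        $group.CommitChanges()
        return 'Added'
    } catch {
        throw "Could not update '$GroupName' as $($env:USERNAME): $($_.Exception.Message)"
    }
}
```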