Elevate a command by script

  • Question


    Hello,

    How do I elevate a command?
    How can I be sure that every command line is elevated through every account inside the Administrators local group, and also for the SYSTEM account?
    The computer is NOT inside an Active Directory, then no GPO, etc.
    Then no UAC prompt.
    Then no blocking point.
    Then, the command lines are executed by a REAL administrator.
    Of course, the command lines are done through scripts (BATCH, VBS and POWERSHELL).

    The goal is not to bypass the UAC prompt.
    The goal is to allow the SYSTEM account inside a script to do everything.
    EVERYTHING = all the available commands are allowed.
    And to do that, I suppose that disabling UAC at the beginning of the script is the way to allow the SYSTEM account to do everything.
    But the computer needs to be restarted to disable UAC...
    Why can't SYSTEM do everything on Windows 7?
    --
    I can't delete a file here :
    "C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown"
    --
    I can't create a folder a file here :
    "C:\WINDOWS\system32\GroupPolicy\Machine\"
    --

    On Windows Seven 7 :

    My need is to :
    + Run scripts (with command lines) (VBS, batch, PowerShell: depends on the need)
    + Executed by an account inside the Administrators group and also the SYSTEM account.
    + All the command lines must be allowed, with no restriction, like UAC or something like that ...
    --
    Please, the goal is not to bypass UAC for everyone, but it's to run all the command lines by the Administrators with no blocking point.

    An administrator doesn't have to be in the loop of UAC.
    UAC is for users, not Admins.
    --

    Regards,

    Thursday, February 4, 2016 3:44 PM

All replies

    • Proposed as answer by Mike Crowley Wednesday, February 10, 2016 3:59 PM
    • Marked as answer by Steven_Lee0510 Monday, February 29, 2016 3:20 PM
    Thursday, February 4, 2016 4:02 PM
  • Hello,

    • How can I be sure that every command line is elevated through every account inside the Administrators local group

    You have to disable UAC to do that (effective after a reboot); then all the actions that you perform on your computer (with an admin account) are performed with full admin rights.

    •  and also SYSTEM account

    You have to use psexec to run something as "system":

    psexec -i -s Powershell.exe

    • UAC is for users, not Admins.

    Definitely not. UAC *is* for admins. E.g.: does your web browser need full admin privileges? => No. Your account is an admin account, but UAC ensures that your programs run with user rights unless you need admin rights to perform admin tasks.


    • Edited by Swisstone Thursday, February 4, 2016 6:40 PM
    Thursday, February 4, 2016 5:00 PM
  • Then, in your answer, I don't find the way to enable the Full Access Rights for an account inside the Administrators group without disabling UAC.
    --
    user = Low Access Rights (LAR)
    admin = Full Access Rights (FAR)
    --
    In UNIX:
    if you are ROOT, you have the FAR, SUDO is NOT necessary.
    if you are not ROOT, you can SUDO, with the good password.
    if you are a user that doesn't know the password for SUDO, then you are a user with LAR
    --
    Why is Windows not like that?
    --
    Then, in your answer, I don't find the way to enable the Full Access Rights for an account inside the Administrators group without disabling UAC.


    • Edited by Cerkyr Friday, February 5, 2016 2:42 PM
    Friday, February 5, 2016 2:37 PM
  • Hello,

    The built-in Administrator account has the "FAR" and the UAC prompt is NOT displayed (== root).

    However, you can set a policy for the other administrators on the computer:

    • via regedit: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      Create a REG_DWORD: ConsentPromptBehaviorAdmin
      VALUE: 0

    This key sets the "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" policy to "Elevate without prompting."

    More info here: https://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx#BKMK_AdminPromptBehavior

    With this setting, the administrator accounts won't need to click "Yes" anymore when they run something as admin. However, they still need to explicitly run the program/script as admin (but the UAC prompt won't show up).

    In PowerShell, you can use `Start-Process -FilePath YourExecutable.exe -Verb RunAs` to start something as admin (and you will not see the UAC prompt if you created the previous registry key).

    • Proposed as answer by Steven_Lee0510 Monday, February 29, 2016 3:19 PM
    • Marked as answer by Steven_Lee0510 Monday, February 29, 2016 3:20 PM
    Friday, February 5, 2016 8:41 PM
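
The settings discussed in the answer above, as an added example that is not part of the original thread: it reads the UAC policy values under the key quoted in the answer, reports whether the current process is elevated, and relaunches itself with `-Verb RunAs` when it is not. The `EnableLUA` check, the function names and the Windows PowerShell 2.0 target are assumptions not taken from the posts.

```powershell
# Added example (not from the thread). Targets Windows PowerShell 2.0 (Windows 7).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of ConsentPromptBehaviorAdmin as listed in Microsoft's UAC policy documentation.
$ConsentMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Test-IsElevated {
    # True when this process holds the full administrator token (also true for SYSTEM).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPosture {
    $values = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    # Assumption: a missing ConsentPromptBehaviorAdmin value means the default, 5.
    $consent = if ($null -ne $values.ConsentPromptBehaviorAdmin) {
        [int]$values.ConsentPromptBehaviorAdmin } else { 5 }
    New-Object PSObject -Property @{
        Account           = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Elevated          = (Test-IsElevated)
        AdminApprovalMode = ($values.EnableLUA -ne 0)   # 0 = UAC disabled (takes effect after reboot)
        ConsentPrompt     = $consent
        Meaning           = $ConsentMeaning[$consent]
        SilentElevation   = ($consent -eq 0)            # the value proposed in the answer
    }
}

$posture = Get-UacPosture
$posture | Format-List Account, Elevated, AdminApprovalMode, ConsentPrompt, Meaning, SilentElevation
if ($posture.SilentElevation) {
    Write-Warning 'Administrators elevate without a prompt: elevation requests in an admin session are approved unseen.'
}

# Self-elevation guard for a script file: relaunch once with -Verb RunAs, as in the answer.
$scriptPath = $MyInvocation.MyCommand.Path
if (-not $posture.Elevated -and $scriptPath) {
    Start-Process -FilePath powershell.exe -Verb RunAs `
        -ArgumentList ('-NoProfile -File "{0}"' -f $scriptPath)
    exit
}
if ($posture.Elevated) { Write-Output 'Running with the full administrator token.' }
```
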
  • The solutions are done.
    Multiple things must be done to apply this kind of thing.
    I plan to build documentation for that in the future, in less than 1 month.
    Regards,
    • Marked as answer by Cerkyr Friday, March 11, 2016 2:25 PM
    Friday, March 11, 2016 2:25 PM