Run a script as admin from within the script

    Question

  • Hi,

    I am trying to create a NetFirewallRule to allow network Discovery through the domain profile.

    I have managed to create a script that works but only when I start PowerShell as administrator.

    Is there a way to run PowerShell as a standard user and then elevate to admin within the script?

    Thank you in advance

    Ben

    Tuesday, June 12, 2018 9:14 AM

All replies

  • No.  The firewall is protected and can only be changed by an administrator in an elevated session.


    \_(ツ)_/

    Tuesday, June 12, 2018 9:31 AM
    Moderator
  • I use this little piece of code to achieve elevation (prompts for credentials, you still need to have an account with admin rights to authenticate with)

    # Get the security principal for the administrator role
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator;
    
    # Check to see if we are currently running as an administrator
    if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole($adminRole))
    {
        # We are running as an administrator, so change the title and background colour to indicate this
        $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)";
        $Host.UI.RawUI.BackgroundColor = "DarkBlue";
        Clear-Host;
    }
    else {
        # We are NOT running as an administrator, so relaunch as administrator
    
        # Create a new process object that starts PowerShell
        $newProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell";
    
        # Specify the current script path and name as a parameter with added scope and support for scripts with spaces in its path
        $newProcess.Arguments = "& '" + $script:MyInvocation.MyCommand.Path + "'"
    
        # Indicate that the process should be elevated
        $newProcess.Verb = "runas";
    
        # Start the new process
        [System.Diagnostics.Process]::Start($newProcess);
    
        # Exit from the current, unelevated, process
        Exit;
    }
    
    # Put Code to execute here

    Thursday, June 14, 2018 8:55 PM
  • That will not allow a standard user access. 


    \_(ツ)_/

    Thursday, June 14, 2018 9:28 PM
    Moderator
  • I never claimed it would. In fact, I specifically said that an administrator account is required in order to elevate. The question was "Is there a way to run PowerShell as a standard user and then elevate to admin within the script?" The answer is "Yes, if you run the code I provided, and have an administrator account to authenticate with." The OP's question could be worded a bit more clearly, but I didn't interpret it as elevating the standard user to an admin, just asking "Is there a way to elevate from within the script?" My example does just that.
    Thursday, June 14, 2018 11:55 PM
  • Still won't work.  "RunAs" elevates an admin account and not a standard account which is what the OP asked for.

    Besides you can just use.

    Start-Process powershell -Verb RunAs

    This will prompt an admin account for elevation.

    The following can allow a user to open PS as any user but the session will not be elevated.

    Start-Process powershell -Credential testnet\admin

    Of course from that session you could run a script that prompts for elevation.

    This would cause you to have to give the standard user the admin password.  Not a very good idea.


    \_(ツ)_/

    Friday, June 15, 2018 12:05 AM
    Moderator
  • Hi Ben1996,

    This is the piece of script which I use when I want to use a PowerShell script in an elevated session:

    # Checks if PowerShell is in Administrator mode; if not, relaunch the script elevated
    if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
        # Quote the script path so that paths containing spaces still work
        $arguments = "& '" + $myinvocation.mycommand.definition + "'"
        Start-Process powershell -Verb runAs -ArgumentList $arguments
        # Exit the unelevated copy (Break outside a loop can also stop a calling script)
        Exit
    }


    Cheers,

    Martien van Dijk

    Friday, June 15, 2018 6:20 AM
  • Hi All,

    I now realise I should have put a bit more context to the question (Apologies).

    This is my script

    Get-NetFirewallRule -DisplayGroup 'Network Discovery'|Set-NetFirewallRule -Profile 'Domain' -Enabled true -PassThru

    My plan is to allow network discovery on all of our domain computers. The script works when I open PowerShell as admin and then run. But when it comes to deploying my script to all computers (probably via Group Policy) it will fail because the users don't have admin rights. Is there a way for me to be able to do this rather than going on to each individual machine?

    Hope this helps.

    Ben

    Friday, June 15, 2018 11:34 AM
  • Just enable network discovery in Group Policy.  No need for the users to do this.

    No.  There is no way to allow standard users to do this.  If users could change the firewall rules what would be the point of the firewall requiring admin at an elevated prompt?

    Only an admin can elevate.  A user cannot become an admin without giving them the admin password.


    \_(ツ)_/

    • Marked as answer by Ben1996 Monday, June 18, 2018 7:40 AM
    Friday, June 15, 2018 11:40 AM
    Moderator
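
Added example, not code from any poster in this thread: a variant of the posted firewall command for unattended deployment, which refuses to run when the session is not elevated instead of prompting, and verifies the result. It assumes the script is launched in a context that is already elevated (for instance a Group Policy computer startup script, which runs as Local System); the function name `Test-IsElevated` and the exit codes are illustrative choices.

```powershell
# Added example (not from the thread). Assumption: launched in an already
# elevated context, e.g. a computer startup script or an elevated admin console.
$displayGroup = 'Network Discovery'   # rule group named in the thread

function Test-IsElevated {
    # True only when the current token has the Administrators group enabled,
    # i.e. an elevated session. False for standard users AND for admin
    # accounts running unelevated under UAC.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Unattended run: never prompt for credentials; report and stop instead.
    Write-Error "Not elevated: firewall rules for '$displayGroup' were not changed."
    exit 1
}

try {
    # Same pipeline as the script posted in the thread.
    # -PassThru returns the rules after modification so they can be checked.
    $changed = Get-NetFirewallRule -DisplayGroup $displayGroup -ErrorAction Stop |
        Set-NetFirewallRule -Profile Domain -Enabled True -PassThru -ErrorAction Stop
}
catch {
    Write-Error "Could not update '$displayGroup' rules: $($_.Exception.Message)"
    exit 2
}

# Verify that every returned rule really reports Enabled = True.
$notEnabled = @($changed | Where-Object { $_.Enabled.ToString() -ne 'True' })
if ($notEnabled.Count -gt 0) {
    Write-Error ("{0} rule(s) in '{1}' are still disabled." -f $notEnabled.Count, $displayGroup)
    exit 3
}

Write-Output ("Enabled {0} '{1}' rule(s) for the Domain profile." -f @($changed).Count, $displayGroup)
exit 0
```

As in the original command, `-Profile Domain` assigns every rule in the group to the Domain profile, so rules that were scoped to other profiles are re-scoped as well.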
  • Point taken. I have already enabled the network discovery in Group Policy but the "Turn on Network Discovery" radio button still says off?
    Friday, June 15, 2018 1:22 PM
  • Post in GP forum for help fixing GP issues.


    \_(ツ)_/

    Friday, June 15, 2018 1:34 PM
    Moderator