Batch files, Powershell, domains.....oh my!

  • Question

  • I am trying to create a batch file that will call a PowerShell script on my network. The below info in my batch file works, but only when I'm logged in as me on the domain. I am using the Master.ps1 script to call other PowerShell scripts for multiple things for new computers to our corporation.

    PowerShell.exe -NoProfile -Command "& {Start-Process PowerShell.exe -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""\\Location\Master.ps1""' -Verb RunAs}"

     Again, everything works fine when logged in on the domain as me, but I need it to work with an un-joined machine and generic local admin account.

    I have tried using: runas /user:domain\username PowerShell.exe -NoProfile -Command "& {Start-Process PowerShell.exe -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""\\Location\Master.ps1""' -Verb RunAs}"

    and it doesn't work. What I think the problem is, the credentials for the local machine are unable to get to the Powershell script on the network, but I also cannot get the computer to prompt me for the proper credentials.

    I am doing this as a batch file, so I don't have to change the execution policy on each machine before running the powershell script. I am new to scripting, so I really need help! Please someone tell me what I am doing wrong!

    Also, I am running the batch file as administrator, wish it were that easy!


    • Edited by NUFAN Thursday, September 1, 2016 6:53 PM
    Thursday, September 1, 2016 6:51 PM


All replies

  • You cannot access resources on a network you are not authenticated on.

    Why are you running so many copies of PowerShell?

    This is all you need.

    PowerShell.exe -File \\Location\Master.ps1


    \_(ツ)_/

    Thursday, September 1, 2016 10:43 PM
  • http://www.howtogeek.com/204088/how-to-use-a-batch-file-to-make-powershell-scripts-easier-to-run/

    That is where I have gotten the batch file information above. The method you gave me tells me the script hasn't been digitally signed. Also, the reason for the batch file code is to give all the admin access needed, bypass changing the execution policy on each machine, and helps remove the UAC prompts.

    Again, what I am trying to do is run a batch file (or whatever) to call a script that will call several other scripts. This Master.ps1 script is stored on a network drive, that I have permissions to, on my domain. I want to be able to run 1 single file that will automate the rest of my new machine setup. The new machine will NOT be on the domain, and will be logged into a generic local machine admin. I need my file to request a Username and Password to receive the network permissions, as I will not be the only person using it.

    The reason I am calling a script, from a script, to call scripts is because I have separated all the tasks I may need to automate individually, but would like to be able to run them all at once when setting up a new machine.

    Again, when logged in as me on the domain my previous stuff would run just fine. That's why I am nearly positive it is a permissions issue. When I try the runas /user:admin\myUsername the computer will generally do nothing.


    • Edited by NUFAN Friday, September 2, 2016 5:15 PM
    Friday, September 2, 2016 5:06 PM
  • You cannot access domain resources from a non-domain account from a machine that is not on the domain.

    No matter where you got the batch file from it is wrong.

    You may be able to connect a drive if the domain allows foreign connections.

    In Master.ps1

    $cred = Get-Credential domain\adminaccount
    New-PsDrive -Name S -PSProvider FileSystem -Root \\server\folder -Credential $cred

    Now you can access domain resources if the domain allows the connection.


    \_(ツ)_/

    Friday, September 2, 2016 5:27 PM
  • The script I have does work, and isn't incorrect. Maybe not how you would do it, but not incorrect. And I am able to navigate to my network resource just fine through windows explorer, because I am prompted for access rights. I do appreciate the help, but please stick to what I am asking about. If you don't have the answer, fine. I do not want to edit the master.ps1, as that is the file I need to be able to call. I am unable to call it with a script, because I am not being prompted to enter username and password. That is my issue. That is what I need resolved.

    Also, just to clarify, the machine is on the same network, just not connected to the domain. One of the scripts being called will, or should, join it to one of the domains. (We have 3, and thousands of users with several specific needs. That is why the scripts are in modules, able to be called separately, and one that will call them all.)

    • Edited by NUFAN Friday, September 2, 2016 5:40 PM
    Friday, September 2, 2016 5:34 PM
  • The script I have does work, and isn't incorrect. Maybe not how you would do it, but not incorrect. And I am able to navigate to my network resource just fine through windows explorer, because I am prompted for access rights. I do appreciate the help, but please stick to what I am asking about. If you don't have the answer, fine. I do not want to edit the master.ps1, as that is the file I need to be able to call. I am unable to call it with a script, because I am not being prompted to enter username and password. That is my issue. That is what I need resolved.

    Then you will need to clarify what it is you are asking. It seems you are saying that you cannot access your scripts on the remote network from a non-joined system. You have posted no error messages and no scripts. You posted only a very badly structured line from a batch file which is not a script. It is just a command line.

    You correctly note that local credentials won't work.  Of course they won't work connecting to a domain.  Only domain credentials will work.

    So you can see your question is vague and you seem to not have training in security in a domain environment.  Use a mapped drive to gain access to the files on the network.  Post the complete error message or exact code that causes your issue.

    You have to be clear.  We cannot see or guess what you are doing.

    Also you cannot RunAs a domain account from a non-domain system.


    \_(ツ)_/

    Friday, September 2, 2016 5:45 PM
  • My question is very clear.  My batch file needs to call a script, on the domain. I need my batch file to prompt for domain username and password. That has been stated many times, and very clear. I am very experienced in a lot of things, and don't need someone trying to degrade me. You, for some reason, can't understand a question, which has been stated very clearly multiple times. I need a solution, or to be pointed in the right direction. Please stop responding if you are going to try to talk down to me and not help.  My batch file listed above works just fine when logged in my domain account.

    I will state my issue 1 more time as clear as possible.

    I open a box, with a brand new computer. I set it up with a generic Admin user account. I need a file that will call my script located on my domain. I am able to type in the address in the run box, be prompted for credentials, and access it. I don't want to go through even that. I want to run, probably from a flash drive, a single file that will handle everything. So to be even more clear, and the only thing that needs a response: How can I make my batch file request domain credentials, when the computer is not joined to the domain?

    Also, I don't want to map the drive, because the computer will not be in my hands very long. I don't need permanent access to the resource, just 1 time access.

    I don't know how to make the question any more clear.


    • Edited by NUFAN Friday, September 2, 2016 6:30 PM
    Friday, September 2, 2016 6:28 PM
  • Sorry but what you are asking can really only be done from powershell. 

    powershell -command "& {$cred = Get-Credential domain\adminaccount; New-PSDrive -Name S -PSProvider FileSystem -Root \\server\folder -Credential $cred -Persist}"

    This will authenticate you on the domain and you will be able to access files on the share.

    You are trying to use a very Rube Goldberg way of deploying a system.  Study how to use the MDT tools as they have many methods to automate this task.

    You act like mapping a drive is a permanent thing.  It can easily be unmapped and the drive will only be visible to the admin account if you don't un-map it.

    https://technet.microsoft.com/en-us/windows/dn475741.aspx


    \_(ツ)_/

    Friday, September 2, 2016 7:30 PM
  • JRV,

    I have found a solution. I placed net use "\\location" in front of the command shown earlier. This allowed me to enter my credentials for the location, and then run my old command, to run it all. The reason I am doing it this way is we do not currently use MDT. I have limited control over what can be implemented here, so I am looking for ways to work around our outdated setup. 

    Just wanted to share my solution with you in case you ran into any other similar questions.

    • Marked as answer by NUFAN Tuesday, September 6, 2016 11:31 AM
    Tuesday, September 6, 2016 11:31 AM
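
The approach in the marked answer, written out as a complete batch file. This is an added example, not code posted in the thread: `\\server\folder` is a placeholder share path, the variable names are hypothetical, and it assumes the file is started with "Run as administrator" as the original poster describes.

```batch
@echo off
setlocal
rem Added example, not from the thread. \\server\folder is a placeholder path.
rem Assumes this file is started elevated, so the SMB session created by
rem net use belongs to the same logon session that runs the script.
set "SHARE=\\server\folder"

rem Ask who is connecting; no account name or password is stored in this file.
set /p "SHAREUSER=Domain account (DOMAIN\user): "
if not defined SHAREUSER (
    echo No account entered.
    exit /b 1
)

rem "*" makes net use prompt for the password without echoing it.
rem No drive letter is mapped, and deviceless connections are not persistent.
net use "%SHARE%" * /user:%SHAREUSER%
if errorlevel 1 (
    echo Could not authenticate to %SHARE%.
    exit /b 1
)

rem PowerShell is called directly rather than through Start-Process, so the
rem batch file waits here until Master.ps1 and the scripts it calls finish.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "%SHARE%\Master.ps1"
set "RC=%ERRORLEVEL%"

rem Drop the authenticated session so the domain credentials cannot be
rem reused by whoever works on the generic local admin account next.
net use "%SHARE%" /delete /y >nul

endlocal & exit /b %RC%
```

If the script is launched with `Start-Process ... -Verb RunAs` instead, the batch file does not wait for it, and the final `net use /delete` would remove the connection while the script is still running.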