How can I launch an executable that requires Admin rights with encrypted credentials?

  • Question

  • We are migrating from Windows 7 to Windows 10. Before the migration starts, the user will be required to run a business-related executable not related to the migration; however, this executable needs to be run as an administrator.
    Is there a way to run it from a PowerShell script with encrypted credentials?

    TIA


    -- Adam


    • Edited by Adam F Kings Wednesday, October 25, 2017 2:18 AM
    Wednesday, October 25, 2017 2:18 AM

All replies

  • Hi Adam,

    Is it important that it is run by the user account?

    If not, you could create a GPO to run the executable on logon of a user - the programme will be run as SYSTEM-account.

    KR

    Guenther


    • Edited by gpunktschmitz Thursday, October 26, 2017 5:41 AM link to wrong howto
    Wednesday, October 25, 2017 4:07 AM
  • A logon script is NOT run as system. It is run as the user. "Startup" and "Shutdown" scripts are run as system.


    \_(ツ)_/

    Wednesday, October 25, 2017 8:45 AM
  • You could tie it to a scheduled task that executes on logon with SYSTEM perms, which could also be deployed via GPO.
    Wednesday, October 25, 2017 9:22 AM
  • I know how to use a GPO; however, that is not what I would like to do. I would like the user to trigger the executable just before he starts the migration itself.

    How about if I wanted to run a PowerShell script self-elevated? Is it possible?


    -- Adam


    • Edited by Adam F Kings Wednesday, October 25, 2017 7:28 PM
    Wednesday, October 25, 2017 7:15 PM
  • Hi Adam,

    Based on my research, you could try the following demo script to run PowerShell with a specific credential. Hope it is helpful to you:

    # Account the new process should run as
    $username = 'domain\username'
    # Demo only: the password is typed in plain text and wrapped in a SecureString
    $password = ConvertTo-SecureString -String 'password' -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($username, $password)

    # Start a new PowerShell process under that credential and keep its window open
    Start-Process -FilePath powershell.exe -Credential $credential -ArgumentList '-NoExit', '-Command', 'Get-Process'

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 26, 2017 2:20 AM
  • That will not solve the issue as the encryption is per user. Only the user account that encrypted the string can decrypt it. It cannot be given to a second user and decrypted. Try it to see what I mean.


    \_(ツ)_/

    Thursday, October 26, 2017 9:06 AM
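
The per-user behaviour described in the reply above, as an added example that is not part of any poster's reply. It assumes Windows PowerShell 5.1; the sample password, the file name and the helper `Test-BlobReadable` are constructed for illustration. It also goes one step beyond the thread by showing the `-Key` form, where anyone holding the key can decrypt.

```powershell
# Constructed sample secret; no real account or password is used.
$secure = ConvertTo-SecureString -String 'Constructed-Sample-Pw1' -AsPlainText -Force

# 1) No -Key: Windows DPAPI protects the blob for the current user on this
#    computer. The file is useless to any other account.
$dpapiPath = Join-Path $env:TEMP 'sample-cred-dpapi.txt'   # hypothetical path
ConvertFrom-SecureString -SecureString $secure | Set-Content -Path $dpapiPath

# 2) With -Key: the blob is AES-encrypted with a key you supply. It is no
#    longer tied to a user, so whoever can read blob and key gets the password.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$aesPath = Join-Path $env:TEMP 'sample-cred-aes.txt'       # hypothetical path
ConvertFrom-SecureString -SecureString $secure -Key $key | Set-Content -Path $aesPath

function Test-BlobReadable {
    # Hypothetical helper: returns $true if the calling account can decrypt the file.
    param([string]$Path, [byte[]]$Key)
    try {
        $text = (Get-Content -Path $Path -Raw).Trim()
        if ($Key) { $s = ConvertTo-SecureString -String $text -Key $Key }
        else      { $s = ConvertTo-SecureString -String $text }
        # Recover the plaintext only to prove the round trip worked.
        $plain = [System.Net.NetworkCredential]::new('', $s).Password
        return ($plain.Length -gt 0)
    }
    catch {
        # A different user (or machine) lands here for the DPAPI blob.
        return $false
    }
}

# Run as the account that created the files, then again from a session
# started under a second account, and compare the two results.
[pscustomobject]@{
    User          = $env:USERNAME
    DpapiReadable = Test-BlobReadable -Path $dpapiPath
    AesReadable   = Test-BlobReadable -Path $aesPath -Key $key
}

# Clean up the sample files.
Remove-Item -Path $dpapiPath, $aesPath -ErrorAction SilentlyContinue
```

Neither form lets a standard user launch a program as an administrator without that user being able to recover the administrator password, which is why the replies in this thread point to SYSTEM-context delivery instead.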
  • The end game was an SCCM task sequence which deployed the app, wrote a registry key, and let the user know time was up; the migration TS started 10 minutes later if the key was present.

    -- Adam

    Sunday, October 29, 2017 4:01 AM
  • Hi,

    Good to hear that you have solved this issue by yourself. In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,
    Albert Ling


    Monday, October 30, 2017 8:56 AM