开发者

Run Command as administrator in PowerShell script. UAC

开发者 https://www.devze.com 2022-12-20 02:43 出处:网络
OK here is my issue: I am trying to run a script remotely on a server. I am an administrator on both boxes, firewall exceptions are in place, remote admin is enabled, and everything else looks goo

OK here is my issue:

I am trying to run a script remotely on a server.

I am an administrator on both boxes, firewall exceptions are in place, remote admin is enabled, and everything else looks good that i can see.

invoke-command -ComputerName $ComputerName -ScriptBlock `
{
    cd C:\Windows\System32\inetsrv\; 
    ./appcmd.exe ADD vdir /app.name:<SiteName>/ /path:/<VDir Name> /physicalPath:<Path to files>
}

I keep getting the following error in return

ERROR ( hresult:80070005, message:Failed to commit configuration changes. Access is denied.

The server it is trying to run on is a server 2k8 R2 box and I am thinking the issue is a UAC problem. Is there anyway to get this to run as administrator without having to click yes on a UAC box?

This piece of code will eventual开发者_如何学JAVAly become a script that will have to be completely automated.

Any help would be greatly appreciated.


OK. After some research and testing I figured out the issue. After disabling UAC and the firewall and the script still not working I dug a little deeper and discovered that the main issue was the way invoke-command runs the commands. it uses the credentials of the person running the script to authenticate to the server then tries to use another account to run the permissions or lowers the privileges of the user so that certain commands cannot be run.

I added the -Credentials switch to the invoke command and everything is working great now. Corrected code sample below:

$user = New-Object Management.Automation.PSCredential("$UserName", $securePassword)
invoke-command -ComputerName $ComputerName -Credential $user -ScriptBlock ` 
{ 
    cd C:\Windows\System32\inetsrv\;  
    ./appcmd.exe ADD vdir /app.name:<SiteName>/ /path:/<VDir Name> /physicalPath:<Path to files> 
} 


This seems to indicate that you need to ensure you are a local admin on the remote machine (although admittedly this is for WMI specifically). According to this you can change a registry key to stop UAC applying to remote logons for administrators (search for LocalAccountTokenFilterPolicy). That shouldn't disable UAC just not filter the token if you use powershell/WMI remotely with an administrator account.


Set the option "EnableLUA" (DWORD value) found in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0 and reboot.

This will disable UAC without a problem, I would do it for all your users, whether with or without permission is up to you.

This trick works in Windows Vista and Windows 7 too.


Is there anyway to get this to run as administrator without having to click yes on a UAC box?

If this were possible it would entirely defeat the point of UAC.

Thus, it would appear your only real solution is to disable UAC on the box.

0

精彩评论

暂无评论...
验证码 换一张
取 消