如何使用Powershell远程以提升的权限启动批处理脚本
[英]How can I start a batch script with elevated permissions remotely with powershell
问题描述
I'm writing a script which needs to run a batch on multiple remote Computers. 
我正在编写一个脚本,该脚本需要在多台远程计算机上运行批处理。 That batch scripts needs to run with Domain Admin privileges. 该批处理脚本需要以Domain Admin特权运行。
Is it even possible to achieve this with the Invoke-Command cmdlet? 甚至可以使用Invoke-Command cmdlet实现此目的吗?
I already enabled WinRM on the remote machine so I don't think that's the problem. 我已经在远程计算机上启用了WinRM,所以我认为这不是问题。
$computername = Read-Host "Enter Hostname"
$user = "mydomain\administrator"
$pwd = Read-Host "Enter Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential ("$user", $pwd)
Invoke-Command -ComputerName $computername -Credential $cred -ScriptBlock {
$remoteuser = "mydomain\administrator"
$remotepwd = Read-Host "Enter Password" -AsSecureString
$remotecred = New-Object System.Management.Automation.PSCredential ("$remoteuser", $remotepwd)
$script = "\\path_to_script\script.bat"
Start-Process $script -Credential $cred1
}
I expect the script to run under the domain admin credentials on the remote machine. 我希望该脚本在远程计算机上的域管理员凭据下运行。 Instead I get this error: 相反,我得到这个错误:
CategoryInfo : NotSpecified: (:) [Start-Process], UnauthorizedAccessException FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.StartProcessCommand PSComputerName : mycomputername
1 个解决方案
解决方案1
2 2019-01-04 11:40:02
Your $cred1 variable doesn't exist, it should be $remotecred : 您的$cred1变量不存在,应该被$remotecred :
Start-Process $script -Credential $remotecred
The variable name $pwd is reserved for 'print working directory'. 变量名$pwd保留用于“打印工作目录”。
You can see this by running a new powershell console and querying it, you'll get a value for the current working directory: 您可以通过运行新的powershell控制台并对其进行查询来看到此信息,您将获得当前工作目录的值:
PS C:\WINDOWS\system32> $pwd
Path
----
C:\WINDOWS\system32
Use something different like $pass instead. 请改用$pass类的东西。
I would also call CMD and pass your batch file in using /c ( documentation link ): 我还将调用CMD并使用/c ( 文档链接 )传递您的批处理文件:
Start-Process CMD -ArgumentList "/c $script" -Credential $remotecred
Putting all this into practice: 将所有这些付诸实践:
$computername = Read-Host "Enter Hostname"
$user = "mydomain\administrator"
$pass = Read-Host "Enter Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential ($user, $pass)
Invoke-Command -ComputerName $computername -Credential $cred -ScriptBlock {
$remoteuser = "mydomain\administrator"
$remotepwd = Read-Host "Enter Password" -AsSecureString
$remotecred = New-Object System.Management.Automation.PSCredential ("$remoteuser", $remotepwd)
$script = "\\path_to_script\script.bat"
Start-Process CMD -ArgumentList "/c $script" -Credential $remotecred
}
If you are actually using the same credentials for the remote session as you are to launch the batch file, then you don't need the second set of credentials. 如果您实际上使用与启动批处理文件相同的凭据来进行远程会话,则不需要第二组凭据。
As the remote session is running as mydomain\\administrator any processes it spawns will also run as that user: 当远程会话以mydomain\\administrator身份运行时,它产生的任何进程也将以该用户身份运行:
$computername = Read-Host "Enter Hostname"
$user = "mydomain\administrator"
$pass = Read-Host "Enter Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential ($user, $pass)
Invoke-Command -ComputerName $computername -ScriptBlock {
$script = "\\path_to_script\script.bat"
Start-Process CMD -ArgumentList "/c $script"
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.