[英]Install as local admin user
I have a task of installing applications through Intune, 98% of all the installations are fine.我有一个通过 Intune 安装应用程序的任务,所有安装的 98% 都很好。 but I have an issue with some of them.但我对其中一些有疑问。
The issue is when an application can't be installed or just run by the system account.问题是当应用程序无法安装或仅由系统帐户运行时。
I've tried to create a local admin account, and then let the script start the other script as that account, but here the windows security kicks in - the system account is not allowed to run Start-Process我试图创建一个本地管理员帐户,然后让脚本以该帐户启动另一个脚本,但这里 windows 安全启动 - 不允许系统帐户运行 Start-Process
I use PSExec64.exe to start the powershell.exe我使用 PSExec64.exe 启动 powershell.exe
here is the code to do the install这是进行安装的代码
$InstallUser = "IntuneInstaller"
$password = -join ((33..126) | Get-Random -Count 32 | ForEach-Object {[char]$_})
$passwordSecure = ConvertTo-SecureString -AsPlainText $password -Force
$null = New-LocalUser "$InstallUser" -Password $passwordSecure -FullName "$InstallUser" -Description "Automated Install Account" -AccountNeverExpires -PasswordNeverExpires
Add-LocalGroupMember -Group "Administrators" -Member "$InstallUser" -ErrorAction SilentlyContinue
$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($InstallUser,$passwordSecure)
Start-Process PowerShell.exe -Credential ($Credentials) -WorkingDirectory "c:\sysman" -ArgumentList "c:\SysMan\WriteMyNameInTheSand.ps1 -MyName $env:USERNAME -MyLocation c:\sysman -MyMessage $password" -Wait -WindowStyle Hidden
Remove-LocalUser -Name "$InstallUser"
It woks fine if I run it as adminstrator - but if I run it as Systemaccount I get the error:如果我以管理员身份运行它,它会很好 - 但如果我以 Systemaccount 身份运行它,我会收到错误消息:
Start-Process : This command cannot be run due to the error: Access is denied.
At C:\SysMan\RunInstallAsAdminUser.ps1:20 char:1
+ Start-Process Powershell.exe -Credential ($Credentials) -WorkingDirec ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
Anyone with a good sugestion?有人有好的建议吗?
The troubleshooting question here is:这里的故障排除问题是:
The point is that you take for the password all the characters between [char]33
and [char]126
which might include characters that might affect or even break the command line for the PowerShell.exe
command-line interface as eg a single quote ( '
):关键是您将[char]33
和[char]126
之间的所有字符作为密码,这些字符可能包括可能影响甚至破坏PowerShell.exe
命令行界面的命令行的字符,例如单引号 ( '
):
$Message = "te'st"
Start-Process PowerShell.exe -ArgumentList "-NoExit", "-Command Write-Host $Message" -Wait
The string is missing the terminator: '.该字符串缺少终止符:'.
+ CategoryInfo: ParserError: (:) [], ParentContainsErrorRecordException + 类别信息: ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId: TerminatorExpectedAtEndOfString + FullyQualifiedErrorId:TerminatorExpectedAtEndOfString
In other words, you might want to use a more sophisticated password generator as in this question换句话说,您可能想像这个问题一样使用更复杂的密码生成器
Creating a temporary account with a random password might be a smart thing to do here but passing a plaintext password to the C:\SysMan\RunInstallAsAdminUser.ps1
script isn't secure (someone might simply spoof that script and create a few other admin accounts).使用随机密码创建临时帐户可能是明智的做法,但将明文密码传递给C:\SysMan\RunInstallAsAdminUser.ps1
脚本并不安全(有人可能会简单地欺骗该脚本并创建一些其他管理员帐户).
As for ConvertTo-SecureString -AsPlainText $password -Force
statement, a SecureString shouldn't be used and if you do:至于ConvertTo-SecureString -AsPlainText $password -Force
语句, 不应使用 SecureString ,如果您这样做:
A SecureString object should never be constructed from a String , because the sensitive data is already subject to the memory persistence consequences of the immutable String class. The best way to construct a SecureString object is from a character-at-a-time unmanaged source, such as the Console.ReadKey method. SecureString object 永远不应从String构造,因为敏感数据已经受到不可变字符串class 的 memory 持久性后果的影响。构造SecureString object 的最佳方法是从一次一个字符的非托管源,例如Console.ReadKey方法。
Meaning instead of this:意思不是这个:
$password = -join ((65..90) | Get-Random -Count 32 | ForEach-Object {[char]$_})
$passwordSecure = ConvertTo-SecureString -AsPlainText $password -Force
It is safer to do this:这样做更安全:
$passwordSecure = [SecureString]::New()
(65..90) | Get-Random -Count 32 | ForEach-Object { $passwordSecure.AppendChar([Char]$_) }
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.