如何运行同时使用本地和提升权限的 powershell 脚本？

Question

我需要编辑两个注册表项。 一个需要由本地用户运行，另一个需要由具有提升权限的帐户运行。

如何编写以不同用户身份运行但仍可以访问本地用户凭据的脚本？

Answer 1

作为管理员，如果您可以获得该用户的 SID，您也可以为当前登录的用户设置注册表值。 有了它之后，您就可以通过HKEY_USERS配置单元访问本地用户注册表。

Import-Module ActiveDirectory

# set this to the registry path, property name and value you need to access
$regPath   = 'Software\SomePath\SomeKey'
$propName  = 'ThePropertyName'
$propValue = 'ThePropertyValue'
$propType  = 'String'           # use any of the `[Microsoft.Win32.RegistryValueKind]` enum values or names

# get the domain\username of the user currently logged in to the computer
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
# get the SID for that user 
$sid = (Get-ADUser -Identity ($user -split '\\', 2)[0]).SID
if (!$sid) {
    throw "Could not determine the SID for user '$user'"
}

# Admin registry: HKEY_LOCAL_MACHINE
$path = Join-Path -Path 'HKLM:' -ChildPath $regPath
Set-Itemproperty -Path $path -Name $propName -Value $propValue -Type $propType

# Current user registry: HKEY_USERS
$path = Join-Path -Path "Registry::HKEY_USERS\$sid" -ChildPath $regPath
Set-Itemproperty -Path $path -Name $propName -Value $propValue -Type $propType

---

正如mklement0评论的那样，上面的代码使用ActiveDirectory模块通过Get-ADUser当前登录用户的 SID。
如果这对您来说是不可能的，或者您不在 AD 域中，以下辅助函数也可以获取 SID，而无需 ActiveDirectory：

function Get-UserSID {
    param (
        [Parameter(ValuefromPipeline = $true, Position = 0)]
        [Alias('Account', 'User')]
        [string]$UserName = $env:USERNAME,
        [string]$Domain   = $env:USERDOMAIN
    )
    if ($UserName.Contains("\")) { $Domain, $UserName = $UserName -split '\\', 2 }   #"# split on the backslash
    try {
        $objUser = New-Object System.Security.Principal.NTAccount($Domain, $UserName)
        $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
        $strSID.Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "User '$UserName' does not exist in '$Domain'"
    }
    catch {
        throw
    }
}

把它放在你的脚本之上，然后用作：

# get the domain\username of the user currently logged in to the computer
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
# get the SID for that user 
$sid = Get-UserSID $user

---

获取 SID 的第三种可能方法是读取注册表：

# get the domain\username of the user currently logged in to the computer
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
# get the SID for that user by probing the registry
$sid = ((Get-ItemProperty -Path 'Registry::HKEY_USERS\S-*\Volatile Environment' |
         Where-Object { ('{0}\{1}' -f $_.USERDOMAIN, $_.USERNAME) -eq $user }).PSParentPath -split '\\')[-1]

Answer 2

您可以使用密钥“-credential”来设置将更改注册表的用户，例如：

New-Item –Path "HKCU:\dummy" –Name newregistrykey -Credential myuser@domain

或设置属性：

Set-Itemproperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'someProcess' -value 'C:\Program Files\someapp\myprogramm.exe' -Credential myuser@domain

您可以将两个信用保存到变量中，例如：

$localCred = Get-Credential
$domainCred = Get-Credential