[英]PowerShell run Command as different User when Credential Parameter is missing
我需要运行一个常见的 PowerShell 命令来触发远程计算机上工作流之外的组策略更新“gpupdate”。 工作流在系统用户上下文中运行,它没有客户端上的本地管理员权限来强制执行远程“gpupdate”。 出于这个原因,我导入了一个带有“Import-CliXml”的 PowerShell 凭证安全字符串,以在客户端本地管理员用户的 scope 中运行该语句。
但是,我要使用的命令不支持本机凭据参数。 我需要为远程客户端使用一个参数。 Invoke-GPUpdate -Computer $client -RandomDelayInMinutes 0
我尝试了许多来自互联网的方法,但它对我不起作用:
Start-Process powershell.exe -Credential $credentials -ArgumentList $ProcessCommand -WorkingDirectory $env:windir -NoNewWindow -PassThru
Start-Process powershell.exe -wait -Credential $credentials -ArgumentList "-command &{Start-Process Powershell.exe -argumentlist '$($cmnd)' -verb runas -wait}"
如果我测试从 PowerShell 控制台发送远程 gpupdate,该控制台由远程客户端上的本地管理员用户启动,它可以工作。
有没有人有这个问题的解决方案? 非常感谢!
当我使用 PowerShell 连接到远程计算机以在这些计算机上执行命令时,我通常运行以下命令。 我留下了我的代码示例供您用来执行 Invoke-GPUpdate
#Local Host Computer
#$RequestingServer = $env:COMPUTERNAME
#Server List From Text File
#$ServerList = Get-Content 'C:\temp\servicetest\servers.txt'
#Server List In Script
$ServerList = 'Computer1','Computer2','Computer3','Computer4'
#Domain Admin Account
[STRING]$DomainAccountName = (whoami)
[STRING]$DomainAccountName = $DomainAccountName.Split("\")[1]
[STRING]$DomainAccountPassword = "Password01" #Obviously Change Password
$DomainAccountSecurePassword = $DomainAccountPassword | ConvertTo-SecureString -AsPlainText -Force
$DomainCredentials = New-Object System.Management.Automation.PSCredential -ArgumentList $DomainAccountName, $DomainAccountSecurePassword
#Local Server Admin Account
[STRING] $LocalUser = "Administrator" #Obviously Change Account
[STRING] $LocalPassword = "Password01" #Obviously Change Password
$LocalSecurePassword = $LocalPassword | ConvertTo-SecureString -AsPlainText -Force
$LocalCredentials = New-Object System.Management.Automation.PSCredential -ArgumentList $LocalUser, $LocalSecurePassword
#If running on multiple computers / servers etc. - - See Lines 5 and 8
ForEach($ComputerName in $ServerList) {
#Update Windows Something Locally - See Line 2
#$DomainSession = New-PSSession -Computername $RequestingServer -Credential $DomainCredentials
#Update Windows Something Remotely - See Lines 5 and 8
$DomainSession = New-PSSession -Computername $ComputerName -Credential $DomainCredentials
Invoke-Command -Session $DomainSession -ScriptBlock {
#Some commands need the computername currently using localhost...
$GPUpdateServer = $Using:ComputerName
#$GPUpdateServer = $Using:RequestingServer
# enter code of what you plan to do...
Invoke-GPUpdate -Computer $GPUpdateServer -RandomDelayInMinutes 0
}
} End of ForEach Statement
#If running on multiple computers / servers etc. - - See Lines 5 and 8
ForEach($ComputerName in $ServerList) {
#Update Windows Something Locally - See Line 2
#$LocalSession = New-PSSession -Computername $RequestingServer -Credential $LocalCredentials
#Update Windows Something Remotely - See Lines 5 and 8
$LocalSession = New-PSSession -Computername $ComputerName -Credential $LocalCredentials
Invoke-Command -Session $LocalSession -ScriptBlock {
#Some commands need the computername currently using localhost...
$GPUpdateServer = $Using:ComputerName
#$GPUpdateServer = $Using:RequestingServer
# enter code of what you plan to do...
Invoke-GPUpdate -Computer $GPUpdateServer -RandomDelayInMinutes 0
}
} End of ForEach Statement
更详细地面对这个问题,我用远程 PowerShell session 测试了上述方法。 这需要在域中进行更多准备,以便将所有必要的 GPO 设置部署到所有客户端以使 WinRM 正常工作。
远程 PowerShell 方法有效,但我发现Invoke-GPUpdate
命令仅在安装了 RSAT 的客户端上可用。 因此,仅适用于 IT 部门的少数客户。
$Session = New-PSSession -Computername $clientname -Credential $domainAccountWithLocalAdminRights
Invoke-Command -Session $Session -ScriptBlock { Invoke-GPUpdate -Computer $env:ComputerName -RandomDelayInMinutes 0 }
$Session | Remove-PSSession
我切换到了另一种对我有用的方法,而无需使用远程 PS 会话。 在客户端完全静默,您只会在 Windows 事件查看器中找到触发的 gpupdates。
Invoke-Command -ComputerName $clientname -ScriptBlock { gpupdate } -Credential $domainAccountWithLocalAdminRights
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.