
I'm trying to run a SharePoint Warm-up PowerShell script (spbestwarmup) from a Scheduled Task under/as a certain service account (also run when user is not logged on). This script tries to get elevated rights and outputs some logging to the Windows 'Application' Event Log.

I already tried everything mentioned in this SO answer here: How to run a PowerShell script from a batch file

The only way I got it to work was by pointing the scheduled task to a .bat file with the following content:

     powershell -command "& 'D:\SPBestWarmUp.ps1' "

which triggers the PowerShell script file. AND I had to add the service account to the local built-in 'Administrators' user group on my SharePoint server.

This last action, adding the user to the 'Administrators' group, isn't allowed in my customer's IT infrastructure, because of security reasons. They use, rightfully of course, the law of least privilege. So my question is:

What MINIMAL rights/privileges/policies etc. does a service account need in this case? So I don't need to assign local Administrator rights to it.

Maarten Docter
  • Well first question, can that `SPBestWarmUp.ps1` run outside of an Administrative PowerShell session (e.g. title bar for PowerShell showing `Administrator: Windows PowerShell`)? –  Feb 29 '16 at 16:40
  • No, it can't run in a 'normal' non-administrative PowerShell session. When I try to do so, it detects this non-elevated state, shows the following message 'Reloading the PowerShell with elevated rights.', displays a UAC confirmation window and starts a new Administrative PowerShell session/window to continue in... – Maarten Docter Mar 01 '16 at 10:11
  • The script you're using needs the command "Add-SPShellAdmin" (Note in the bottom of the page). And this command adds the specified user to the group WSS_Admin_WPG. You'll have to convince the IT or use another script. – Thibault Gandon Mar 01 '16 at 14:19
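
An added example, not part of the original question or its comments: a diagnostic that can be set as the scheduled task's action to record the security context the service account actually receives, covering the elevation state and the WSS_Admin_WPG membership discussed above. The function name and the output file path are assumptions made for illustration.

```powershell
# Added example (not from the original post): report the token the task runs with.
# Get-TaskSecurityContext and the output path below are hypothetical names.
function Get-TaskSecurityContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Resolve the token's group SIDs to names; keep the raw SID if resolution fails.
    $groups = foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }

    # Privileges held by the token, as reported by whoami.
    $privileges = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        Account                 = $identity.Name
        # True only when the token is an elevated member of local Administrators.
        IsElevatedAdministrator = $principal.IsInRole($adminRole)
        # Group named in the comments as the one Add-SPShellAdmin adds the user to.
        InWssAdminWpg           = [bool]($groups -match '\\WSS_Admin_WPG$')
        Groups                  = $groups
        EnabledPrivileges       = @($privileges |
                                    Where-Object { $_.State -eq 'Enabled' } |
                                    ForEach-Object { $_.'Privilege Name' })
    }
}

# The task runs without a console, so write the report to a file (hypothetical path).
Get-TaskSecurityContext | Format-List | Out-File -FilePath "$env:TEMP\task-context.txt"
```

Comparing the report from a run with and without the 'Administrators' membership shows which groups and privileges differ between the two tokens.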

0 Answers