
I looked at "PowerShell Running as Administrator not working?" but I must be missing something...

I need to run this on Windows 10 (PowerShell version 5.1). The purpose of my PowerShell script 'Add2LocalAdministrators.ps1' is to add the currently logged-in user to the local Administrators group. I need to run the script as the logged-on user with elevated (local administrator) privileges.

I can run it passing a plain-text username and password, or I can first run another script to store them in a file as encrypted text.

  • How, from where, and under which security context are you running the script? What happens when you specify `-Verb RunAs`? Is the user not prompted for consent? Does it throw an error? – Mathias R. Jessen Feb 12 '21 at 17:42
  • Just run your script as a scheduled task, set it to run with an admin account to add the user to the local admin group. The user does not have to interact with that script at all. You only need the user name to add the user to a group. If you are saying you are creating a new user to then add to the group, then yes you need the user creds for that. Even with that, you can make that up and force the user to change it on the next logon. – postanote Feb 12 '21 at 20:23
  • Since you are not showing your script, just know that to add a user to a group, PowerShell has cmdlets for that: [Add-LocalGroupMember](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/add-localgroupmember?view=powershell-5.1). So you don't really need a script, just this cmdlet in a scheduled task. Or just use `net localgroup Administrators [username] /add` in a scheduled task. – postanote Feb 12 '21 at 20:26
  • As for this... `I need to run the script as the logged on user with elevated (local administrator) privileges.` The user would need to know the admin creds to respond to the UAC prompt. If they know that, then why would they need to add their normal user account to the admin group? Putting credentials in a script in plain text is a very bad idea, and your security/risk management folks will not be happy if this is discovered. There are better ways to do this. – postanote Feb 12 '21 at 20:31
  • You can use the System account (using psexec or software distribution), it does not need UAC to run elevated – Christophe Feb 13 '21 at 00:45
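The approach the comments converge on (a scheduled task running as SYSTEM that calls `Add-LocalGroupMember`, so no password is ever written to disk) looks like this in practice. This is an added example, not code from the question or the commenters. It assumes Windows 10 with Windows PowerShell 5.1, and that the deploying script itself already runs elevated or as SYSTEM (via software distribution, `psexec -s`, or an admin console), because registering a task under the SYSTEM principal requires that; the task name and the `C:\ProgramData` script path are placeholders chosen for the example.

```powershell
# Added example (not from the original post): add the console user to the local
# Administrators group from a scheduled task running as SYSTEM, with no stored credentials.
# Assumptions: Windows 10 / PowerShell 5.1, and this deployer runs elevated or as SYSTEM.
$taskName   = 'Add2LocalAdministrators'                      # assumption: arbitrary task name
$scriptPath = 'C:\ProgramData\Add2LocalAdministrators.ps1'   # assumption: deploy location

# The task has no "current user" of its own (it runs as SYSTEM), so the helper script
# resolves the interactive console user from WMI. Win32_ComputerSystem.UserName is
# DOMAIN\user (or COMPUTER\user for local accounts), or $null if nobody is logged on.
$helperBody = @'
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $user) { exit 1 }                                   # nobody at the console
$already = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -eq $user }
if ($already) { exit 0 }                                     # idempotent: already a member
Add-LocalGroupMember -Group 'Administrators' -Member $user
'@

# Write the helper and lock it down: SYSTEM will execute this file, so a standard user
# must not be able to edit it (SIDs avoid localized group names).
Set-Content -Path $scriptPath -Value $helperBody -Encoding ASCII
icacls $scriptPath /inheritance:r /grant:r '*S-1-5-18:(F)' '*S-1-5-32-544:(F)' '*S-1-5-32-545:(RX)' | Out-Null

# Register the task under the SYSTEM principal. This call fails with "Access is denied"
# when the deployer is a standard user, which is exactly the UAC point made above.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
             -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
             -ExecutionTimeLimit (New-TimeSpan -Minutes 5)
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
    -Settings $settings -Force | Out-Null

# Run it once on demand, wait for it to finish, report the helper's exit code, then clean up.
Start-ScheduledTask -TaskName $taskName
do {
    Start-Sleep -Seconds 2
} while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running')
$result = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
Remove-Item -Path $scriptPath -Force

# Verify from the deployer's side rather than trusting the exit code alone.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
                  Where-Object { $_.Name -eq $consoleUser })
"Task exit code: $result; $consoleUser in Administrators: $isAdmin"
```

Two things worth checking before using this. First, the helper file is written and then executed as SYSTEM, so the `icacls` step matters: if a standard user could replace its contents between write and run, they would get arbitrary code execution as SYSTEM, which is a far bigger grant than local admin. Second, this makes the user a permanent local administrator; if the real need is a one-off elevated action, run that action from the SYSTEM task instead and leave the group membership alone.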

0 Answers