Run BAT file as a Local User Account

0
votes

I pulled this from another question, but I cannot seem to make this work.

I need to run this .bat file as a local admin account. I want users to be able to run and install this without having local admin rights.

I'm not sure what's wrong though.

$username = 'localadmin'
$password = 'passwordforlocaladmin'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process -Filepath "p:\kaceInstaller\kaceinstall3.bat" -Credential $credential

The error I'm getting back is:

Start-Process : This command cannot be executed due to the error: The directory
name is invalid.
At P:\kaceInstaller\misc\kaceSetup.ps1:7 char:14
+ Start-Process <<<<  cmd -Credential $credential
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommandy
1
powershell
I am assuming that the P drive is a network drive? If so you may need to put a line in there regarding net use P: <path to share> I think the equivalent of this cmd in PS is New-PSDrive –Name “P” –PSProvider FileSystem –Root “\\touchsmart\share” –PersistDevnsyde
Thanks--the network drive is already mapped by group policy to P:. It's also calling the .bat file from the same working directory.superKing
The error makes me think it doesnt like something about that path, if you run it from C does it behave the same?Devnsyde
If Start-Process used with credentials is anything like running a shortcut with right click Run As Administrator then I THINK everything is run in the context of the hidden local admin account, which doesn't have the drive letter mapped. If you use a UNC path does it work?Gordon
@superKing, yep, the problem is with the network drive. It's mapped for the logged in user all right, but you are trying to start the process under a different user, who is not logged on, and thus for that use the drive is not mapped. I've seen this many times but I'm not aware of a work-around.Andrew Savinykh

1 Answers

1
votes

If you want to allow users to run something as a local administrator account without effectively giving them the password to the local admin account, I would suggest to create a scheduled task running as a local admin. Users can manually trigger that task, which will then be executed under the local admin account. Creating the task withoug saving the credentials should work, but even if you have to save the credentials they won't be accessible to your users.

For access to network shares you may need to connect/disconnect the share with explicit credentials from within the script that the scheduled task runs, though, because the local account usually doesn't have permission to access the network drives mapped by your domain user.

net use X: \\server\share\kaceInstaller password /user:DOMAIN\user
call X:\kaceinstall3.bat
net use X: /d

Make DOMAIN\user a dedicated account that has access only to \\server\share and nothing else to minimize risk.

Note that you must make sure that the script run by the task is not writable by regular users, otherwise they will be able to run arbitrary commands with admin privileges by simply modifying the script.