0
votes

We need to run a PowerShell script to set the IPv6 address of a Windows 2012 R2 server VM (vSphere 6.0 or 6.5) after the VM has been cloned and sys-prepped.

The script is uploaded to C:\windows\temp using VMware guest tools and is executed automatically using the credentials of a local administrator account. It gets executed in PowerShell but the functions called fail with an "access denied" error message.

UAC is active on the OS but the local security policy setting for "UAC: Behaviour of the elevation prompt for administrators in admin approval mode" is set to disabled. The script can be run manually in PS in any mode but only succeeds if the PS is started in administrator mode.

The question is, how can we get the script to run in Administrator mode without any user interaction at all, or being able to use a pre-stored credential set? The script also has to have 3 arguments passed to it.

All the answers I have found so far require user interaction (not possible) or storing an encrypted password, which doesn't work due to the sysprep following cloning.

2
Please format your question a bit as it's quite hard to read right now. - Andrei Matracaru
For help with your code: show your code and the exact error message. - Ansgar Wiechers
It is not the code that is the problem - that works fine if the powershell.exe is run (manually) as Administrator. It is about the Windows UAC settings required to be able to call powershell via the VMware Guest Tools without an interactive user session, i.e. using saved credentials for a local user that is not the local user called Administrator. - user8499098
There may be something here that can assist you: blogs.msdn.microsoft.com/virtual_pc_guy/2010/09/23/… - Paolis

2 Answers

1
votes

Try giving this a go:

powershell -noprofile -command "&{ start-process powershell -ArgumentList '-noprofile -file C:\script\psfile.ps1' -verb RunAs}"

Source: https://social.technet.microsoft.com/Forums/ie/en-US/acf70a31-ceb4-4ea5-bac1-be2b25eb5560/how-to-run-as-admin-powershellps1-file-calling-in-batch-file?forum=winserverpowershell

0
votes

Solution we found:

The local or Domain Administrator accounts (and only these) have a preset UUID that tells the OS that this user can bypass the UAC settings for Admin users, it seems. Other Users in the local Administrators group or Domain Admins group do not have this and are therefore subject to UAC restrictions requiring interactive UI.

The change of Administrator password which is forced upon us by the VMware customization can be worked around by recording the new password in a variable in our application, which is then used as a credential set for executing the PowerShell script call later in the same workflow.

It is annoying that Windows 2012R2 should force the use of this account name by not having any rule allowing other admin users to elevate their privileges for the execution of PowerShell cmdlets.
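
An added example, not part of the original posts: a PowerShell check that can be launched through the same non-interactive path as the provisioning script to show whether the process token is elevated, whether the account is the built-in Administrator (its SID ends in -500), and which UAC policy values are in effect. The registry value names are the standard UAC policy values; the report layout and the exit code convention are assumptions of this sketch.

```powershell
# Added diagnostic sketch (not from the original posts).
# Launch it exactly the way the provisioning script is launched, so that it
# describes the token of that non-interactive session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# With a UAC-filtered token the Administrators group is deny-only, so this is
# $true only when the process holds the full (elevated) administrator token.
$isElevated = $principal.IsInRole($adminRole)

# The built-in Administrator (local or domain) has RID 500 as the last SID part.
$isBuiltinAdmin = $identity.User.Value -match '^S-1-5-21-.+-500$'

# UAC policy values; a value that is absent means the OS default applies.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key

function Get-PolicyValue([string]$Name) {
    if ($policy.PSObject.Properties.Name -contains $Name) { $policy.$Name }
    else { '(not set)' }
}

[pscustomobject]@{
    User                       = $identity.Name
    Sid                        = $identity.User.Value
    IsBuiltinAdministrator     = $isBuiltinAdmin
    IsElevated                 = $isElevated
    # "Run all administrators in Admin Approval Mode"
    EnableLUA                  = Get-PolicyValue 'EnableLUA'
    # "Behavior of the elevation prompt for administrators in Admin Approval Mode"
    ConsentPromptBehaviorAdmin = Get-PolicyValue 'ConsentPromptBehaviorAdmin'
    # "Admin Approval Mode for the Built-in Administrator account"
    FilterAdministratorToken   = Get-PolicyValue 'FilterAdministratorToken'
} | Format-List

# Assumed convention for this sketch: non-zero exit code when not elevated,
# so the calling workflow can stop before the network cmdlets fail.
if (-not $isElevated) {
    Write-Warning 'Process token is not elevated; cmdlets that need admin rights will return access denied.'
    exit 1
}
```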