Elevated function()


Not Ranked
Posts 2
musch Posted: 07-10-2012 4:12 AM

Is it possible to elevate a single function call? I know the credentials for the AD user I want to elevate to, so is it possible to do something like this:

Function RunAsElevated() {
  $credential = New-Object System.Management.Automation.PsCredential($username,$securePassword)
  ElevateSessionRights($credential)
  # Do something as elevated user
  ClearSessionElevated()
}

Top 25 Contributor
Posts 341
Top Contributor

Wouldn't it be easier to just ask the admin to run the whole script elevated?

Not Ranked
Posts 2

I am afraid that is not an option. My challenge is that this function is part of a larger script. And due to security reasons, I need to run the majority of the script with a minimum of privileges, and just a tiny bit as a different account. But I guess I have to split it into separate scripts and do a "run as different user" on the shell.

Top 10 Contributor
Posts 1,748
Microsoft MVP
Top Contributor

Thomas: easier - yes, according to the best practices - no.

Musch: Any process is assigned its privileges at startup. Elevating a process is not actually done on the process itself, but on a newly created process that is assigned appropriate privilege. A great source of information is this link http://weblogs.asp.net/kennykerr/archive/2006/09/29/Windows-Vista-for-Developers-_1320_-Part-4-_1320_-User-Account-Control.aspx where the UAC and the mechanisms behind it are thoroughly described.

I am afraid that creating a new process is the only option, but you can still pass a [scriptblock] to the newly created powershell process.

---- Although I am not sure if this is your case, be aware that it is possible to convert a secure string to a readable string within the user context. Hence saving an administrator password that is known to the user who uses the script is OK, but passing another user's credentials is not safe at all.

Jakub Jares
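One way to do what Jakub describes, as an added example that is not code from the thread: keep the bulk of the script in the caller's own process and hand only one script block to a separate powershell.exe started under another account. It assumes a Windows host with powershell.exe on PATH; the function name, the account and the privileged step are placeholders.

```powershell
# Added example (not from the thread). Run the least-privileged part as the
# caller and give only one script block to a new powershell.exe process that
# runs as a different account.

function Invoke-AsOtherUser {
    param(
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # powershell.exe -EncodedCommand takes the script text as base64 of UTF-16LE,
    # which sidesteps quoting problems when passing a block on the command line.
    $encoded = [Convert]::ToBase64String(
        [Text.Encoding]::Unicode.GetBytes($ScriptBlock.ToString()))

    # Privileges are assigned per process, so the privileged work becomes its
    # own process; nothing in the current session changes. -Credential runs it
    # as the other account. Caveat: under UAC this gives that account's normal
    # (filtered) token; a full admin token needs -Verb RunAs, which cannot be
    # combined with -Credential.
    $p = Start-Process -FilePath 'powershell.exe' `
        -ArgumentList '-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded `
        -Credential $Credential -Wait -PassThru
    return $p.ExitCode
}

# Prompt for the credential at run time instead of storing it in the script:
# a SecureString saved by a user can be read back by that same user, so it only
# protects a secret the user is already allowed to know (Jakub's warning above).
$cred = Get-Credential -Message 'Account for the privileged step'

# ... least-privilege work happens here, in the current process ...

$exit = Invoke-AsOtherUser -Credential $cred -ScriptBlock {
    # Placeholder privileged step; a terminating error makes the child exit 1.
    Restart-Service -Name 'Spooler' -ErrorAction Stop
}
Write-Host "Privileged step finished with exit code $exit"
```

Because the parent waits on the child, the script keeps its order of operations, and the credential never has to be written to disk.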

Top 25 Contributor
Posts 341
Top Contributor

I'm not so clear on the best practice point. If you need to run something as an admin, then run it as an admin. It's not so much a best practice as a necessity! If you see what I mean.

In addition to creating a new process, you could also write a web service to run locally and send messages to the service to get it to do things.

But at the end of the day, running admin-necessary scripts as admin seems to me to be by far the easiest! I guess I'm just pragmatic.

Of course, I'd also tell the admins: one strike and you're out - one mistake using that script and they can find a new job somewhere else. :-)

Copyright 2012 PowerShell.com. All rights reserved.