PowerShell 运行 缺少凭据参数时以不同用户身份执行命令
PowerShell run Command as different User when Credential Parameter is missing
我需要 运行 一个常用的 PowerShell 命令来触发远程计算机上工作流之外的组策略更新“gpupdate”。
系统用户上下文中的工作流 运行s,它没有客户端的本地管理员权限来强制执行远程“gpupdate”。
出于这个原因,我将带有“Import-CliXml”的 PowerShell 凭证安全字符串导入到 运行 该用户范围内的语句,该用户是客户端上的本地管理员。
但是,我要使用的命令不支持本机凭据参数。我需要为远程客户端使用一个参数。
Invoke-GPUpdate -Computer $client -RandomDelayInMinutes 0
我尝试了很多网上的方法,但都不适合我:
Start-Process powershell.exe -Credential $credentials -ArgumentList $ProcessCommand -WorkingDirectory $env:windir -NoNewWindow -PassThru
Start-Process powershell.exe -wait -Credential $credentials -ArgumentList "-command &{Start-Process Powershell.exe -argumentlist '$($cmnd)' -verb runas -wait}"
如果我测试将远程 gpupdate 发送出 PowerShell 控制台,该控制台由远程客户端上的本地管理员用户启动,它可以工作。
有人解决了这个问题吗?
非常感谢!
当我使用 PowerShell 连接到远程计算机以在这些计算机上执行命令时,我通常 运行 以下内容。我已经留下了我的代码示例供您用来执行 Invoke-GPUpdate
#Local Host Computer
#$RequestingServer = $env:COMPUTERNAME
#Server List From Text File
#$ServerList = Get-Content 'C:\temp\servicetest\servers.txt'
#Server List In Script
$ServerList = 'Computer1','Computer2','Computer3','Computer4'
#Domain Admin Account
[STRING]$DomainAccountName = (whoami)
[STRING]$DomainAccountName = $DomainAccountName.Split("\")[1]
[STRING]$DomainAccountPassword = "Password01" #Obviously Change Password
$DomainAccountSecurePassword = $DomainAccountPassword | ConvertTo-SecureString -AsPlainText -Force
$DomainCredentials = New-Object System.Management.Automation.PSCredential -ArgumentList $DomainAccountName, $DomainAccountSecurePassword
#Local Server Admin Account
[STRING] $LocalUser = "Administrator" #Obviously Change Account
[STRING] $LocalPassword = "Password01" #Obviously Change Password
$LocalSecurePassword = $LocalPassword | ConvertTo-SecureString -AsPlainText -Force
$LocalCredentials = New-Object System.Management.Automation.PSCredential -ArgumentList $LocalUser, $LocalSecurePassword
#If running on multiple computers / servers etc. - - See Lines 5 and 8
ForEach($ComputerName in $ServerList) {
#Update Windows Something Locally - See Line 2
#$DomainSession = New-PSSession -Computername $RequestingServer -Credential $DomainCredentials
#Update Windows Something Remotely - See Lines 5 and 8
$DomainSession = New-PSSession -Computername $ComputerName -Credential $DomainCredentials
Invoke-Command -Session $DomainSession -ScriptBlock {
#Some commands need the computername currently using localhost...
$GPUpdateServer = $Using:ComputerName
#$GPUpdateServer = $Using:RequestingServer
# enter code of what you plan to do...
Invoke-GPUpdate -Computer $GPUpdateServer -RandomDelayInMinutes 0
}
} End of ForEach Statement
#If running on multiple computers / servers etc. - - See Lines 5 and 8
ForEach($ComputerName in $ServerList) {
#Update Windows Something Locally - See Line 2
#$LocalSession = New-PSSession -Computername $RequestingServer -Credential $LocalCredentials
#Update Windows Something Remotely - See Lines 5 and 8
$LocalSession = New-PSSession -Computername $ComputerName -Credential $LocalCredentials
Invoke-Command -Session $LocalSession -ScriptBlock {
#Some commands need the computername currently using localhost...
$GPUpdateServer = $Using:ComputerName
#$GPUpdateServer = $Using:RequestingServer
# enter code of what you plan to do...
Invoke-GPUpdate -Computer $GPUpdateServer -RandomDelayInMinutes 0
}
} End of ForEach Statement
更详细地面对这个问题,我用远程 PowerShell 会话测试了上面的方法。这需要在域中进行更多准备,以便将所有必要的 GPO 设置部署到所有客户端以使 WinRM 正常工作。
远程 PowerShell 方法有效,但我发现 Invoke-GPUpdate 命令仅适用于安装了 RSAT 的客户端。所以只适用于 IT 部门的少数客户。
$Session = New-PSSession -Computername $clientname -Credential $domainAccountWithLocalAdminRights
Invoke-Command -Session $Session -ScriptBlock { Invoke-GPUpdate -Computer $env:ComputerName -RandomDelayInMinutes 0 }
$Session | Remove-PSSession
我切换到另一种方法,这种方法在不使用远程 PS 会话的情况下对我有效。在客户端上完全没有提示,您将仅在 Windows 事件查看器中找到触发的 gpupdates。
Invoke-Command -ComputerName $clientname -ScriptBlock { gpupdate } -Credential $domainAccountWithLocalAdminRights
我需要 运行 一个常用的 PowerShell 命令来触发远程计算机上工作流之外的组策略更新“gpupdate”。 系统用户上下文中的工作流 运行s,它没有客户端的本地管理员权限来强制执行远程“gpupdate”。 出于这个原因,我将带有“Import-CliXml”的 PowerShell 凭证安全字符串导入到 运行 该用户范围内的语句,该用户是客户端上的本地管理员。
但是,我要使用的命令不支持本机凭据参数。我需要为远程客户端使用一个参数。
Invoke-GPUpdate -Computer $client -RandomDelayInMinutes 0
我尝试了很多网上的方法,但都不适合我:
Start-Process powershell.exe -Credential $credentials -ArgumentList $ProcessCommand -WorkingDirectory $env:windir -NoNewWindow -PassThru
Start-Process powershell.exe -wait -Credential $credentials -ArgumentList "-command &{Start-Process Powershell.exe -argumentlist '$($cmnd)' -verb runas -wait}"
如果我测试将远程 gpupdate 发送出 PowerShell 控制台,该控制台由远程客户端上的本地管理员用户启动,它可以工作。
有人解决了这个问题吗? 非常感谢!
当我使用 PowerShell 连接到远程计算机以在这些计算机上执行命令时,我通常 运行 以下内容。我已经留下了我的代码示例供您用来执行 Invoke-GPUpdate
#Local Host Computer
#$RequestingServer = $env:COMPUTERNAME
#Server List From Text File
#$ServerList = Get-Content 'C:\temp\servicetest\servers.txt'
#Server List In Script
$ServerList = 'Computer1','Computer2','Computer3','Computer4'
#Domain Admin Account
[STRING]$DomainAccountName = (whoami)
[STRING]$DomainAccountName = $DomainAccountName.Split("\")[1]
[STRING]$DomainAccountPassword = "Password01" #Obviously Change Password
$DomainAccountSecurePassword = $DomainAccountPassword | ConvertTo-SecureString -AsPlainText -Force
$DomainCredentials = New-Object System.Management.Automation.PSCredential -ArgumentList $DomainAccountName, $DomainAccountSecurePassword
#Local Server Admin Account
[STRING] $LocalUser = "Administrator" #Obviously Change Account
[STRING] $LocalPassword = "Password01" #Obviously Change Password
$LocalSecurePassword = $LocalPassword | ConvertTo-SecureString -AsPlainText -Force
$LocalCredentials = New-Object System.Management.Automation.PSCredential -ArgumentList $LocalUser, $LocalSecurePassword
#If running on multiple computers / servers etc. - - See Lines 5 and 8
ForEach($ComputerName in $ServerList) {
#Update Windows Something Locally - See Line 2
#$DomainSession = New-PSSession -Computername $RequestingServer -Credential $DomainCredentials
#Update Windows Something Remotely - See Lines 5 and 8
$DomainSession = New-PSSession -Computername $ComputerName -Credential $DomainCredentials
Invoke-Command -Session $DomainSession -ScriptBlock {
#Some commands need the computername currently using localhost...
$GPUpdateServer = $Using:ComputerName
#$GPUpdateServer = $Using:RequestingServer
# enter code of what you plan to do...
Invoke-GPUpdate -Computer $GPUpdateServer -RandomDelayInMinutes 0
}
} End of ForEach Statement
#If running on multiple computers / servers etc. - - See Lines 5 and 8
ForEach($ComputerName in $ServerList) {
#Update Windows Something Locally - See Line 2
#$LocalSession = New-PSSession -Computername $RequestingServer -Credential $LocalCredentials
#Update Windows Something Remotely - See Lines 5 and 8
$LocalSession = New-PSSession -Computername $ComputerName -Credential $LocalCredentials
Invoke-Command -Session $LocalSession -ScriptBlock {
#Some commands need the computername currently using localhost...
$GPUpdateServer = $Using:ComputerName
#$GPUpdateServer = $Using:RequestingServer
# enter code of what you plan to do...
Invoke-GPUpdate -Computer $GPUpdateServer -RandomDelayInMinutes 0
}
} End of ForEach Statement
更详细地面对这个问题,我用远程 PowerShell 会话测试了上面的方法。这需要在域中进行更多准备,以便将所有必要的 GPO 设置部署到所有客户端以使 WinRM 正常工作。
远程 PowerShell 方法有效,但我发现 Invoke-GPUpdate 命令仅适用于安装了 RSAT 的客户端。所以只适用于 IT 部门的少数客户。
$Session = New-PSSession -Computername $clientname -Credential $domainAccountWithLocalAdminRights
Invoke-Command -Session $Session -ScriptBlock { Invoke-GPUpdate -Computer $env:ComputerName -RandomDelayInMinutes 0 }
$Session | Remove-PSSession
我切换到另一种方法,这种方法在不使用远程 PS 会话的情况下对我有效。在客户端上完全没有提示,您将仅在 Windows 事件查看器中找到触发的 gpupdates。
Invoke-Command -ComputerName $clientname -ScriptBlock { gpupdate } -Credential $domainAccountWithLocalAdminRights