JanusBarinan-8508 asked:

gpo no admin rights but can ran scripts

Hi,

I'd like to implement a group policy for certain accounts where the rights for those users are OS admin of their servers ($theirhost) but no interactive login, or no OS admin rights but the ability to run their scripts/apps with admin privilege (their script is a PowerShell script that allows them to create A host records on DNS servers).

Here is the script:
# Account that is delegated to create DNS records (password is hard-coded here as posted)
$username = "accountusertocreatednsrecord"
$password = "randompassword"
# The user's own server; the script connects here first, then that session calls the DNS server
$theirhost = "10.10.10.5"
Write-Host ""
Write-Host "currently executing script on host: $theirhost"
Write-Host "Connecting to remote host/share via CredSSP"
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList @($username, (ConvertTo-SecureString -String $password -AsPlainText -Force))
# CredSSP is used so the second hop ($theirhost -> addns.mydomain.com) can present the delegated credential
Invoke-Command -ComputerName $theirhost -ScriptBlock { Add-DnsServerResourceRecord -A -IPv4Address 10.10.10.10 -Name testhost01 -ZoneName mydomain.com -ComputerName addns.mydomain.com } -Authentication CredSSP -Credential $cred


I have tried delegating DNS rights to the accounts, but it is not working. The script only worked when I added the users to the local Administrators group.

Is there a way for these users to execute the script successfully without being admins on their servers?

windows-group-policy

FanFan-MSFT answered:

Hi,
How about creating a scheduled task for the users and giving the user the highest privileges to run the script?

[screenshot: 3311.jpg]
Best Regards,


Hi,
Feel free to share your current situation if there are any updates.
Please let us know if you need further assistance.
 
Best Regards,


The user should not have the "Allow log on locally" right or interactive login, but he has to be able to run the script. In your suggestion above, scheduled tasks will be used to run the script? There is no fixed time to run the script; it is only run as needed.

FanFan-MSFT answered:

Hi,
If the user can't log on interactively, I'm afraid the user group policy can't be refreshed.
Instead of the user configuration, how about the computer configuration?
You can select:
[screenshot: 4062.jpg]

And there are also settings for:
[screenshot: 4061.jpg]
For group policy, this is the only one I can think of.


Forget about Task Scheduler first.

How about the Run As feature?
Let's say account A will be used to log in to the server machine. Then, inside the machine, applications will be run under a different account using the RunAs feature. How can it be done? The user account for "Run as another user" should have admin rights to the machine, right? This "run as another user" account must have no interactive logon rights.

[screenshot: image.png]
FanFan-MSFT answered:

Hi,

Regarding your point, how about configuring the following policy to assign users the right to log on as a service:

[screenshot: 4074.jpg]

Best Regards,


It did not work for me. I am unable to Run As a different user as long as that Deny Logon setting is in place.

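The thread ends without a way to let the account create DNS records while holding neither local admin nor an interactive logon right. Just Enough Administration (JEA) is built for exactly that split: the user connects over PowerShell remoting (a network logon, which "Deny log on locally" does not block) to an endpoint that exposes only the one cmdlet, and the work runs under a temporary virtual account. The following is an added example, not code from any participant in the thread; the group name MYDOMAIN\DNS-RecordCreators, the capability and endpoint names, and the transcript directory are assumptions, while the DNS server, zone and record values are taken from the question's script.

```powershell
# Run once, elevated, on the DNS server (addns.mydomain.com). Assumed names: AD group
# MYDOMAIN\DNS-RecordCreators, role capability DnsRecordCreator, endpoint DnsRecords.
$modPath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsRecordCreator'
New-Item -ItemType Directory -Path (Join-Path $modPath 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modPath 'DnsRecordCreator.psd1')

# Role capability: the only visible command is Add-DnsServerResourceRecordA, and the
# ZoneName parameter is pinned so the role cannot write into any other zone.
New-PSRoleCapabilityFile -Path (Join-Path $modPath 'RoleCapabilities\DnsRecordCreator.psrc') `
    -ModulesToImport 'DnsServer' `
    -VisibleCmdlets @{
        Name       = 'Add-DnsServerResourceRecordA'
        Parameters = @(
            @{ Name = 'Name' },
            @{ Name = 'IPv4Address' },
            @{ Name = 'ZoneName'; ValidateSet = 'mydomain.com' }
        )
    }

# Session configuration: commands run under a virtual account that exists only for the life
# of the session (a local admin on a member server, a domain admin on a domain controller,
# so the narrow role capability above is what keeps the blast radius small). Every session
# is transcribed, which gives the DNS team an audit trail of who created which record.
New-PSSessionConfigurationFile -Path "$env:TEMP\DnsRecords.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'MYDOMAIN\DNS-RecordCreators' = @{ RoleCapabilities = 'DnsRecordCreator' } }
Test-PSSessionConfigurationFile -Path "$env:TEMP\DnsRecords.pssc"
Register-PSSessionConfiguration -Name DnsRecords -Path "$env:TEMP\DnsRecords.pssc" -Force

# What the delegated user runs instead of the CredSSP script in the question. The account
# is not a local admin, needs no "Allow log on locally" right, and no CredSSP delegation:
# the endpoint sits on the DNS server itself, so there is no second hop.
Invoke-Command -ComputerName addns.mydomain.com -ConfigurationName DnsRecords -ScriptBlock {
    Add-DnsServerResourceRecordA -Name testhost01 -IPv4Address 10.10.10.10 -ZoneName mydomain.com
}
```

Members of the group still need "Access this computer from the network" on the DNS server; any other cmdlet, or an attempt to pass a different ZoneName, is rejected by the endpoint before it runs.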