
Is there a secure and practical way to give a group of users a PowerShell script to run on their laptops?

The users all have active directory accounts, but their computers are not joined to any domain.

The end goal is to get a basic hardware inventory of each laptop, minimizing the number of required user clicks and the user interaction time. Of course there is hardware asset/inventory software, but it would be ideal to not spend a lot of admin time learning/setting it up, and free is always nice.

The PowerShell script I have (glad to share) collects everything and e-mails it to any address. It only took 15 minutes to write, but now I need to get it sent out to users.

Client laptops are guaranteed Windows 10 fully updated.

Edit:

  • The email is sent using user credentials. A script command uses a system challenge to request the uid/pwd from the user, so they are never part of the script.

  • One security concern I didn't mention is how to allow them to run the script. It seems you can't download and double-click to run a ps script; is there a way to sign them that would allow this? I've found a util to compile it to an .exe, which may work but seems to encourage bad habits.

  • I can't walk around and run it myself because the users are all over the country.

whitneyland
  • Can the user edit the script? :) – Mark Buffalo Aug 31 '17 at 01:55
  • [You can digitally sign PowerShell scripts](https://blogs.technet.microsoft.com/heyscriptingguy/2010/06/17/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2/) – Polynomial Aug 31 '17 at 09:55
  • You needn't walk around _physically_. Windows 10, 8, and 7 all come with Windows Remote Assistance built into the OS. [Here’s how to use the feature](https://www.technipages.com/windows-send-remote-assistance-invitation). – JosefZ Oct 05 '17 at 14:19

1 Answer


From a security perspective there is no issue, aside from maybe an awareness problem (e.g. users being taught to execute scripts they might not understand). Do note that most computers may not allow the execution of PowerShell scripts by default; it is something that must be enabled.

One thing to note: how does it actually email all of those things back to you? Does it open their Outlook or does it generate a file that they send back to you? You would not want to hardcode credentials in the script.

The best way would actually be to visit each user, and run the script yourself manually.

Lucas Kauffman
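
The signing route raised in the question and comments, combined with the execution-policy point in the answer, as an added example that is not part of the original posts. It assumes a code-signing certificate in the admin's personal store whose chain the laptops already trust; the file name `Get-HardwareInventory.ps1` and the thumbprint value are placeholders.

```powershell
# ---------- Admin workstation: sign before distributing ----------
$scriptPath = '.\Get-HardwareInventory.ps1'   # hypothetical file name

# Pick an unexpired code-signing certificate from the personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No unexpired code-signing certificate found.' }

# Add -TimestampServer <your CA's timestamp URL> so the signature
# stays verifiable after the certificate itself expires.
$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
if ($signed.Status -ne 'Valid') { throw "Signing failed: $($signed.StatusMessage)" }

# Give users this value through a separate channel (not the same e-mail).
"Signer thumbprint: $($cert.Thumbprint)"

# ---------- User laptop: verify, then run ----------
$expectedThumbprint = '<THUMBPRINT-FROM-ADMIN>'   # placeholder

$sig = Get-AuthenticodeSignature -FilePath $scriptPath

# 'Valid' means the file is unmodified since signing AND the certificate
# chains to a root this laptop trusts. These laptops are not domain joined,
# so an internal AD CA root is not trusted automatically.
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run: signature status is $($sig.Status)."
}

# Pin the signer so a validly signed script from someone else is rejected.
if ($sig.SignerCertificate.Thumbprint -ne $expectedThumbprint) {
    throw 'Refusing to run: script is signed by an unexpected certificate.'
}

# AllSigned applies to this one process only; the machine-wide policy is
# left unchanged. PowerShell itself refuses the script if it was edited
# after signing.
powershell.exe -NoProfile -ExecutionPolicy AllSigned -File $scriptPath
```

The credential prompt described in the question still happens inside the signed script at run time, so no password is covered by or embedded in the signature.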