
I want to run a batch file on all my domain clients via GPO (Scripts/Logon), but the problem is that administrator privilege is required to run the batch file. I wanted to know whether there is any command or script to put the username and password of the admin in this batch file so that, when the file is run, admin privilege on the clients is automatically given to this file and the file executes with this privilege. By the way, this file is executed only once, and after making the desired settings this GPO is completely deleted. I am aware of the risk of this, but I want to do it.

1 Answer


I'd recommend creating a Scheduled Task on each machine with a Logon Trigger so that it executes your script when any user logs on. The task itself can run under SYSTEM or Local Service or whatever.

You can configure your script so that it removes the Scheduled Task when it's done, although if it's supposed to run with every user that logs on (since you were enquiring re a logon script), that probably isn't necessary. In that case, ensure your script has some way to tell if the changes have been made first so it can exit gracefully.

If you might be updating your script regularly, you could configure your GPO to copy it to a local directory when the user logs on, while the Scheduled Task runs a simple batch after being triggered to loop around checking for the main script to be written to the local directory, then call it once it's there.

Here's an example of how to configure a Scheduled Task to run at logon (although I would not use the Administrator account to execute the task): https://sid-500.com/2017/07/26/how-to-automatically-start-powershell-at-every-logon/

Note that there are ways in which you can potentially cache a credential in a PowerShell script, but it's complicated to seal it so it'll run on any computer. A Scheduled Task deployed to your machines at build time or pushed via some other process (like SCCM) is much easier.

LeeM
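
The approach described in the answer, as an added PowerShell example that is not the answerer's code and is not taken from the linked article: run once from an elevated session (at build time or from a deployment tool), it registers a logon-triggered task that runs as SYSTEM, so no admin password is stored anywhere. The worker script exits if a marker file shows the changes were already made and removes the task when it finishes. The task name, directory, file names and marker file are assumptions.

```powershell
# Added example. All names and paths below are hypothetical.
$TaskName   = 'OneTimeClientSetup'
$WorkDir    = 'C:\ProgramData\OneTimeSetup'
$ScriptPath = Join-Path $WorkDir 'Apply-Settings.ps1'
$Marker     = Join-Path $WorkDir 'done.marker'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Restrict the directory to SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544).
# Without this, a standard user could replace the script that SYSTEM executes.
icacls $WorkDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Worker script: idempotent (checks the marker first) and self-removing.
# $Marker and $TaskName are expanded now; `$false is kept literal for the worker.
$worker = @"
if (Test-Path -LiteralPath '$Marker') { exit 0 }   # changes already made

# --- the one-time settings changes go here ---

New-Item -ItemType File -Path '$Marker' -Force | Out-Null
Unregister-ScheduledTask -TaskName '$TaskName' -Confirm:`$false
"@
Set-Content -LiteralPath $ScriptPath -Value $worker -Encoding UTF8

# Task definition: fires at any user's logon, runs as SYSTEM with no stored password.
# -ExecutionPolicy Bypass applies to this one powershell.exe process only.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Confirm which account the task will run under.
(Get-ScheduledTask -TaskName $TaskName).Principal.UserId
```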