I have an .exe that needs to run via GPO. I attempted to do it via a batch script; however, it needs to run on user machines and this requires elevation, as they aren't local admins. Rather than touching each machine to set up a local admin and having the GPO run off that, I'd like to set up a PowerShell script to start an elevated session, either PS or CMD, it doesn't matter.

The big blocker is detecting the host name of each machine so I can use:

New-PSSession hostname -Auth CredSSP -cred domain\adminuser

I toyed with the idea of having it detect the IP address and then do a DNS lookup for the user, but aside from the issues with that, I imagine this is far more work than necessary. I tried researching similar issues on here, but I'm unable to find a similar situation with the above blocker.

Batch File:

@echo off
rem Skip the install if the service files are already present (64-bit or 32-bit path).
if exist "C:\Program Files\directorypath\service.*" goto END
if exist "C:\Program Files (x86)\directorypath\service.*" goto END
rem Otherwise run the silent installer straight from the share.
"\\SERVER\FOLDER\installer.exe" --mode unattended
:END

Using runas didn't seem entirely appropriate for this issue, and I'd rather avoid putting my password or a generic admin password in a plain-text file.

  • You seem to be in a domain, so what's the issue with having the scheduled task run as a domain user who happens to be part of the local Administrators group? I'm also confused about your issue with the New-PSSession - you said "the big blocker is detecting the host name of each machine." Are you saying you could use a central orchestrator, but don't have a list of computers you need to remote to run the install? The Computers OU doesn't have what you need? – Matthew Wetmore Dec 23 '16 at 18:53
  • It's my understanding that I would need it to point at the computer or user objects specifically via hostname. I want this to run via the assigned objects within an AD OU dynamically without relying on "hard coded" information. Truth be told, I'm not all that familiar with Windows administration, so if I'm wrong on that, please correct me. – Thatsnotamuffin Dec 23 '16 at 18:57
  • Let's simplify your request - do I have it right? "On a bunch of machines, I need to run an installer. The installer itself, of course, needs to run elevated on the target machines. The installer is currently hosted on a remote share. I am in a domain, and the machines themselves are domain joined and already grouped into OUs." Anything I missed? – Matthew Wetmore Dec 23 '16 at 19:03
  • No, you're good, that's the quick and dirty of it. – Thatsnotamuffin Dec 23 '16 at 19:04
  • Does the installer need to run as a domain or other specific user, or is it completely a local install once you can contact the remote share? Katherine gives a suggestion that relies on the machine account having access to the share, but if the installer needs access to other network resources or to set up as a particular user, that wouldn't work. – Matthew Wetmore Dec 23 '16 at 23:35
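The "central orchestrator" model raised in the comments, as an added example that is not part of the original question: a script run from a management host that enumerates the targets from the OU (so no hostnames are hard-coded), copies the installer through the remoting session, and runs it on each machine. Copying through the session means the target never has to reach the share itself, which removes the Kerberos second hop that the question's `-Auth CredSSP` was working around, so no password is stored or forwarded. The OU path, marker paths and assumptions about WinRM being enabled and the caller being a local admin on the targets are mine, not the page's.

```powershell
#Requires -Version 5.0
#Requires -Modules ActiveDirectory
# Added example (not from the question or answers). Assumes: RSAT AD module on
# the management host, WinRM reachable on the targets, and the invoking user
# holds local admin rights there via Kerberos, so no credential is stored.
param(
    [string]$SearchBase    = 'OU=Workstations,DC=example,DC=com',  # assumed OU
    [string]$InstallerPath = '\\SERVER\FOLDER\installer.exe',      # from the question
    [string]$InstallerArgs = '--mode unattended'                   # from the question
)

# Targets come from the directory at run time; nothing per-host is hard-coded.
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
           Select-Object -ExpandProperty DNSHostName

$results = foreach ($computer in $targets) {
    try {
        # Kerberos-authenticated session: the target gets a ticket, not our password.
        $session = New-PSSession -ComputerName $computer -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Computer = $computer; Status = 'Unreachable'; Detail = $_.Exception.Message }
        continue
    }
    try {
        # Stage the binary over the session. The remote side never opens the
        # share, so there is no second hop and no reason to enable CredSSP.
        Copy-Item -Path $InstallerPath -Destination 'C:\Windows\Temp\installer.exe' `
                  -ToSession $session -ErrorAction Stop

        Invoke-Command -Session $session -ArgumentList $InstallerArgs -ScriptBlock {
            param([string]$installerArgs)
            # Same idempotency test as the batch file in the question.
            $markers = 'C:\Program Files\directorypath\service.*',
                       'C:\Program Files (x86)\directorypath\service.*'
            if ($markers | Where-Object { Test-Path $_ }) {
                return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = 'AlreadyInstalled'; Detail = '' }
            }
            $exe = 'C:\Windows\Temp\installer.exe'
            $p = Start-Process -FilePath $exe -ArgumentList $installerArgs -Wait -PassThru -NoNewWindow
            Remove-Item -Path $exe -Force -ErrorAction SilentlyContinue
            $status = if ($p.ExitCode -eq 0) { 'Installed' } else { 'Failed' }
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = $status; Detail = "exit code $($p.ExitCode)" }
        }
    } catch {
        [pscustomobject]@{ Computer = $computer; Status = 'CopyOrRunFailed'; Detail = $_.Exception.Message }
    } finally {
        Remove-PSSession -Session $session
    }
}

# One row per machine, including the ones that could not be reached.
$results | Format-Table Computer, Status, Detail -AutoSize
```

Run it as the domain account that is already a local administrator on the targets (an interactive admin session on the management host is enough). The reason to prefer this over CredSSP is that CredSSP hands the target machine your reusable plaintext credential, so a compromised workstation would learn the admin password; Kerberos remoting plus `Copy-Item -ToSession` gets the same result without that exposure. It is a push model, so machines that are off when it runs need a re-run or a scheduled task.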

1 Answer

You can add your admin user to local administrators with a startup script of net localgroup administrators domain\adminuser /add.

I don't think that's necessary, though. I'd think that your batch script would run just fine as a startup script for computers. It would run as the computer account, so computer accounts would need access to the share.

Katherine Villyard
  • I unfortunately wasn't able to use this method due to some other security policies we have. Instead, I set up a blanket scheduled task to install the agent. I appreciate your help though. – Thatsnotamuffin Dec 27 '16 at 22:39
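The startup-script approach from the answer, as an added example that is not from the answer or the question: a PowerShell computer startup script that mirrors the batch file above. Startup scripts run as LocalSystem, so the share is opened with the computer account (`HOSTNAME$`) and no credential is stored anywhere; the hostname the question worried about is simply `$env:COMPUTERNAME` on the machine itself. Beyond the batch file it adds logging, an explicit reachability check (so a missing share ACL is distinguishable from an installer failure), and an Authenticode check before executing, since whatever sits on that share runs as SYSTEM on every machine. Paths, the event source name and the assumption that the vendor signs the installer are mine.

```powershell
# Added example (not from the question or answer). Assign under
# Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup.
# Runs as LocalSystem; the UNC share is reached as the computer account.

$InstallerPath = '\\SERVER\FOLDER\installer.exe'     # from the batch file in the question
$InstallerArgs = '--mode unattended'                 # from the batch file in the question
$MarkerGlobs   = @(
    'C:\Program Files\directorypath\service.*',      # from the batch file in the question
    'C:\Program Files (x86)\directorypath\service.*'
)
$RequireSigned = $true                               # assumption: installer.exe is Authenticode-signed
$LogSource     = 'AgentInstallStartup'               # assumed event source name
$LogPath       = Join-Path $env:ProgramData 'AgentInstall.log'

function Write-Log {
    param([string]$Message, [ValidateSet('Information','Error')][string]$Level = 'Information')
    $line = '{0} {1} {2} {3}' -f (Get-Date -Format 's'), $env:COMPUTERNAME, $Level, $Message
    Add-Content -Path $LogPath -Value $line
    # Mirror to the Application log so central event collection sees it.
    try {
        if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
            New-EventLog -LogName Application -Source $LogSource
        }
        $id = if ($Level -eq 'Error') { 2 } else { 1 }
        Write-EventLog -LogName Application -Source $LogSource -EntryType $Level -EventId $id -Message $Message
    } catch { }   # file log already written; never fail the install because of logging
}

# 1. Idempotency: same test as the batch file, exit quietly if already installed.
foreach ($glob in $MarkerGlobs) {
    if (Test-Path -Path $glob) {
        Write-Log "Already installed ($glob present); nothing to do."
        exit 0
    }
}

# 2. Reachability: the computer account needs Read on both the share and NTFS ACLs
#    (e.g. grant Domain Computers read). A failure here is a permissions problem,
#    not an elevation problem, since we are already SYSTEM.
if (-not (Test-Path -Path $InstallerPath -PathType Leaf)) {
    Write-Log "Cannot read $InstallerPath as $env:COMPUTERNAME`$; check share and NTFS permissions." 'Error'
    exit 1
}

# 3. Integrity: anything on that share runs as SYSTEM on every machine in the OU,
#    so refuse an unsigned or altered binary rather than trusting the share alone.
if ($RequireSigned) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        Write-Log "Refusing to run $InstallerPath; signature status is $($sig.Status)." 'Error'
        exit 1
    }
    Write-Log "Signature valid; signer: $($sig.SignerCertificate.Subject)"
}

# 4. Install, wait, and surface the exit code so a failed run is visible in the log.
Write-Log "Starting $InstallerPath $InstallerArgs"
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $InstallerArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    Write-Log "Installer exited with code $($proc.ExitCode)." 'Error'
    exit $proc.ExitCode
}
Write-Log 'Install completed successfully.'
exit 0
```

Two practical points. First, because every domain computer runs this as SYSTEM, the share should be readable by computer accounts but writable only by the people who publish installers; a share that is writable by ordinary users is effectively SYSTEM on every workstation, which is what the signature check is there to catch. Second, if the script does not run at all, check the PowerShell execution policy on the clients; the Group Policy setting "Turn on Script Execution" under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell controls it centrally.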