Windows 7 login without credential prompt using powershell

I'm trying to automate a task using powershell and I need the computer to restart multiple times. I'm doing this by scheduling a job that runs at startup that executes different scripts, and after that I use Restart-Computer to reboot the pc.
My problem is that I want it to be completely autonomous, but right now I need to input username and password at startup to access my profile. I know that if there is a single user on the machine and if it doesn't have a password it gets logged in automatically, but there are two users on the machine. Is there a way to automatically login after a reboot to a pre-selected windows account with powershell? Thanks
EDIT: I also have to execute programs that have a GUI, so I need authentication anyways.

Related

VBS as LocalSystem in RDP

Using PSEXEC to run a VBS as the LocalSystem account, to let the script run with admin rights.
VB script called prompts and GUIs are not visible if a person is connected to the computer via RDP.
You can see the script or GUI as a running process in task manager, but it is not visible.
Windows Security setting preventing this? Limitation of RDP?
Your script is running in an invisible desktop so you cannot run a denial of service attack on the interactive user of the physical computer.
This is normal.
State what your goal is rather than why your solution to an unknown problem doesn't work.
It doesn't matter your intentions.
This question is better suited to https://serverfault.com as you are trying to administer a network by programming rather than how it's designed to be administered.
Normally one uses logon scripts or group policy to set the RunOnce key.

Start a service from a webapp with administrator privileges passing by a batch file

I'm working on a monitoring app that is running on a vm and I want my colleagues to be able to use it without connecting on the vm. It works fine but I have one problem.
One of my goals is to start/stop services using a batch file or a cmd file (using Class Runtime in my back). The problem is that I need administrator privileges to do that. All the methods I found (such as Runas or some batch files) only work if the user is on the vm and enters the password or clicks on the "do you want to run this application as administrator" pop-up. I would like to not use the task scheduler to always start cmd as an admin. I already know you can use software such as "Sanur" but I prefer not to.
The only way to make it work is to start the app as an admin and it works fine (I'm using the "net start/stop" command). But I would like to let everyone start this app (in case I'm not here).
It's not a problem to write the login/password in the file.
Is there a way to do so?
The vm runs on Windows 7.
Thank you in advance.
You don't need to be Administrator to start and stop a service, you just need the privilege. With Windows 7 Professional you can do this through the built-in group policy editor.
With Windows 7 Home, there is no policy editor.
I use a tool called SetACL to do this, e.g.:
setacl -on "service-name" -ot srv -actn ace -ace "n:betrand;p:start_stop"
Where "service-name" is the name of the service, and betrand is the user which you want to allow to start and stop the service.
A complete list of options is available on the website:
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/
Another option is the SubInACL tool directly from Microsoft.
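A way to verify the result of a grant like the SetACL one above, as an added example that is not part of the original answer: it reads the service's security descriptor with `sc.exe sdshow` and reports which accounts may start or stop the service, and whether any of them can also reconfigure it. The service name `Spooler` and the function name `Get-ServiceAclReport` are placeholders chosen for this example.

```powershell
# Added example (not from the answer): report which accounts hold start/stop or
# reconfiguration rights on a service. 'Spooler' is a placeholder service name.
param([string]$ServiceName = 'Spooler')

# Access-mask bits for service objects and the standard rights that matter here.
$RightBits = @{
    START         = 0x00000010   # SERVICE_START
    STOP          = 0x00000020   # SERVICE_STOP
    CHANGE_CONFIG = 0x00000002   # SERVICE_CHANGE_CONFIG
    WRITE_DAC     = 0x00040000   # may rewrite the ACL itself
    WRITE_OWNER   = 0x00080000   # may take ownership
}
$Dangerous = 'CHANGE_CONFIG', 'WRITE_DAC', 'WRITE_OWNER'

function Get-ServiceAclReport {
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $held = @($RightBits.Keys | Where-Object { $ace.AccessMask -band $RightBits[$_] } | Sort-Object)
        if ($held.Count -eq 0) { continue }
        # Resolve the SID to a name; keep the raw SID if it cannot be mapped.
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        New-Object PSObject -Property @{
            Account     = $who
            Rights      = $held -join ','
            CanReconfig = [bool](@($held | Where-Object { $Dangerous -contains $_ }).Count)
        }
    }
}

# sc.exe prints the descriptor as SDDL, preceded by a blank line.
$sddl = ((& sc.exe sdshow $ServiceName) -join '').Trim()
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed for '$ServiceName': $sddl" }
Get-ServiceAclReport -Sddl $sddl | Format-Table Account, Rights, CanReconfig -AutoSize
```

An account that was only meant to start and stop the service should show START,STOP with CanReconfig set to False; a True there means the account can change what the service runs.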

Auto set password at initial boot on Windows Server

I set up virtual servers with Windows Server 2008/2012. I want to automate the password setting process for the Windows guest.
My script would run like:
bash setupwindows.sh <kvmid> <password>
Then setupwindows.sh would mount the LVM, place the powershell script into the autostart directory and start the server.
I can change the password over windows cmd with
net user Administrator password
My question is: in which directory on the Windows guest do I need to place the powershell script to get it started on boot, without a user being logged in?
I think the problem here is that you're approaching this with a linux/Bash style approach, which can lead you around in circles big time when trying this in Windows, as the two platforms have inherent differences.
If you want to set your password at build time, and your machine is on a domain, then use Group Policy to set the default Admin Password using the setting found under Computer Configuration -> Expand Preferences -> Control Panel -> Local Users and Groups -> New - Local User -> Select Update as the action -> type Administrator into the User name text box.
If you're not on a domain, then the best tool to use is the Windows System Image Manager, which comes as part of the Windows Automated Install Kit. You use this to open up a Windows Install Image (.wim) and select the accompanying unattend.xml which is used to automate the Windows Install.
The value you want to change using SIM will be found under : Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword
Here you can set the default admin password to whatever you wish.
You could do this with a script, using the net use syntax, but the problem there is triggering the script to run. In my opinion, these two methods here represent the best approach to solving this problem.

How to have cmd.exe invoke a command "run as administrator" without administrator account password?

My question is basically identical to this unanswered question: How to run an application as "run as administrator" from the command prompt?
I am working from within the Oracle Enterprise Manager, setting up a "user-defined metric", and using the "execute host command" feature to test things. In both cases one provides a single line that is fed to the command processor on the remote machine (Windows 7). The account on the remote machine is a machine-level account in the administrators user group but is not "administrator". I do not have access to the "administrator" account password. (I am a consultant working in an environment administered by the client.)
Logged in interactively on the remote machine, the account I am using can "run as administrator" a command window without supplying an administrator password, and can run my script successfully. I looked at the "runas" command and tried it out but I could not find a way to use it without supplying the "administrator" account password, which I do not have. The person who posted the other question (above) said he tried the /NOUAC and /elevate options with no success. I have not tried them.
FWIW, the command I am trying to run is a PowerShell v 2 one-liner that gets one WMI value.
Anyhow, it may be that what I am trying to do is by design impossible within the UAC world -- to do these operations one either is an administrator-group user working interactively or one is the administrator.
Create a batch file with the following line
start
and save it in a location of your choice.
Then right-click on the batch file and select "Run as administrator". This would create a command prompt as administrator.

Using a powershell script as a logon script (group policy) which starts a external program?

I have made a PowerShell script which loads pageant (a Windows SSH authentication agent) with my private keys. In short the script isn't much more than the following two lines:
$tool = "pageant.exe"
&$tool $files.ToArray()
$files is a list of strings which contains all my private keys which must be loaded.
I have no problem with the working of the script because it does its job perfectly when I execute this from my powershell console.
I want to execute this script whenever I log on to my account and I do this by adding a powershell logon script group policy with the group policy editor (gpedit.msc); the script also executes and in fact does load the pageant.exe tool.
However the tools utilising the pageant.exe tool (putty and plink) do not work. They don't recognize the pageant authentication agent.
So my first question is, what is the difference between starting the script from my own powershell console and starting the script from a group policy (logon script)?
I have also done some investigation and I see a couple of differences. The first thing is that the started pageant tool has a UAC Virtualization flag in my task manager when I start the script from my own console. This property isn't flagged when it's started from the logon script group policy.
The second thing is that when I disable the UAC the script does work from the logon script group policy. So I assume it has something to do with the UAC but I don't know how to solve this. I want the script to work when the UAC is enabled as well.
The second question is: what is this UAC virtualization flag and how does it influence the working of a process? The third and last question is how can I get my script working?
It looks like the thing is UAC virtualization. This flag means that all write attempts to protected system areas are redirected to VirtualStore in the user's profile: C:\Users\<username>\AppData\Local\VirtualStore. When UAC is disabled, this redirection is turned off.
When UAC is enabled, any attempts to write to Program Files, as an example, will be redirected to the corresponding directory in your VirtualStore. Later when programs read the files, they also see them from the redirected directory.
Yet your logon script runs without Virtualization enabled, and therefore its attempts to modify/read files do not go to the redirected VirtualStore but rather directly to Program Files.
So you have to make all your parties work without virtualized directories. If the executable has a manifest, preferably declaring compatibility with Windows 7, then virtualization is turned off. But it may fail to work correctly without virtualization if it tries to write to Program Files.
Note: registry writes to HKLM are also virtualized.
There are a number of ways to turn off UAC virtualization; the simplest is to include an external manifest (in your case it would be named pageant.exe.manifest) in the same folder as the exe. This could suppress elevation, but then your writes would probably fail. The very fact that virtualization is affecting you means that pageant.exe must write to protected areas, and without virtualization or elevation, you'll get access denied.
Therefore what I would do is leave Group Policy out of it. Set up a Scheduled Task (click Start and type Task to launch task scheduler, then click Create Task on the right) that runs at logon (the Trigger tab, click new, change the top dropdown) to run your script (Actions tab, click new) and that runs elevated (General tab, check Run with highest privileges). You'll have to consent once to the UAC to set up the elevated task. Then you're done and pageant.exe will write to the protected area where the other apps can read it.
If, after you've got this set up, the other apps continue to read from the virtual store instead of the real one, just delete the files/folders in the virtual store.
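To see what the redirection described in the answers above has actually written, this added example (not part of any answer on the page) lists every file in the current user's VirtualStore next to the protected path it shadows. The function name `Get-VirtualStoreShadow` and the output property names are chosen for this example.

```powershell
# Added example (not from the answers): list files in the current user's
# VirtualStore next to the protected path each one shadows.
function Get-VirtualStoreShadow {
    param([string]$StoreRoot = (Join-Path $env:LOCALAPPDATA 'VirtualStore'))

    if (-not (Test-Path -LiteralPath $StoreRoot)) { return }   # nothing was ever redirected
    $root = (Get-Item -LiteralPath $StoreRoot).FullName.TrimEnd('\')

    Get-ChildItem -LiteralPath $root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # The path below VirtualStore mirrors the path below the system drive root.
            $relative = $_.FullName.Substring($root.Length).TrimStart('\')
            $realPath = Join-Path ($env:SystemDrive + '\') $relative
            $real = $null
            if (Test-Path -LiteralPath $realPath) { $real = Get-Item -LiteralPath $realPath -Force }
            New-Object PSObject -Property @{
                VirtualFile  = $_.FullName
                RealFile     = $realPath
                RealExists   = [bool]$real
                VirtualNewer = ($real -ne $null) -and ($_.LastWriteTime -gt $real.LastWriteTime)
            }
        }
}

Get-VirtualStoreShadow |
    Sort-Object RealFile |
    Format-List RealFile, VirtualFile, RealExists, VirtualNewer
```

Rows where RealExists is True are the cases where a virtualized process and a non-virtualized one can see different contents for the same path, so compare the two files before deleting the VirtualStore copy.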
For completeness I added the answers to my own questions.
What is the difference between starting the script from my own powershell console and starting the script from a group policy (logon script)?
A: The difference comes from the fact that my user is part of the Administrator group which will run the script with elevated rights. When you log on as an administrator, Windows will generate a standard user access token and an administrator access token. The last token will be used to run programs with elevated rights (this is without UAC virtualization). Now when I start the script from my own powershell console, which is started with the standard access token, the started pageant is run with UAC virtualization. If the tools which use pageant run with a different mode, then my problem occurs.
What is this UAC virtualization flag and how does it influence the working of a process?
A: Check out this link.
How can I get my script to work?
A: You can use the solution provided by Kate Gregory (do not check run with highest privilege option) or add a batch file to your startup folder which runs the powershell script. This will run the script with the standard user access token and with UAC virtualization enabled.
