{"id":3838,"date":"2016-06-19T23:22:33","date_gmt":"2016-06-19T21:22:33","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=3838"},"modified":"2016-06-20T13:30:02","modified_gmt":"2016-06-20T11:30:02","slug":"vmware-execute-invoke-vmscript-as-administrator","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/vmware-execute-invoke-vmscript-as-administrator\/","title":{"rendered":"VMware: Execute scripts by Invoke-VMScript as Administrator"},"content":{"rendered":"<div class=\"twoclick_social_bookmarks_post_3838 social_share_privacy clearfix 1.6.4 locale-en_US sprite-en_US\"><\/div><div class=\"twoclick-js\"><script type=\"text\/javascript\">\/* <![CDATA[ *\/\njQuery(document).ready(function($){if($('.twoclick_social_bookmarks_post_3838')){$('.twoclick_social_bookmarks_post_3838').socialSharePrivacy({\"services\":{\"flattr\":{\"uid\":\"Michl\",\"status\":\"on\",\"the_title\":\"VMware%3A%20Execute%20scripts%20by%20Invoke-VMScript%20as%20Administrator\",\"the_excerpt\":\"Hi%2C%0D%0A%0D%0Athis%20post%20addresses%20the%20issue%20that%2C%20when%20Windows%20UAC%20is%20enabled%2C%20you%20could%20not%20execute%20scripts%20with%20elevated%20Administrator%20permissions%20by%20PowerCli%27s%20Invoke-VMScript.%20In%20my%20opinion%20when%20I%20execute%20scripts%20on%20VMs%20in%20more%20then%2080%25%20of%20these%20cases%20I%20need%20elevated%20user%20rights.%0D%0A%20%28more%26hellip%3B%29\",\"txt_info\":\"2 clicks for more data protection:\\r\\n\\r\\nOnly when you click here, the button will be come active and you can send your recommendation to Flattr. When activating, data are transmitted to third parties. \",\"perma_option\":\"off\"}},\"txt_help\":\"When you activate these fields by clicking, information to Flattr may be transferred abroad, and probably may also stored there.\",\"settings_perma\":\"Enable permanently and accept data transmission. \",\"info_link\":\"http:\\\/\\\/www.heise.de\\\/ct\\\/artikel\\\/2-Klicks-fuer-mehr-Datenschutz-1333879.html\",\"uri\":\"https:\\\/\\\/michlstechblog.info\\\/blog\\\/vmware-execute-invoke-vmscript-as-administrator\\\/\",\"post_id\":3838,\"post_title_referrer_track\":\"VMware%3A+Execute+scripts+by+Invoke-VMScript+as+Administrator\",\"display_infobox\":\"on\"});}});\n\/* ]]> *\/<\/script><\/div><p>Hi,<\/p>\n<p>this post addresses the issue that, when Windows UAC is enabled, you could not execute scripts with elevated Administrator permissions by PowerCli&#8217;s Invoke-VMScript. In my opinion when I execute scripts on VMs in more then 80% of these cases I need elevated user rights.<br \/>\n<!--more--><br \/>\nSome other workarounds like creating a schedule tasks and execute them, starting Powershell as noninteractive are not reliable enough.<\/p>\n<p>First of all I have no general solution for this topic. Just a workaround.<\/p>\n<p>The approach is<\/p>\n<ul>\n<li>To enable the Builtin Administrator Account and use it only for Invoke-VMScript and a create second login for the daily use.<\/li>\n<li>Rename the Administrator Account<\/li>\n<li>Use a strong password<\/li>\n<li>Disabled it as soon it is no longer requiered, i.e. execute scripts after cloning then disable it.<\/li>\n<li>Prevent the local Administrator to log in from network<\/li>\n<\/ul>\n<p>For the Builtin Administrator Account (SID: S-1-5-&#8230;-500) it is possible to disable UAC and leave it active for all others Users. The related policy is<br \/>\n<code><br \/>\nComputer Configuration\/Windows Settings\/Security Settings\/Local Policies\/Security Options<br \/>\nUser Account Control: Use Admin Approval Mode for the built-in Administrator account: Disabled<br \/>\n<\/code><br \/>\nTo prevent the Administrator to logon from network add it to the policy<br \/>\n<code><br \/>\nComputer Configuration\/Windows Settings\/Security Settings\/Local Policies\/User rights assignment<br \/>\nDeny access to this computer from the network<br \/>\n<\/code><br \/>\nFor example this makes it possible to rename the Windows Computername without doing a sysprep<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nInvoke-VMScript -VM win7vm1 -Guestuser win7adm -GuestPassword &quot;Password&quot; -ScriptType bat -Scripttext &quot;wmic path win32_computersystem where &quot;&quot;Name='%computername%'&quot;&quot; CALL rename name='win7vm1'&quot;\r\n----------------------------------------------------------------------------------------\r\n|  Method execution successful.\r\n|  Out Parameters:\r\n|  instance of __PARAMETERS\r\n|  {\r\n|      ReturnValue = 0;\r\n|  };\r\n----------------------------------------------------------------------------------------\r\n<\/pre>\n<p>After finshing all tasks disable the user<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nInvoke-VMScript -VM win7vm1 -Guestuser win7adm -GuestPassword &quot;Password&quot; -ScriptType bat -Scripttext &quot;net user win7adm \/Active:No&quot; -ErrorAction SilentlyContinue\r\n<\/pre>\n<p>If somebody has a better solution please let know!!<\/p>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, this post addresses the issue that, when Windows UAC is enabled, you could not execute scripts with elevated Administrator permissions by PowerCli&#8217;s Invoke-VMScript. In my opinion when I execute scripts on VMs in more then 80% of these cases I need elevated user rights.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,5],"tags":[868,867,869,215],"class_list":["post-3838","post","type-post","status-publish","format-standard","hentry","category-vmware","category-windowsknowhow","tag-elevate","tag-invoke-vmscript","tag-permission","tag-powercli"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/3838","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=3838"}],"version-history":[{"count":18,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/3838\/revisions"}],"predecessor-version":[{"id":3856,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/3838\/revisions\/3856"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=3838"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=3838"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=3838"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}