lockworld
6/28/2017 - 3:27 PM

Run a script with an administrator's account without any user interaction

In this gist, we see how to run any .bat file (or any executable at all) either elevated ("Run as administrator") or with specific user credentials, all without any interaction from the user.

This is particularly useful in creating a GPO to pass out to network users to run a patch or script that requires specific permissions.

Steps

Create a batch file that will be pushed out to users via GPO, following the example in "RunAsOther script.bat" (below)

  • Replace {TaskName} with a unique name for your task. I suggest including a datestamp.
  • Replace {\\path\to\my.bat} with the path to your .bat file or executable that needs to be run on the users' machines.
  • Replace {domain\username} with the domain and username of the account you want to use to run this task. [OPTIONAL]
  • Replace {password} with the password for the domain user account you want to use to run this task. [OPTIONAL]

Basically, what happens is that we create a new scheduled task to run the desired .bat file or executable with elevated permissions with the designated credentials, run the task, then delete the task immediately without any user interaction.

CREATE

  • /TN is the task name
  • /SC is the schedule…in this case, only run it ONCE
  • /ST is the start time. It is required, but we don’t use it in this case
  • /TR is the path to the script or program to run
  • /RL is the elevation level to run the task
  • /RU is the domain username
  • /RP is the domain user’s password

RUN

  • /TN is the task name

DELETE

  • /TN is the task name
  • /F suppresses the confirmation asking the user if they want to delete the task

This script, then, will call the .bat file or executable using the credentials specified for the temporary elevated account, but will not prompt the user for credentials or UAC confirmation before running the script. It does require providing the username and password in plain text in a script file, but I don’t know if there’s any way around that if you want to script a task to run with specific credentials.

If you just want the file to be “Run As Administrator,” you can leave out the /ru and /rp parameters in the “schtasks /create” line to create and run the task as the logged-in user. The “/rl highest” parameter is the same as selecting “Run As Administrator.”

If you do specify the credentials to run the task with, the user won’t see any interface at all. The script will just run in the background without any impact on the user. If you don’t specify the credentials, the user will see any GUI elements that are involved with running the script.

schtasks /create /tn {TaskName} /sc once /st 00:00:00 /tr {\\path\to\my.bat} /rl highest /ru {domain\username} /rp {password}

schtasks /run /tn {TaskName}

schtasks /Delete /tn {TaskName} /f
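
Because the script is pushed out to users, the /rp value is readable by anyone who can read the file. The following PowerShell audit is an added example, not part of the original gist: it flags "schtasks /create" lines that carry a literal /rp password and reports them with the secret masked. The function names, task name, share path and account in it are constructed for illustration.

```powershell
# Added example, not part of the gist. All names and values below are constructed.

# Return the value that follows a schtasks switch such as /tn, /ru or /rp.
function Get-SwitchValue([string]$Line, [string]$Name) {
    $pattern = '\s/{0}\s+(?<v>"[^"]*"|\S+)' -f $Name
    if ($Line -match $pattern) { return $Matches['v'].Trim('"') }
    return $null
}

# Report every "schtasks /create" line that carries a literal /rp password.
function Find-SchtasksPlaintextPassword {
    param([string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        # /ru and /rp only appear on the create command in the gist's script.
        if ($line -notmatch '\bschtasks(\.exe)?\s.*/create\b') { continue }

        $pw = Get-SwitchValue $line 'rp'
        # "/rp *" makes schtasks prompt instead of storing a secret in the file.
        # A value starting with "/" is treated as the next switch (heuristic).
        if (-not $pw -or $pw -eq '*' -or $pw.StartsWith('/')) { continue }

        [pscustomobject]@{
            LineNumber = $i + 1
            TaskName   = Get-SwitchValue $line 'tn'
            RunAs      = Get-SwitchValue $line 'ru'
            Secret     = '<redacted>'   # never echo the password itself
        }
    }
}

# Constructed sample: one line with an embedded password, four without.
$sample = @(
    'schtasks /create /tn Patch-20170628 /sc once /st 00:00:00 /tr \\fs01\deploy\patch.bat /rl highest /ru CONTOSO\svc-deploy /rp Example-Passw0rd',
    'schtasks /create /tn Patch-20170628 /sc once /st 00:00:00 /tr \\fs01\deploy\patch.bat /rl highest',
    'schtasks /create /tn Patch-20170628 /sc once /st 00:00:00 /tr \\fs01\deploy\patch.bat /ru CONTOSO\svc-deploy /rp *',
    'schtasks /run /tn Patch-20170628',
    'schtasks /Delete /tn Patch-20170628 /f'
)

Find-SchtasksPlaintextPassword -Lines $sample | Format-Table -AutoSize
```

To check a real script, pass its lines in with Get-Content, for example against the batch files referenced by your GPOs.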