13 Replies Latest reply on Nov 10, 2017 5:55 AM by Leon Evans

    NSH nexec elevating cmd or powershell?


      Hi there,

       

      Is there a way to 'run as admin' cmd or Powershell in an NSH script job using nexec?

       

      This line runs my powershell script absolutely fine, but the code within my powershell script requires elevated privileges, so it returns the wrong output as parts of it don't have the required admin rights to get the info.

       

      nexec -i -e cmd /c "echo . | powershell c:\tmp\myscript\myscript.ps1"

       

      -ExecutionPolicy Bypass and -InputFormat none make no difference.

       

      Is there a way to elevate cmd (as if you elevate cmd and call powershell from cmd, powershell also runs elevated) or powershell so it runs as admin?

        • 1. Re: NSH nexec elevating cmd or powershell?
          Bill Robinson

          -ExecutionPolicy Bypass and -InputFormat none make no difference.

          and why would they?  neither of these have anything to do w/ running 'as administrator'

           

          is there a way to elevate cmd (as if you elevate cmd and call powershell from cmd, powershell also runs elevated) or powershell so it runs as admin?

          not sure why you are asking here.  you might want to ask that on a microsoft forum as powershell is their product, not ours.

          • 2. Re: NSH nexec elevating cmd or powershell?
            Greg Wojan

            Leon,

             

            We do this all the time without any elevated privileges issues as long as the role being used has admin privs on the target server. With that being said I never use nexec -e always opting to specify the target.

             

            nexec -i -ncq $TARGET powershell -noprofile -inputformat none -executionpolicy bypass -command c:/temp/psscriptfile.ps1

             

            I have never had a need to do the whole "cmd /c echo . |" thing. Also notice I use forward slashes instead of backslashes in my script path so I don't have to worry about nsh/bladelogic needing them to be escaped. PowerShell will happily use either...

            1 of 1 people found this helpful
            • 3. Re: NSH nexec elevating cmd or powershell?

              Hi Greg,

               

              Thanks for providing a useful answer!

               

              I'll try this and get back to you.

               

              Does your solution work on domain controllers where domain admin privileges are also required (such as where a powershell script is using dcdiag to get DC status info to output into a report)??

              • 4. Re: NSH nexec elevating cmd or powershell?
                Greg Wojan

                Honestly, I don't know if it will work in that use case. We don't have access to any of our domain controllers. However, I would imagine it would work just fine as long as the user on the DC has the proper rights.

                • 5. Re: NSH nexec elevating cmd or powershell?

                  Hi Greg,

                   

                  I used the method you suggested but get the following error (even though the BladeLogic job completes successfully):

                   

                  Error 08-Nov-2017 16:13:12 nexec: Error accessing host powershell: I/O error

                  • 6. Re: NSH nexec elevating cmd or powershell?

                    I have an alternative, but I don't think nsh likes the double 'double quotes' and I'm not familiar enough with nsh syntax to know the correct formatting:

                     

                    nexec -i -e cmd /c "echo . | powershell -noprofile -command "&{start-process powershell -ArgumentList '-noprofile -file c:\tmp\BLAUTO_WINTEL_AD-HealthCheck\BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1' -verb RunAs}""

                    • 7. Re: NSH nexec elevating cmd or powershell?

                      You may try with -ncq option.

                       

                       

                      nexec -i -e -ncq cmd /c "echo . | powershell -noprofile -command "&{start-process powershell -ArgumentList '-noprofile -file c:\tmp\BLAUTO_WINTEL_AD-HealthCheck\BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1' -verb RunAs}""

                      • 8. Re: NSH nexec elevating cmd or powershell?
                        Greg Wojan

                        Can you provide the exact command you ran and full output of the errors? Are you running from nsh?

                        • 9. Re: NSH nexec elevating cmd or powershell?
                          Greg Wojan

                          From NSH with a role that has admin permissions on your server try this command and the appropriate server name. Do not CD to the server!:

                           

                          nexec -i -ncq "<YourServerGoesHere>" powershell -noprofile -inputformat NONE -executionpolicy bypass -command c:/tmp/BLAUTO_WINTEL_AD-HealthCheck/BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1

                           

                          What is the output you get?

                           

                          If I execute that exact command using one of my servers I get an error indicating that the script file doesn't exist which is exactly what I would expect. If executed against one of your servers it should just work because the script is present.

                          • 10. Re: NSH nexec elevating cmd or powershell?

                            Ok, so from the beginning:

                             

                             

                            Created an NSH Script item in the Depot for my AD-HealthCheck

                             

                             

                            The script is as follows:

                            COMPUTERNAME=`pwd | awk -F/ '{print $3}'`

                            blcli_execute Server printPropertyValue "${COMPUTERNAME}" CUSTOMER

                            blcli_storeenv CUSTOMER

                             

                            ### MAKE DIRECTORIES AND COPY SCRIPT ###

                            mkdir -p //BLOGIC-SERVER/D/Logs/BLAUTO/BLAUTO_WINTEL_AD-HealthCheck/$CUSTOMER/

                            mkdir -p /c/tmp/BLAUTO_WINTEL_AD-HealthCheck/

                            cp -f //BLOGIC-SERVER/D/Scripts/BLAUTO/BLAUTO_WINTEL_AD-HealthCheck/BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1 /c/tmp/BLAUTO_WINTEL_AD-HealthCheck/

                            cp -f //BLOGIC-SERVER/D/Scripts/BLAUTO/BLAUTO_WINTEL_AD-HealthCheck/BLAUTO_WINTEL_AD-HealthCheck_v1.0.bat /c/tmp/BLAUTO_WINTEL_AD-HealthCheck/

                             

                            ### POWERSHELL EXECUTION ###

                            nexec -i -e cmd /c "echo . | powershell c:\tmp\BLAUTO_WINTEL_AD-HealthCheck\BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1"

                            #nexec -i -ncq $TARGET powershell.exe c:\tmp\BLAUTO_WINTEL_AD-HealthCheck\BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1"

                            #nexec -i -ncq $TARGET powershell.exe -noprofile -inputformat none -executionpolicy bypass -command c:/tmp/BLAUTO_WINTEL_AD-HealthCheck/BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1

                            #nexec -i -e cmd /c "echo . | powershell -noprofile -command '&{start-process powershell -ArgumentList '-noprofile -file c:\tmp\BLAUTO_WINTEL_AD-HealthCheck\BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1' -verb RunAs}'"

                            #nexec -i -e cmd /c "echo . | c:\tmp\BLAUTO_WINTEL_AD-HealthCheck\BLAUTO_WINTEL_AD-HealthCheck_v1.0.bat"

                            #nexec -i –e -ncq cmd /c "echo . | powershell -noprofile -command "&{start-process powershell -ArgumentList '-noprofile -file c:\tmp\BLAUTO_WINTEL_AD-HealthCheck\BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1' -verb RunAs}""

                             

                            ### GATHER OUTPUT FILES ###

                            cp -f /c/tmp/BLAUTO_WINTEL_AD-HealthCheck/*.htm //BLOGIC-SERVER/D/Logs/BLAUTO/BLAUTO_WINTEL_AD-HealthCheck/$CUSTOMER/

                             

                            ### CLEANUP ###

                            rm -r /c/tmp/BLAUTO_WINTEL_AD-HealthCheck

                             

                             

                             

                             

                             

                             

                            Under Jobs, I then created the corresponding Job as an NSH Script Job, it has no targets.

                             

                             

                            I right click the job and use "Execute Against" and then select the server I want to execute the script against.

                             

                             

                            Under ### POWERSHELL EXECUTION ### the following line **works:

                            nexec -i -e cmd /c "echo . | powershell c:\tmp\BLAUTO_WINTEL_AD-HealthCheck\BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1"

                             

                             

                            **works only in the sense that the script runs and produces my output html report, which gets copied back to the BladeLogic server.

                            The powershell script itself is using dcdiag to run tests on all the DCs in the customer's domain.

                            Because the powershell session is not elevated, some of the commands fail and my html report contains false failures.

                             

                             

                            This is why I need to elevate powershell in the nsh script.

                            None of the commented out alternatives are working.

                             

                             

                            The .bat file contains the following:

                            powershell.exe -noprofile -command "&{Start-Process powershell -ArgumentList '-noprofile -file c:\tmp\BLAUTO_WINTEL_AD-HealthCheck\BLAUTO_WINTEL_AD-HealthCheck_v1.0.ps1' -verb RunAs}"

                             

                             

                            I literally only started working with BladeLogic this week so NSH is a total unknown to me.

                            I'm running this past some of my colleagues who are more familiar with BL than I, but they have their own workload and can't always respond the same day.

                            • 11. Re: NSH nexec elevating cmd or powershell?
                              Greg Wojan

                              Okay, gotcha! It seems to me if you have your roles defined properly you shouldn't be needing to elevate your privileges. What does your users.local and users file look like?

                               

                              Can you explain a little about your current RBAC model?

                              1 of 1 people found this helpful
                              • 12. Re: NSH nexec elevating cmd or powershell?

                                I'm asking the questions to my more knowledgeable colleagues now.

                                • 13. Re: NSH nexec elevating cmd or powershell?

                                  So it looks like I may have made some progress.

                                   

                                  It appears the customers I was running the script against have not had their BladeLogic configuration completed, so the permissions are not completed yet.

                                  Also, the MVP who wrote the base AD healthcheck script says that it shouldn't be run on DCs but on a member server... (bad for automation, as not all customers have member servers with AD tools installed)

                                   

                                  Got my .bat file with elevated PS session working.

                                   

                                  The issues I'm experiencing appear to be related to this specific script. I've created additional jobs for other PS scripts I've written and they all work fine (in working BL customers).

                                   

                                  thanks for all your assistance, if I have any future updates that are relevant, I'll update this thread (it might be helpful for someone else in the future)
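
Reply 10 describes the report filling with false failures when the PowerShell session is not elevated. A preflight check such as the following, placed at the top of the .ps1, makes that condition explicit before any dcdiag test runs. It is an added example, not code from the thread or from BladeLogic; the function name Get-SessionPrivilege and the message wording are assumptions.

```powershell
# Added example (not from the thread): preflight privilege check for the
# top of a health-check script such as the one discussed above.
# Assumption: the script should stop rather than report misleading results
# when its process token is not elevated.

function Get-SessionPrivilege {
    # Identity of the account the remote agent actually mapped this job to.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole returns $false for a UAC-filtered token even when the
    # account is a member of the local Administrators group.
    New-Object psobject -Property @{
        User        = $identity.Name
        IsElevated  = $principal.IsInRole($adminRole)
        IsSystem    = $identity.IsSystem
        Interactive = [Environment]::UserInteractive
        Computer    = $env:COMPUTERNAME
    }
}

$priv = Get-SessionPrivilege

# Always log the effective identity so the job output shows which
# account the role was mapped to on this target.
Write-Output ("Preflight: user={0} computer={1} elevated={2} system={3} interactive={4}" -f `
    $priv.User, $priv.Computer, $priv.IsElevated, $priv.IsSystem, $priv.Interactive)

if (-not $priv.IsElevated) {
    # Stop here: results gathered without an elevated token would show
    # up in the report as failures of the checked systems.
    Write-Error ("Not elevated as {0} on {1}; fix the role/user mapping for this target instead of collecting results." -f `
        $priv.User, $priv.Computer)
    exit 1
}

# ... the health-check body would start here ...
```

The logged user name is also the quickest way to answer the question in reply 11 about which account the role is mapped to on a given target.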