cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

FEATURE REQUEST - Powershell component - run as administrator

FEATURE REQUEST - Powershell component - run as administrator

Hello

This one is (in my head at least) quite simple and straight forward, how come we can't have a powershell component run with administrator permissions on a node with an agent installed?

My request should in theory be quite simple to add, just a checkbox in the powershell component saying "Run as administrator", and then it will do just that.

You should already have code that does just that only requiring minor adjustments, while remote deploying an agent you require the installer to run with administrator elevation to install.

My specific use-case is monitoring a scheduled task that is in a custom folder that requires local admin permissions, but there are many other scenarios where administrator permissions could be required to monitor something.

This request could also be extended to the "Windows Script monitor" and "Linux/Unix Script Monitor" (SUDO instead of administrator obviously)

Edit:

Specifically I mean a powershell session elevated to full administrator permissions, a way to test this is with the script below:

$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())

if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {

write-host "Message:This powershell session does have administrator permissions"

write-host "Statistic:0"

} else {

write-host "Message:This powershell session does NOT have administrator permissions"

write-host "Statistic:100"

}

This will only return with statistic 0 if the powershell session is elevated to administrator permissions.

pastedImage_0.png

15 Comments
Product Manager
Product Manager

This should already be possible today using the 'Run the script under specific account' option.

pastedImage_0.png

Level 8

Yes you can run the script with the USER administrator, but that does not mean the script have administrator ELEVATION, there is a little difference regarding what permissions you have there.

Take a look at this little script:

$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())

if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {

write-host "Message:This powershell session does have administrator permissions"

write-host "Statistic:0"

} else {

write-host "Message:This powershell session does NOT have administrator permissions"

write-host "Statistic:100"

}

Try running that in APM and see if you can get it to return that it has administrator permissions. (or just try it on your PC)

This will only return with statistic 0 if the powershell session is elevated to administrator permissions.

pastedImage_0.png

Yes, we've run into this issue before as well. One of our teams wrote a script that required to be 'run as administrator', but the existing options in SAM didn't quite get us what we needed.

I think I did as well and cheated by running it on the Orion polling engine as a remote session to the server I needed data from, something like:

     Invoke-Command -ComputerName Server01 -ScriptBlock {<Your data>}

I think I had it return an array with the results and then I took the block output and mapped it to desired Orion output. I can't seem to remember which application I did it on to give you the exact code, but if I find it I will post it.

Level 8

mrxinu​, you're quite the powershell expert. Any insights?

MVP
MVP

I do like me some PowerShell, but this is more of a SolarWinds agent thing than a PowerShell thing.

Level 8

yes this is a possible workaround to the issue by running the code remotely from the Orion polling engine, however there are multiple instances where remote code execution is either not possible (fx: Powershell remoting [WinRM] is blocked by a firewall for security reasons) or simply just very impractical to resolve a monitoring need.

Level 7

What you are stating is not just firewall for "security reasons". Windows (Microsoft) has worked hard to stop random code from executing. I believe you may be conflating local user/file permissions with global permissions. If your script is to figure out if you are using Administrator in Powershell; it'd just be simpler to use the command "whoami" and "net localgroup administrators"

Code execution occurs at the shell level or if you set the shell execution to administrator within registry, GPO, or services. Most of these I would not recommend as this process is probably occurring on a production server. If this is just to elevate the script to execute; there are much simpler methods to automate this process. Could you elaborate on what it is you are trying to achieve?

Level 16

I got around the code execution issues by adding the Solarwinds Orion server as a user on the remote machine. Select Object Types, then click on Computer then add the hostname of your Orion server.

Then your Orion server can have admin rights when it runs it's scripts against the remote machine.

Level 16

pastedImage_0.png