Impersonate domain admin account inside advanced function

Hi, I wrote several advanced functions and put them into a script module. Everything works fine, but I want to "give" some of these functions to my colleagues who are not domain admins, allowing them to run these functions, which make changes to target computers. These changes require administrative rights on the target computers (any domain computer), i.e. domain admin privileges, which of course they should not be given.

Is it possible to "impersonate" a domain admin account inside an advanced function, so that when an "ordinary" user runs the function it is executed under the domain admin account under the hood? I know it is possible to do a similar thing with a custom endpoint configuration, where I can specify what someone can do and at the same time have it done under an account with elevated privileges, for example to allow an ordinary user to enable/disable an AD account without delegating permission to do that in Active Directory.


June 19th, 2015 9:25am

Hi,

This is usually not recommended: if someone should do something, he should have the privileges to do so.

However, you can do this by:

  • Writing down the password somewhere (DON'T!)
  • Setting up a task on the user's computer that can be triggered by the user (through the module or manually), that runs under different credentials and has the specified permissions.
  • Granting targeted permissions on the target system. Many things that "need administrator privileges" don't really need them. They just need a fraction of them, which you can set up. This is usually the method I recommend.

Cheers,
Fred

June 19th, 2015 9:34am

Hmmm, this means the concept of custom endpoint configurations and the example of AD actions I wrote are not recommended.
June 19th, 2015 9:43am

Hmmm, this means the concept of custom endpoint configurations and the example of AD actions I wrote are not recommended.

Functions are not custom endpoints. We can create an endpoint with specific capabilities and we can give an account access to the endpoint, but we still have to delegate the rights to the account for access to restricted resources. Custom endpoints are designed to restrict and not to override.

Windows security is based on the concept of delegated authority. This is foundational and you should not try to subvert it. That is how hackers gain control.

June 19th, 2015 10:00am
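As an added example of the constrained-endpoint approach both replies refer to (this is not code from the thread or from either poster): a PowerShell 3.0+ session configuration that exposes only the named module functions and runs them under a dedicated, narrowly delegated account, so the endpoint restricts what callers can do while the account's delegated rights, not Domain Admin membership, decide what succeeds. The module name OpsTools, its functions Set-Thing and Get-Thing, the account CONTOSO\svc-opstools and the group CONTOSO\HelpDesk are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the target computer.
# Assumed names: module 'OpsTools' exporting Set-Thing / Get-Thing,
# RunAs account 'CONTOSO\svc-opstools' that holds ONLY the rights those two
# functions need, and 'CONTOSO\HelpDesk' as the group allowed to connect.

$cfgPath = Join-Path $env:TEMP 'OpsTools.pssc'

# RestrictedRemoteServer + NoLanguage: callers get no scripting, no other
# cmdlets, and only the functions listed in -VisibleFunctions.
New-PSSessionConfigurationFile -Path $cfgPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ModulesToImport 'OpsTools' `
    -VisibleFunctions 'Set-Thing', 'Get-Thing' `
    -ExecutionPolicy RemoteSigned

# Endpoint ACL: local Administrators keep full control; the HelpDesk group
# gets Read + Execute(Invoke) only. Everyone else is denied by omission.
# (The group name must resolve in the domain for the SID lookup to work.)
$helpDeskSid = ([System.Security.Principal.NTAccount]'CONTOSO\HelpDesk').
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;$helpDeskSid)"

# RunAsCredential: every command in the session executes as this account.
# Keep it a purpose-built, delegated account; a Domain Admin here would
# reintroduce exactly the over-privilege the replies warn against.
$runAs = Get-Credential -UserName 'CONTOSO\svc-opstools' `
    -Message 'RunAs account for the OpsTools endpoint'

Register-PSSessionConfiguration -Name 'OpsTools' -Path $cfgPath `
    -RunAsCredential $runAs `
    -SecurityDescriptorSddl $sddl `
    -Force

# Verify what a HelpDesk member will actually see: only the two functions
# plus the handful of proxy cmdlets a restricted session always provides.
Invoke-Command -ComputerName $env:COMPUTERNAME -ConfigurationName 'OpsTools' `
    -ScriptBlock { Get-Command } | Select-Object Name, CommandType
```

The WinRM service restarts when the configuration is registered, so active remoting sessions on that host are dropped.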
