Start-Process This command cannot be run (blocked by group policy)

Hi

I'm in desperate need of some help or ideas having spent a few days now on trying to resolve this issue.

I am working on a generic laptop build (Win7 x64) which is heavily locked down with security compliance measures as per the recommendations. This is a standalone machine with no internet access.

There is a requirement to execute a simple .ps1 script that changes the IP address of the net adaptor before executing an application that requires that change. The script however has to run elevated to allow the changing of the IP address (AFAIK). It does not change the IP address otherwise if run without elevation.

The script works fine for all administrators but the machine also has two standard user accounts (machine will be used by several personnel). The scripts will execute and run without elevation but produce the following error if using the -verb RunAs command.

Start-Process : This command cannot be run due to the error: This program is blocked by group policy. 
At line:1 char:3
+ &(Start-Process PowerShell -Argumentlist 'Set-ExecutionPolicy Restricted

I've tried RSOP to determine which policy is having an effect but so far no good. UAC has been turned off.

If I turn on UAC, the standard user is prompted for elevated credentials and all is good and the script runs without issue. UAC has to be turned off though in our scenario.

So far I have been fruitless with my search...

Any help greatly appreciated.

September 8th, 2015 11:45am

Hi Juslisnen,

just set up a task that runs as admin and make it triggerable by users. Triggering a task does not require elevation.

Cheers,
Fred

September 8th, 2015 12:08pm

There's either a 'software restriction policy' or Applocker if you've an Enterprise SKU.

Applocker logs can be found and reviewed with:

Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL"

Get-WinEvent -LogName "Microsoft-Windows-AppLocker/MSI and Script"


September 8th, 2015 2:58pm
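As an added example that is not part of the thread, the following script collects only the "blocked" events from the two AppLocker channels named above plus the Software Restriction Policy events in the Application log, so the rule doing the blocking can be identified before anything in the hardened build is relaxed. The event IDs are the documented AppLocker and SRP values (not quoted on the page), and the script sticks to PowerShell 2.0 syntax so it runs on a Win7 build.

```powershell
# Added example: list AppLocker and SRP block events from the last N hours.
# Assumptions: run in an elevated PowerShell on the affected machine.
# AppLocker IDs: 8004 = EXE/DLL blocked, 8007 = script/MSI blocked.
# SRP IDs (Application log, provider SoftwareRestrictionPolicies):
#   865 = default/zone rule, 866 = path rule, 867 = certificate rule,
#   868 = hash rule, 882 = enforcement denied.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Both AppLocker operational channels; only the block events are of interest.
$appLockerLogs = @(
    "Microsoft-Windows-AppLocker/EXE and DLL",
    "Microsoft-Windows-AppLocker/MSI and Script"
)
$appLocker = foreach ($log in $appLockerLogs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8004, 8007; StartTime = $since } `
        -ErrorAction SilentlyContinue | ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Source  = "AppLocker"
                Id      = $_.Id
                Message = ($_.Message -split "`n")[0]
            }
        }
}

# SRP does not have its own channel; it writes to the Application log.
$srp = Get-WinEvent -FilterHashtable @{
    LogName      = "Application"
    ProviderName = "SoftwareRestrictionPolicies"
    Id           = 865, 866, 867, 868, 882
    StartTime    = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    New-Object PSObject -Property @{
        Time    = $_.TimeCreated
        Source  = "SRP"
        Id      = $_.Id
        Message = ($_.Message -split "`n")[0]
    }
}

$events = @($appLocker) + @($srp) | Sort-Object Time -Descending
if (-not $events) {
    # No AppLocker/SRP hits means the block comes from another policy entirely.
    Write-Host "No AppLocker or SRP block events in the last $Hours hours."
} else {
    $events | Format-Table Time, Source, Id, Message -AutoSize -Wrap
}
```

An empty result is itself useful: it confirms that neither AppLocker nor SRP is the source of "This program is blocked by group policy" and the search has to move elsewhere.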

Thanks Fred

I will give this a try. It does need to be triggerable and not timed.

I've exhausted all other known methods. I even removed AppLocker rules in their entirety and disabled its service. So it's definitely GPO related.

September 9th, 2015 4:54am

Thanks Emin, but I removed Applocker and disabled the service. SRP has never been configured.

I will give the Task method a try.

September 9th, 2015 4:55am

Sadly I still can't get this to work.

I can create a task to run standard .ps1 or .bat files using Admin but when it comes to elevation I get blocked by access denied or group policy is blocking due to the restrictions in place.

I have so far selected an Admin account and have to select 'Run whether user is logged in or not' as 'switch user' is disabled (requirement). But...I cannot store passwords as there is an additional GPO requirement for another application which relates to:

Network Access: Do not allow storage of passwords and credentials for network authentication. [Enabled]

I have also tried selecting the Group: Administrators, but that produces "access denied" when running the task for both administrators and users.

So I'm a bit stumped!

September 9th, 2015 1:04pm

Hi Juslisnen,

the user account you will want to use is "SYSTEM".

Also be sure to check the "Run with highest privileges" Box (or is that what's blocked?)

Cheers,
Fred

PS: You can also create the task on an unblocked computer, export it to XML and then try importing it from xml using schtasks.exe.

September 10th, 2015 2:28am

Hi Fred,

Thanks for the heads up. I did try 'SYSTEM' however the task is still producing "[taskname] access is denied" when using either "Run with highest privileges" or not. It's not your standard GPO access denied GUI error. It briefly flashes up in the process window.

Nothing is produced in the schedule task logs other than the task ran. And the event log is showing very little unless I am looking in the wrong location.

It's knowing where to relax the clamps without compromising the hardened build.

The only other option I can think of is to promote the other standard users to Admin but that is not favourable. There are 4 users in total that will utilise this machine. 2 admin and 2 users.

September 10th, 2015 5:49am
