One of the important things we have to remember when Administering our Networks is a little Segregation. Separation of our Administrative selves and Personal selves.
Yes as an Administrator you require rights to do your job. I completely understand and accept this. I do this daily.
But it’s just as important to make sure you only use the network ID that HAS those rights when you need it. Whether you have an actual Domain account with those rights or you use good old fashioned “Administrator”
In Windows 7 and Vista this is incredibly easy. Make your own user a NON Administrator.
Now before you grab out pitchforks and form a mob to have me hanged as a witch, remember this is about security. Does your user ID (Your PERSONAL ID) need to be running as a Domain Admin?
No absolutely no. You NEED those rights when working on users and administering machines. You DON’T need those rights to run Microsoft Word or the Corporate applications. If you do, then you should mitigate that issue with the Application Compatibility Toolkit.
So with Powershell we can easily Administer a network WITHOUT our personal credentials being Domain Administrators or Enterprise Administrators. In fact it doesn’t even have to change our scripts or workflow.
In Vista and Windows 7 all you need to do is check off a little box
Go into the Properties of your Friendly Neighbourhood Powershell Shortcut and find the “Shortcut” tab
Click on the “Advanced” Button and you’ll see an option to “Run as Administrator”, check that box off then click “OK”
Now the fun (and scary part for some Administrators) – REMOVE YOUR USER ID FROM THE LOCAL ADMINISTRATORS GROUP and any Domain Admin groups!
You can take the paper bag off your head. This is ok to do.
It’s ok as long as you DO have another ID that can be a Domain Administrator (Like Administrator) or possibly create an Administrative account (always a good idea) that has rights matching what you need.
What will happen now is whenever you go to launch Powershell for Administrative purposes is you will get prompted for an ID that has Administrative rights. The new Shell will launch will all the rights you need to do Domain Administration.
Another option to remember when coding your scripts is you can leveraging the need for credentials in your scripts VERY easily. Most Powershell CmdLets have the –credential parameter which is incredibly easy to leverage
You can use a sequence as simple as this
$CREDS=GET-CREDENTIAL –credential CONTOSOUsername
GET-WMIOBJECT WIN32-BIOS –computername TEST –credential $CREDS
This will popup a secure box asking for the password to the “CONTOSOUsername” account. those Credentials in the example above will be passed to the “GET-WMIOBJECT” Cmdlet allowing it to be used to authenticate to the Computer called “TEST”
The neat part, this is not “Theory”. This is how I do my job daily. Securely. Safely.
You of course will have to ensure your modules are ported over to that user ID or possibly (what I do) is move them to a common profile.
Administration with Powershell – Both Safe and SECURE
The Power of Shell is in YOU
The Energized Tech