03/08/2018 1649 views

Windows 10 1709 client is running a script that looks up who the computer belongs to in a database and then adds that person as the local administrator using the Add-LocalGroupMember cmdlet.

The script is working fine embedded in our image and launched from setupcomplete.cmd and run as Local System. However, when I wrap the same .ps1 in a .bat shell script and set it to run as Local System in Dell/Quest KACE, the script errors saying that the Add-LocalGroupMember cmdlet is not recognized. If I launch an interactive PS session as Local System and run it, it runs fine.

I added "Get-Module -ListAvailable" to the script and turned on transcription to log everything, and the Microsoft.PowerShell.LocalAccounts module is noticeably missing, but only when this script is instantiated via a KACE script, and the KACE script is really just a simple .bat which runs the .ps1: "powershell C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\886\addadminRunNow.ps1". I've tried a literal path to both x64 and x86 powershell executables and that has had no effect.

I ran the script from an interactive PS session running as Local System and, again, it ran fine, and listed the module as available.

Does anyone have any idea what is going on?


  • Might be permissions.

    If you are using setupcomplete.cmd to run it, that means K2 is running it using the Local Admin that comes from the answer file... full power.

    VS. Running as System from the KACE agent...

    Have you tried passing local credentials to that script to see if it makes any difference? Or maybe running it as the logged-in user?
    • It works when run as an online Kscript and passing local admin credentials. What's weird is that when it's run in that context "get-module -listavailable" still lists the localaccounts module as missing, but no error is thrown when Add-LocalGroupMember is run.

      This doesn't make much sense to me.
      • "and passing local admin credentials."
        That is what you are doing by using the K2 and setupcomplete.cmd, you are using the local admin account and its password to run it.

        It looks like a permissions issue, very strange indeed, maybe a protection against remote execution scripts somehow?

        Is there any way to achieve this with GPO?
    • I'm not sure why I can't reply to your response below:

      Setupcomplete.cmd executes as local system according to Microsoft's documentation. (https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup) In any case, we still image with WDS, and that's what I was referring to when I mentioned imaging.

      As I said, I can run this script successfully as local system. So, it doesn't seem to me that this is a user permission problem. I just can't get it to run as local system when KACE is the one launching the process.
      • Ah, you are using WDS, I see, I thought that was the K2 SDA.

        Have you tried setting up that PS1 script using Example\Method Number 2 here:

        That is the one I use for PowerShell... You could also build a test PS script and see if that works, to confirm the KACE agent is summoning PS scripts (or attempting to).
    • Why can't I respond to your responses? Comments don't nest deeper than three layers? This is a terrible format for any discussion.

      I've tried every method in that article.

There are no answers at this time
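
An added diagnostic, not part of the original thread or of KACE: it logs the context that can differ between launchers (identity, process bitness, module path, whether Microsoft.PowerShell.LocalAccounts resolves) and re-launches in the 64-bit host when started from a 32-bit one, since Microsoft documents that this module is not available in 32-bit PowerShell on 64-bit Windows. The log path and the function name `Get-PSHostContext` are assumptions; whether the agent actually starts a 32-bit host is what the log is meant to show.

```powershell
# Added example. Place at the top of the .ps1 that the management agent launches.
# Assumed log location; change to suit.
$log = Join-Path $env:ProgramData 'ps-context-diag.log'

function Get-PSHostContext {
    # For a 32-bit process, %windir%\System32 is redirected to SysWOW64, so a
    # "literal" System32 path still yields the 32-bit powershell.exe.
    # Sysnative is the alias a 32-bit process uses to reach the real System32;
    # it does not exist from a 64-bit process.
    $sysnative = Join-Path $env:windir 'Sysnative\WindowsPowerShell\v1.0\powershell.exe'
    [pscustomobject]@{
        Time            = Get-Date -Format o
        Identity        = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Is64BitOS       = [Environment]::Is64BitOperatingSystem
        Is64BitProcess  = [Environment]::Is64BitProcess
        HostPath        = (Get-Process -Id $PID).Path
        PSModulePath    = $env:PSModulePath -split ';'
        LocalAccounts   = [bool](Get-Module -ListAvailable -Name Microsoft.PowerShell.LocalAccounts)
        SysnativeHost   = $sysnative
        SysnativeExists = Test-Path -LiteralPath $sysnative
    }
}

$ctx = Get-PSHostContext
$ctx | Format-List | Out-String | Add-Content -Path $log

# 32-bit host on 64-bit Windows: re-run this same script in the 64-bit host
# and hand its exit code back to the launcher.
if ($ctx.Is64BitOS -and -not $ctx.Is64BitProcess -and $ctx.SysnativeExists) {
    Add-Content -Path $log -Value "Re-launching via $($ctx.SysnativeHost)"
    & $ctx.SysnativeHost -NoProfile -File $PSCommandPath @args
    exit $LASTEXITCODE
}

# Fail loudly instead of hitting "cmdlet is not recognized" further down.
if (-not $ctx.LocalAccounts) {
    Add-Content -Path $log -Value 'Microsoft.PowerShell.LocalAccounts not found in this host.'
    exit 1
}

# ... the existing lookup and Add-LocalGroupMember call continue here ...
```

Comparing the log from a setupcomplete.cmd run with one from the agent-launched run shows which of these values differs between the two contexts.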