JEA for non IT technician ? #9752
Comments
@tlsalex Hmmm - wouldn't wrapping the commands in a small script suffice? The user would run
@bpayette, thank you. But in another case, for some security reason, PowerShell is disabled via policy by the security team, and a non-IT-technician user sometimes needs to run some apps that require elevated rights. I have been looking for a way to solve this situation for a long time. RUNAS is my current solution, but it is not the best solution when we compare it with chmod u+s in Linux.
You can digitally sign the script to make it work. However, if you don't have access to the private certificate of your company, or PowerShell is disabled, then you need to talk with the Administrators.
@tlsalex To be clear, setuid is an operating system feature not a shell feature. You could try opening a bug on Windows itself to get the kernel team to add setuid support but that seems unlikely given that setuid is broadly considered a security risk. As @MovGP0 suggests, a better option would be to talk to the Admin team and see why they are blocking PowerShell.
Dup #11343
OK, this is my second time asking the same question, which is about how to let a normal user run an app or cmdlet that requires elevated rights.
Now I know how to define a JEA in a system. I will use the steps below to run a desired app (external command):
Enter-PSSession -ComputerName WS-FN -ConfigurationName finance_admins
money.exe
invoice.exe
But if the user is not an IT technician, she is just a normal user from the finance dept.
Should I just tell her to type the first command, then type the app name to run it?
It is not convenient at all.
However, in Linux, we can use chmod to make an app always run as the owner of that file; let's say the owner is root.
chmod u+s /path/to/file/or/executable
Then other normal users just run it without any steps. This way is very convenient and handy.
Any good ideas?
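The two manual steps from the post above (connect to the `finance_admins` endpoint on `WS-FN`, then type the app name), wrapped in a small script as suggested in the comments. This is an added example, not code from the thread or from the PowerShell project; the script name `Run-FinanceApp.ps1` is hypothetical, and it assumes the endpoint already exposes `money.exe` and `invoice.exe` to the user's role.

```powershell
# Run-FinanceApp.ps1 (hypothetical name): the one script a finance user runs.
# Usage: .\Run-FinanceApp.ps1 -App invoice.exe
[CmdletBinding()]
param(
    # Only the two apps named in the post are accepted; any other value is
    # rejected locally, before a connection to the endpoint is attempted.
    [Parameter(Mandatory)]
    [ValidateSet('money.exe', 'invoice.exe')]
    [string]$App
)

$ErrorActionPreference = 'Stop'

# A JEA endpoint normally runs in NoLanguage mode, where variables and
# $using: are not available remotely. Map each allowed name to a literal
# script block instead of building a command from the input string.
$command = switch ($App) {
    'money.exe'   { { money.exe } }
    'invoice.exe' { { invoice.exe } }
}

try {
    # Same computer and configuration name as the Enter-PSSession call in the
    # post; Invoke-Command runs one command and returns instead of leaving the
    # user at an interactive remote prompt.
    Invoke-Command -ComputerName 'WS-FN' `
                   -ConfigurationName 'finance_admins' `
                   -ScriptBlock $command
}
catch {
    # Typical causes: the user is not in a role mapped to the endpoint, or
    # the app is not listed in the role's VisibleExternalCommands.
    Write-Warning "Could not run $App via finance_admins: $($_.Exception.Message)"
    exit 1
}
```

The wrapper is a convenience only: what the user may run with elevated rights is still decided by the endpoint's role capability, so editing the script grants nothing extra. A remoting session has no interactive desktop, so this suits console tools rather than apps that need to show a window.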