Question

Worklet that interacts with GPO on a Domain Controller?

  • 3 July 2024
  • 1 reply
  • 18 views

Badge

Hello,

We’re encountering a problem where we are running a worklet to import a Group Policy object on a domain controller - the Automox worklet runs as System so has no domain permissions to be able to interact with Group Policy.  Has anyone found a way to run a set of PowerShell commands within a worklet as a domain user with elevated privileges, eg. Domain Admin?

Cheers,
Mark.


1 reply

Userlevel 3

Hey @MRaybone!

While you are correct in that Worklets run as SYSTEM, we do have functions within the Worklet Development Kit that you can use to impersonate or run processes as a current user:

https://developer.automox.com/developer-portal/wdk/generated/win32/winsession/#start-processasactiveuser

 

That said, I think I’d need to learn more about what you are trying to achieve here.

 

Are you attempting to use the Import-GPO cmdlet to replicate a GPO backup to a new domain controller? If so, my first thought is you could use Start-Process to invoke powershell.exe and then pass the -Credential parameter to it.  Using Automox Shared Secrets, you could then pass your creds securely through the pipeline.

https://learn.microsoft.com/en-us/powershell/module/grouppolicy/import-gpo?view=windowsserver2022-ps


If you can share the script or methods you’re investigating, I’ll see how we can help!

Reply