Question

Worklet that interacts with GPO on a Domain Controller?

  • 3 July 2024

Hello,

We’re encountering a problem where we are running a worklet to import a Group Policy object on a domain controller - the Automox worklet runs as System, so it has no domain permissions to be able to interact with Group Policy. Has anyone found a way to run a set of PowerShell commands within a worklet as a domain user with elevated privileges, e.g. Domain Admin?

Cheers,
Mark.

Hey @MRaybone!

While you are correct in that Worklets run as SYSTEM, we do have functions within the Worklet Development Kit that you can use to impersonate or run processes as a current user:

https://developer.automox.com/developer-portal/wdk/generated/win32/winsession/#start-processasactiveuser

 

That said, I think I’d need to learn more about what you are trying to achieve here.

 

Are you attempting to use the Import-GPO cmdlet to replicate a GPO backup to a new domain controller? If so, my first thought is you could use Start-Process to invoke powershell.exe and then pass the -Credential parameter to it.  Using Automox Shared Secrets, you could then pass your creds securely through the pipeline.

https://learn.microsoft.com/en-us/powershell/module/grouppolicy/import-gpo?view=windowsserver2022-ps


If you can share the script or methods you’re investigating, I’ll see how we can help!
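The Start-Process approach suggested in the reply above, as an added example that is not part of the original thread and is not Automox's own code. It assumes the secrets reach the worklet as the environment variables `GPO_SVC_USER` and `GPO_SVC_PASS`; those names, the backup path and the GPO name are hypothetical.

```powershell
# Added example. Assumed: secrets arrive as environment variables named
# GPO_SVC_USER / GPO_SVC_PASS; the backup folder and GPO name are placeholders.
$ErrorActionPreference = 'Stop'
$backupPath = 'C:\Temp\GpoBackup'   # folder holding the GPO backup (assumed)
$gpoName    = 'Baseline Policy'     # display name of the backed-up GPO (assumed)

if (-not $env:GPO_SVC_USER -or -not $env:GPO_SVC_PASS) {
    Write-Output 'Credential secrets are not available to this worklet.'
    exit 1
}

# Build the credential in memory so the password never lands on a command
# line, where process-creation auditing would record it.
$securePass = ConvertTo-SecureString $env:GPO_SVC_PASS -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($env:GPO_SVC_USER, $securePass)

# The child script carries only non-secret values and reports failure
# through its exit code.
$inner = @"
try {
    Import-Module GroupPolicy -ErrorAction Stop
    Import-GPO -BackupGpoName '$gpoName' -TargetName '$gpoName' -Path '$backupPath' -CreateIfNeeded -ErrorAction Stop
    exit 0
} catch { exit 1 }
"@

# -EncodedCommand takes Base64 of the UTF-16LE script text, which sidesteps
# the quoting problems of passing a script through -ArgumentList.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))

$startArgs = @{
    FilePath         = 'powershell.exe'
    ArgumentList     = '-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded
    Credential       = $cred
    WorkingDirectory = $env:SystemRoot   # SYSTEM's current directory may be unreadable to the account
    Wait             = $true
    PassThru         = $true
}
$proc = Start-Process @startArgs

if ($proc.ExitCode -ne 0) {
    Write-Output "Import-GPO failed for '$gpoName' (child exit code $($proc.ExitCode))."
}
exit $proc.ExitCode
```

The account in the credential needs read access to the backup folder and rights to create or edit GPOs in the target domain.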


Hi Jon!

We are applying a Group Policy to a large number of individual domains.  We created the group policy, backed it up, and intended to use Automox to import it to a domain controller in every domain we needed to hit.

The current user angle wouldn’t work as no user would be logged on to a domain controller; however, the Start-Process with Secrets method you mentioned seems like a promising approach that we’ll look into using.

Cheers!
Mark

