Why you should almost never need to run anything as Admin in Automate

By far the biggest trap that people fall into when they start leveraging the capabilities of Automate scripting, commands and all other sorts of goodies, is that they choose to run those features as Admin. There are a significant number of functions that allow you to run as Admin. Most people try these functions and find they don’t work as expected. These functions include:

  1. Process Execute As Admin
  2. File Copy as Admin
  3. File Delete as Admin
  4. File Rename as Admin
  5. Folder Create as Admin
  6. Folder Delete as Admin
  7. Powershell Command as Admin
  8. Shell as Admin
  9. Any Execute Script with Run As Admin Selected

There are a number of reasons why this is both unnecessary and doesn’t normally work. Before we get into those reasons, here is the reason they are unnecessary: the Automate Service almost always runs under the context of the System Account. The System Account is the big daddy of all permissions; it basically gives you the ability to do ANYTHING on a local agent. Typically, SYSTEM has permission to everything, including all files, all Windows functions and all services. You cannot get a higher privileged account in Windows. Because the Automate service runs under the context of SYSTEM, it inherits all of the abilities of the SYSTEM account, allowing you PHENOMENAL COSMIC POWER, itty bitty living space. Essentially, you can do pretty much anything with a standard function without needing to Run as Admin because the Automate service runs under this account.

When you use one of the Automate functions to Run as Admin, there are usually two hurdles:

  1. The function will extract the Admin credentials set at the Location level and attempt to use them – if they are wrong, all those functions will fail
  2. Even if you successfully manage to pass the first hurdle, you end up in a completely backwards position when UAC is enabled on an agent, because when Automate launches the task as the user, the NON-elevated token is used. This is by Microsoft’s design, because UAC is supposed to prevent unauthorised changes. Even though you are starting as SYSTEM and launching as an Administrator with valid credentials, you will not have Administrator rights. If you think that sounds stupid, you’re right. There is strong and active feedback on this back to ConnectWise in the LabTech Geek community. Ironically, this means you often end up with less ability than if you had just run the script function without the “As Admin”.

When would you actually need to use the “As Admin” commands? One usage would be when you need to copy something to a UNC Path. The computer account (SYSTEM) doesn’t tend to have permission to access shares, but the user does not need to be elevated for a file copy or similar operation.
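To see which of the situations above a script step is actually in, the following PowerShell reports whether it is running as SYSTEM, whether the token is elevated, and whether it is a UAC-filtered admin token. This is an added example, not code from the original post or from ConnectWise; `Get-RunContext` and its `-SharePath` parameter are hypothetical names chosen for illustration.

```powershell
# Added example: report the security context a script step actually runs in.
# Get-RunContext and -SharePath are hypothetical names, not Automate functions.
function Get-RunContext {
    param(
        [string]$SharePath   # optional UNC path to probe (supply your own share)
    )

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when BUILTIN\Administrators is enabled in this token.
    $elevated = $principal.IsInRole($adminRole)

    # whoami also lists deny-only groups, so the Administrators SID shows up
    # even on a UAC-filtered token. The SID column is not localized;
    # S-1-5-32-544 is BUILTIN\Administrators.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header 'Group', 'Type', 'SID', 'Attributes'
    $adminMember = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })

    $result = [ordered]@{
        User          = $identity.Name
        IsSystem      = $identity.IsSystem
        Elevated      = $elevated
        AdminMember   = $adminMember
        # Administrators member without elevation: the second hurdle above.
        FilteredByUAC = ($adminMember -and -not $elevated)
    }

    if ($SharePath) {
        # SYSTEM reaches the network as the computer account, so this tends
        # to be False under SYSTEM and True under a user with share access.
        $result.CanReachShare = Test-Path -LiteralPath $SharePath
    }

    [pscustomobject]$result
}

Get-RunContext | Format-List
```

Run it once through a standard function and once through the “As Admin” variant on the same agent: `IsSystem = True` with `Elevated = True` is the normal service context, while `FilteredByUAC = True` is the case where “As Admin” leaves you with fewer rights than SYSTEM.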

Remember this best practice advice from our Lord and Saviour ART:

 

 

2018-03-02T23:30:43+00:00
