Assumes:
- PowerShell 2.0
- Windows Server 2008 or R2 (will work on others, but the steps will be slightly different)
- If signing the script, you know how to get a cert and the basics of managing certs
Creating a signed script (optional)
- Ensure you have a valid code signing cert installed in your user store and that you're logged on as that user. This is easiest if your organization has PKI with a code signing template enabled. This user should NOT be the service account, but rather the author of the script (you, I'm guessing).
- After finishing your script, execute:
  - $cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigning)[0] (assuming you have only one code signing cert)
  - Set-AuthenticodeSignature .\myscriptname.ps1 $cert
Stage Server/Account
- Create the service account. To be controlled correctly this should be a domain account with no additional privileges above that of a standard user. For additional security, set it so the user can only log on to the computer you intend to run the script on. Use a good password.
- Give that user "Log on as a batch job" rights on the target server using the local security policy or group policy if applicable.
- Create the directory the script will be stored in. Give the service account READ access to that directory.
- Copy the script to the target directory
- Variable step, depending on whether you're signing or not:
  - If signing, execute as admin in PowerShell on the server: Set-ExecutionPolicy AllSigned
  - Then log onto the server with the service account and run the script manually. This will prompt PowerShell to ask if you want to trust the publisher based on the cert. Select that you will always trust this publisher (which is you!). If you can't log on locally or on a VM console, you'll need to temporarily grant the service account RDP access.
  - If not signing, execute as admin: Set-ExecutionPolicy Unrestricted
Setup Scheduled Task
- Open Task Scheduler and navigate to the folder you would like the task to reside in.
- In the right pane, right-click -> Create New Task...
- Give the Task a Name and Description. Don't skip the description, it'll save time having it there in the future.
- Select "Run whether user is logged on or not" and ensure the "Do not store password" box is NOT checked. Select "Run with highest privileges" ONLY if your script requires it. (Powershell itself does not)
- Click "Change User or Group" and enter the service account you created earlier.
- Select the "Triggers" tab and set triggers as appropriate
- Select the "Actions" tab and click "New..."
- Action: "Start a program"; Program/script: "powershell.exe" (full path shouldn't be necessary); Add arguments: "-NoLogo -NonInteractive -WindowStyle Hidden D:\path\to\your\script.ps1"
- Change settings on the "Settings" tab if desired
- Click "OK" and enter the password for the Service Account
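As an added example (not part of the original post), here is a PowerShell 2.0 script to run as an admin on the target server: it checks the staging steps above (signature status, execution policy, and that the service account has Read but not Write on the script directory) and then creates the task with schtasks.exe, the command-line equivalent of the Task Scheduler steps. The account name, script path, task name and schedule are assumed placeholders.

```powershell
# Added example, not from the original post. Pre-flight checks for the staging steps,
# then task creation with schtasks.exe. The values below are assumed placeholders.
$ServiceAccount = 'CONTOSO\svc-script'           # domain service account from "Stage Server/Account"
$ScriptPath     = 'D:\Scripts\myscriptname.ps1'  # where the script was copied (no spaces assumed)
$TaskName       = 'MyScript-Nightly'             # assumed task name
$RequireSigned  = $true                          # $false if you took the unsigned path

$problems = @()

# 1. Signature: under AllSigned the task fails silently unless this is 'Valid'.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($RequireSigned -and $sig.Status -ne 'Valid') {
    $problems += "Signature status is '$($sig.Status)', expected Valid."
}

# 2. Execution policy must match the path chosen (AllSigned vs Unrestricted).
$expected = 'Unrestricted'
if ($RequireSigned) { $expected = 'AllSigned' }
$policy = Get-ExecutionPolicy
if ($policy -ne $expected) { $problems += "ExecutionPolicy is $policy, expected $expected." }

# 3. Directory ACL: the account needs Read, but must not be able to change the script it
#    runs, so any Write bits (also contained in Modify/FullControl) granted to it are flagged.
#    Only ACEs naming the account directly are inspected; group-based grants are not resolved.
$dir       = Split-Path -Parent $ScriptPath
$readBits  = [int][System.Security.AccessControl.FileSystemRights]::Read
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
$hasRead   = $false
foreach ($ace in (Get-Acl -Path $dir).Access) {
    if ($ace.IdentityReference.Value -ne $ServiceAccount -or $ace.AccessControlType -ne 'Allow') { continue }
    $rights = [int]$ace.FileSystemRights
    if (($rights -band $readBits) -eq $readBits) { $hasRead = $true }
    if (($rights -band $writeBits) -ne 0) { $problems += "$ServiceAccount can write to $dir (should be READ only)." }
}
if (-not $hasRead) { $problems += "$ServiceAccount has no direct Read grant on $dir." }

if ($problems.Count -gt 0) {
    foreach ($p in $problems) { Write-Warning $p }
    return
}

# 4. Create the task: /RU plus /RP * stores the credential (the "Run whether user is logged on
#    or not" option) and /RL LIMITED is the opposite of "Run with highest privileges".
#    -File makes powershell.exe treat the path as a script file; the daily 02:00 schedule is assumed.
$action = "powershell.exe -NoLogo -NonInteractive -WindowStyle Hidden -File $ScriptPath"
schtasks.exe /Create /TN $TaskName /TR $action /SC DAILY /ST 02:00 /RU $ServiceAccount /RP '*' /RL LIMITED
```

schtasks.exe prompts for the service account password at the /RP * step, which is the same prompt you get when clicking "OK" in the GUI.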