I am writing a function to verify a service is running before passing a variable to another function and right now it only works because I have been given local admin rights, but when this goes live, it will be run by users that do not get and will not get local admin rights. I found some articles online that said you can create a local group and give that group invoke rights and assign users to the local group, but that didn’t work either. Any suggestions as to how else I can accomplish this?
Windows is pretty unwilling to let non-administrators have access to that kind of information, especially remotely, because it’s a huge potential security hole. Opening the kind of access you’re talking about would make it vastly easier for a bad actor to collect information about the entire environment - and, because that’s the case, Windows doesn’t make this easy.
The right way to do this is to use PowerShell Remoting. On the machine where the service runs, you set up a Remoting endpoint that allows just the users you want, runs under a different (admin) credential, and only includes the Get-Service command (for example). “Secrets of PowerShell Remoting” discusses this. It does require the server to have PowerShell 3 (you can do it in 2, but it’s harder) and that the server permit incoming Remoting connections.
I recently changed how a couple of our developers do some of their work. I did this by removing their dependence on my team, as a part of their workflow. A part of the project included creating PowerShell constrained endpoints.
I brought one server up to .NET 4 (as it is a PS 3.0 requirement) and then installed PowerShell 3.0 on both (Don’s right. It’s much easier). I limited the visible cmdlets and functions that can be used in the session, set the endpoint to runAs a domain account that has local admin privileges on the servers, and edited the permissions on the endpoint, so my developers are able to connect to it and use it. With the help of two functions I wrote, they can return the status of two services (only!) – the ones I want them to see – and stop, start, and restart (only!) those two services, too. You can start learning New-PSSessionConfigurationFile on your own computer (PS 3.0 and greater). Once you have a .pssc file created by that command, you can register it using Register-PSSessionConfiguration and unregister it with Unregister-PSSessionConfiguration. I am planning to do a write up on this recent project, so I can share the entire process – from beginning to end – for those it may help.
I just remembered, I added a picture of the endpoint/functions in action recently. Here it is on Twitter: https://twitter.com/thetommymaynard/status/598215657876893696
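The constrained endpoint described in the two replies above, written out as an added example (this is not the posters' code and not the write-up they mention). It assumes PowerShell 3.0 or later on the server, two placeholder service names (`Spooler` and `W32Time`), a placeholder domain group `CONTOSO\ServiceOperators` that should be allowed to connect, a placeholder RunAs account `CONTOSO\svc-serviceops` that is a local administrator on the server, and the placeholder server name `SERVER01`; replace all of those with your own values.

```powershell
# --- On the server (run once, as a local administrator) ---------------------
# Added example, not from the original thread. All names below are placeholders.

$configPath = 'C:\PSSessionConfigs\ServiceOps.pssc'
New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null

$sessionConfig = @{
    Path                = $configPath
    # RestrictedRemoteServer exposes only the handful of proxy cmdlets remoting needs
    # (Get-Command, Get-FormatData, Select-Object, Measure-Object, Exit-PSSession, ...).
    SessionType         = 'RestrictedRemoteServer'
    # NoLanguage: connecting users can call the functions we define but cannot run
    # arbitrary script, assign variables, or use operators in the session.
    LanguageMode        = 'NoLanguage'
    # Only these two functions are visible; Get-Service/Restart-Service themselves stay hidden.
    VisibleFunctions    = 'Get-AllowedService', 'Restart-AllowedService'
    FunctionDefinitions = @(
        @{
            Name        = 'Get-AllowedService'
            ScriptBlock = {
                # ValidateSet is the allow-list: only these two services can be queried.
                param([Parameter(Mandatory)][ValidateSet('Spooler', 'W32Time')][string]$Name)
                Get-Service -Name $Name | Select-Object Name, Status, StartType
            }
        }
        @{
            Name        = 'Restart-AllowedService'
            ScriptBlock = {
                param([Parameter(Mandatory)][ValidateSet('Spooler', 'W32Time')][string]$Name)
                Restart-Service -Name $Name -PassThru | Select-Object Name, Status
            }
        }
    )
}
New-PSSessionConfigurationFile @sessionConfig

# Resolve the operators group to a SID and build an SDDL that grants it (and local
# Administrators) full access to the endpoint. Everyone else is denied by default.
$groupSid = (New-Object System.Security.Principal.NTAccount('CONTOSO\ServiceOperators')).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$groupSid)"

# The RunAs credential is what the functions execute under, so the connecting user
# needs no local admin rights at all. Register-PSSessionConfiguration restarts WinRM.
$runAs = Get-Credential -UserName 'CONTOSO\svc-serviceops' -Message 'RunAs account for the endpoint'
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $configPath `
    -RunAsCredential $runAs -SecurityDescriptorSddl $sddl -Force

# Verify what was registered: the permission string and the RunAs user should match.
Get-PSSessionConfiguration -Name 'ServiceOps' | Format-List Name, Permission, RunAsUser, SessionType

# --- On the developer's workstation (no admin rights needed) -----------------
# Only the two allow-listed functions exist in this session; anything else is rejected.
Invoke-Command -ComputerName 'SERVER01' -ConfigurationName 'ServiceOps' `
    -ScriptBlock { Get-AllowedService -Name 'Spooler' }

# A third service name fails parameter validation before Get-Service ever runs:
Invoke-Command -ComputerName 'SERVER01' -ConfigurationName 'ServiceOps' `
    -ScriptBlock { Get-AllowedService -Name 'wuauserv' }
```

If you prefer to edit the endpoint's ACL interactively instead of building an SDDL string, `Set-PSSessionConfiguration -Name ServiceOps -ShowSecurityDescriptorUI` opens the same permission dialog after registration. The two design points that carry the security here are the RunAs account (the caller's own rights never matter) and the `ValidateSet` allow-lists inside the functions (the endpoint, not the caller, decides which services are reachable); `Unregister-PSSessionConfiguration -Name ServiceOps` removes the endpoint again.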