OUR PRECONDITIONS

  • The old network infrastructure, referred to as OldNet:
    Doesn’t support 802.1x.
    Two domains on different VLANs with a one-way trust, referred to as Enterprise and Educational.
    The two domains have their own network infrastructure, different IP Helpers, DNS, DHCP and so on.

  • The new infrastructure, referred to as NewNet:
    802.1x is required using CISCO ISE and Layer 3 switches.
    Only one fallback net with its own IP range, common for both domains, which also supports WebAuth guest access.
    The two domains still have their own IP range, DHCP, DNS etc. but will use the same PXE-server since PXE boot is taking place on the fallback network.

  • Both the old and the new network infrastructure will be used to deploy Windows 10 x64 and Windows 7 x86.

  • MAB will not be used during OSD. The network team doesn’t want to spread a special OSD VLAN, so clients will get an IP address according to their current location, and only certificate-based authentication is allowed.

  • The task sequence needs to support both the new-computer and refresh scenarios as well as BIOS to UEFI conversion, regardless of the currently installed operating system.
    The scripts used for managing 802.1x need to support Windows 7 and its PowerShell version.

someguy100

Target and impersonate users with SCCM’s Run Script, Part 1 – The PoC

Updated: Sep 23, 2019

There will be a use-case, but as for now, here’s an early version of the engine. What it allows you to do:

  • Run scripts as the user rather than system. (If you want to. Got a param for it)

  • Target users logged on to a computer (sort of) using the fast channel.

UserWrapper.ps1 -> Import this script in the SCCM console. This is the wrapper for every script that you might deploy, and it will be static: no need to import another version of it just to deploy a new script. This of course has security impacts. Every user that has a role which allows the user to run scripts (but not to create nor approve them) can bypass those restrictions by calling this script.

So I recommend creating some kind of countermeasure, like a security scope or such which only allows users that can create scripts to run this one.

I’ve created a function within the script which prevents it from executing the downloaded script if the client OS is anything but a workstation. Once you’ve experienced a required deployment targeting a user resource, you know why. ;P

Msgbox3.ps1 -> The script that this PoC will download and trigger. Nothing out of the ordinary: it shows a topmost message box if launched interactively, or writes the same text to the log if it’s not.

Invoke-SCCMScriptUserTarget.ps1 -> This is the script to run and edit to automate things. It passes the script to download, the hash of it and some other stuff to the UserWrapper. I’m using @johnsson_r’s Invoke-SCCMRunScript.ps1, since Invoke-CMScript doesn’t support passing parameters, at least not in 1810, which is our current version.
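The two safeguards the post describes for the wrapper, the workstation-only check and the hash check on the downloaded script, as an added example that is not the author’s UserWrapper.ps1. The parameter names, SHA-256 as the hash algorithm, the WMI ProductType check and the Windows 7 / PowerShell 2.0 compatible style (no Get-FileHash) are assumptions.

```powershell
# Added example, not the post's UserWrapper.ps1. Parameter names and SHA-256 are assumptions.
param(
    [Parameter(Mandatory=$true)][string]$ScriptUrl,
    [Parameter(Mandatory=$true)][string]$ExpectedSha256
)

# Refuse to run anywhere but a workstation. Win32_OperatingSystem.ProductType is
# 1 for workstations, 2 for domain controllers and 3 for member servers.
function Test-IsWorkstation {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return ([int]$os.ProductType -eq 1)
}

# SHA-256 of a file as an upper-case hex string, without Get-FileHash,
# which the PowerShell 2.0 shipped with Windows 7 does not have.
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

if (-not (Test-IsWorkstation)) {
    Write-Output 'Not a workstation, refusing to run the downloaded script.'
    exit 1
}

# Download to a random file name under %TEMP% and verify it before anything runs.
$local = Join-Path $env:TEMP ('cm-' + [System.IO.Path]::GetRandomFileName() + '.ps1')
(New-Object System.Net.WebClient).DownloadFile($ScriptUrl, $local)

# The caller passes the expected hash; it must match what was actually downloaded.
if ((Get-Sha256Hex -Path $local) -ne $ExpectedSha256.ToUpper()) {
    Remove-Item -Path $local -Force
    Write-Output 'Hash mismatch, downloaded script discarded.'
    exit 1
}

# Only a script that passed both checks gets this far. The post's "run as user"
# path is deliberately left out here; this runs in the calling context.
& $local
Remove-Item -Path $local -Force
```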


The use case might seem vague, but there’s a reason this is called Part 1 =)



616 views0 comments

Comments


bottom of page