Always on VPN script from MS

To add the Always On VPN profile via the script provided by MS you have to run it in an elevated shell. However, of course, this adds the VPN profile to the administrator’s profile.

How can I run a script as an admin against another user’s profile?

Use PSEXEC and the system account. Works a dream.

This is what I used:

    rem Batch fragment: sourceWithoutQuotes and PowershellHome are set earlier in the script.
    set powershellCommand="&{Start-Transcript -Path '%sourceWithoutQuotes%\PSExecOutput.log'; & '%sourceWithoutQuotes%\New-AovpnDevice.ps1' '%sourceWithoutQuotes%\XMLFiles\VPN_Profile_Device_Secure.xml' 'AOVPN Device Tunnel'; Stop-Transcript; exit $LASTEXITCODE}"
    set psexecPath="%sourceWithoutQuotes%\PSEXEC\Psexec.exe"

    rem -s runs as SYSTEM, -i runs in the interactive session; the transcript records what the script did.
    %psexecPath% -accepteula -si %PowershellHome%\powershell.exe -ExecutionPolicy Bypass -NoExit -Command %powershellCommand%

There are three ways that I know:

  1. Make the user a local admin temporarily and run it that way
  2. Use ConfigMgr to push it as a package
  3. Use Intune services.

I am fairly confident that is it. We use method 2 here at my work.

Instead of running psexec in system context, I think you can run-as a different user context.

    runas /user:USERNAME "c:\program.exe"

You need to split this up.

First run program installations and such as system,
then create a task that runs in the user context which does hkcu things
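One way to do the second half of that split, as an added example that is not from the thread: from the elevated (SYSTEM) step, register a one-shot scheduled task that runs the user-tunnel script as the interactive user, so the HKCU work happens under that account with a non-elevated token. The script path, XML path and task name are assumed values.

```powershell
# Added example: run the per-user part in the logged-on user's own context via a
# scheduled task. Register this from the elevated deployment step (e.g. under SYSTEM).
$scriptPath  = 'C:\ProgramData\AOVPN\New-AovpnConnection.ps1'        # assumed location
$profileXml  = 'C:\ProgramData\AOVPN\VPN_Profile_User_Secure.xml'    # assumed location
$profileName = 'Aovpn User'
$taskName    = 'AOVPN-UserProfile'                                   # assumed task name

# Win32_ComputerSystem.UserName is DOMAIN\user for the console session, $null if nobody is on.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $consoleUser) { throw 'No interactive user logged on; nothing to target.' }

$argList = "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`" `"$profileXml`" `"$profileName`""
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $argList

# Interactive logon type: runs in that user's session with no stored password.
# RunLevel Limited: the user's script gets no elevated token, so anything that
# needs HKLM or admin rights must already have been done in the SYSTEM step.
$principal = New-ScheduledTaskPrincipal -UserId $consoleUser -LogonType Interactive -RunLevel Limited

# Fire once, then let the Task Scheduler delete the task after its end boundary passes.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)
$trigger.EndBoundary = (Get-Date).AddHours(1).ToString('s')
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DeleteExpiredTaskAfter (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
    -Trigger $trigger -Settings $settings -Force | Out-Null
Start-ScheduledTask -TaskName $taskName
```

Because the task runs only while that user is logged on, the deployment job should check the task's last run result afterwards rather than assume success.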

This may be putting the cart before the horse, but at my last place I used JEA for configuring Azure P2S VPN as it required admin rights to modify routes.
So you might be able to do something similar:

Use PS Remoting (or DSC/GPO etc) to configure JEA.
Within the JEA configuration, it was set up with a function like Start-{companyName}VPN which just ran the commands that connected the VPN. Same deal for the “Stop” function.

There was some other jiggery pokery going on regarding the .pbk file for the VPN profile but other than that it was a case of providing them a way to run the command without too much thought i.e. a shortcut on the desktop etc.

JEA

I had similar issues and psexec didn’t seem to help. I adjusted my AlwaysOn VPN to be device based using machine certs. Love it.

https://4sysops.com/archives/configuring-and-deploying-always-on-vpn-device-tunnels/

Thanks I’ll try later.
And if you were born in 1995, boy are us dinosaurs in hot water! Maybe I should become a chef

I used this for the user tunnel too

    rem Same batch pattern as the device tunnel, pointed at the user-tunnel script and XML.
    set powershellCommand="&{Start-Transcript -Path '%sourceWithoutQuotes%\PSExecOutput.log'; & '%sourceWithoutQuotes%\New-AovpnConnection.ps1' '%sourceWithoutQuotes%\XMLFiles\VPN_Profile_User_Secure.xml' 'Aovpn User'; Stop-Transcript; exit $LASTEXITCODE}"
    set psexecPath="%sourceWithoutQuotes%\PSEXEC\Psexec.exe"

    %psexecPath% -accepteula -si %PowershellHome%\powershell.exe -ExecutionPolicy Bypass -NoExit -Command %powershellCommand%
    @echo %ERRORLEVEL%

howdy brookd1995,

reddit likes to mangle code formatting, so here’s some help on how to post code on reddit …

[0] single line or in-line code
enclose it in backticks. that’s the upper left key on an EN-US keyboard layout. the result looks like this. kinda handy, that. [grin]
[on New.Reddit.com, use the Inline Code button. it’s 5th from the left, hidden in the “more” menu, & looks like </>.
this does NOT line wrap & does NOT side-scroll on Old.Reddit.com!]

[1] simplest = post it to a text site like Pastebin.com or Gist.GitHub.com and then post the link here.
please remember to set the file/code type on Pastebin! [grin] otherwise you don’t get the nice code colorization.

[2] less simple = use reddit code formatting …
[on New.Reddit.com, use the Code Block button. it’s 12th from the left, hidden in the “more” menu, & looks like an uppercase T in the upper left corner of a square.]

  • one leading line with ONLY 4 spaces
  • prefix each code line with 4 spaces
  • one trailing line with ONLY 4 spaces

that will give you something like this …

    - one leading line with ONLY 4 spaces
    - prefix each code line with 4 spaces
    - one trailing line with ONLY 4 spaces

the easiest way to get that is …

  • add the leading line with only 4 spaces
  • copy the code to the ISE [or your fave editor]
  • select the code
  • tap TAB to indent four spaces
  • re-select the code [not really needed, but it’s my habit]
  • paste the code into the reddit text box
  • add the trailing line with only 4 spaces

not complicated, but it is finicky. [grin]

take care,
lee

This is what we ran into as well. The user must be an admin to run the script in an elevated prompt. We switched to Intune. Honestly the VPN works great, but the management in Intune is terrible; even custom IKE settings make the VPN settings GUI useless and you have to switch to XML.

Intune is the way to go though; SCCM would probably work but we don’t use it. Too bad there isn’t just a GPO.

I’ve found a hack. Run a scheduled task as SYSTEM and amend the script to include the user’s SID. Of course that involves manually updating the script for every user. Will test your suggestions later.

So replace the last bit with ./vpn_profile.ps1

Thanks will try

I’ve found a hack. Run a scheduled task as SYSTEM and adjust the VPN script to include the user’s SID. I’m lost on your suggestion, I’m afraid. Can you elaborate a little more please?

It’s a shame you need enterprise licensing!

This won’t work. It has to be in the context of the user and that user needs to be a local admin or another tool must be used if the escalation isn’t possible.

:rofl:, I’ve got a lot of experience for my age… Some would say it was a hard paper round :grin:

Thanks Lee, I’m fairly new to commenting and posting on Reddit so thanks for the info

amend the script to include the user’s SID. Of course that involves manually updating the script for every user.

No need to manually update the script. You can get the user’s SID dynamically by querying HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
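What that dynamic lookup looks like, as an added example that is not from the thread: enumerate the ProfileList key from the SYSTEM-context task, skip the service-account SIDs, and pick the profile whose hive is currently loaded, preferring the console user. The resulting SID is what the amended VPN script would be given; the script's parameter for it is not shown here because the thread does not state it.

```powershell
# Added example: resolve the logged-on user's SID at run time from ProfileList
# instead of editing the scheduled-task script for each user.
function Get-UserProfileSids {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $profileList) {
        $sid = $key.PSChildName
        # Skip the built-in service accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).
        if ($sid -in 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') { continue }

        $account = $null
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch { }   # orphaned profile of a deleted or unreachable domain account

        [pscustomobject]@{
            Sid         = $sid
            Account     = $account
            ProfilePath = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
            # HKEY_USERS\<SID> exists only while that user's hive is loaded, i.e. logged on.
            HiveLoaded  = Test-Path -Path "Registry::HKEY_USERS\$sid"
        }
    }
}

# Prefer the console user (DOMAIN\user from Win32_ComputerSystem); fall back to any loaded hive.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
$loaded = Get-UserProfileSids | Where-Object HiveLoaded
$target = $loaded | Where-Object { $_.Account -eq $consoleUser } | Select-Object -First 1
if (-not $target) { $target = $loaded | Select-Object -First 1 }
if (-not $target) { throw 'No user profile hive is loaded; nobody appears to be logged on.' }

"Targeting $($target.Account) ($($target.Sid)) at $($target.ProfilePath)"
```

On a machine with several sessions (RDP, fast user switching) more than one hive can be loaded, so log which SID was chosen rather than silently taking the first.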

I don’t think this will work as it is in the context of the user and if the user isn’t a local admin the same issues come up.