To add the Always On VPN profile via the script provided by MS you have to run this in an elevated shell. However, of course, this adds the VPN profile to the administrator's profile.
How can I run a script as an admin against another user's profile?
Use PSEXEC and the system account. Works a dream.
This is what I used:
set powershellCommand="&{Start-Transcript -Path '%sourceWithoutQuotes%\PSExecOutput.log'; & '%sourceWithoutQuotes%New-AovpnDevice.ps1' '%sourceWithoutQuotes%XMLFiles\VPN_Profile_Device_Secure.xml' 'AOVPN Device Tunnel'; Stop-Transcript; exit $LASTEXITCODE}"
set PsexecPath="%sourceWithoutQuotes%\PSEXEC\Psexec.exe"
%PsexecPath% -accepteula -si %PowershellHome%\powershell.exe -ExecutionPolicy Bypass -noexit -Command %powershellCommand%
There are three ways that I know:
I am fairly confident that is it. We use method 2 here at my work.
Instead of running psexec in system context, I think you can run-as a different user context.
Runas /user:USERNAME "c:\program.exe"
You need to split this up.
First run program installations and such as SYSTEM,
then create a task that runs in the user context which does the HKCU things.
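The split described above, as an added example that is not part of the thread: the elevated (SYSTEM) step has already copied the files machine-wide, and this snippet registers a scheduled task that runs the user-profile part under the interactive user's own token so that HKCU writes land in the right hive. The staging folder, the task name and the script name Set-AovpnUserProfile.ps1 are assumptions for illustration.

```powershell
# Added example, not code from the thread. Run this from the elevated/SYSTEM step
# after the machine-wide install has finished.
# Assumptions: files were staged to C:\ProgramData\AOVPN by the SYSTEM step and the
# user-context work lives in Set-AovpnUserProfile.ps1 (hypothetical script name).

$StageDir   = 'C:\ProgramData\AOVPN'
$UserScript = Join-Path $StageDir 'Set-AovpnUserProfile.ps1'
$TaskName   = 'AOVPN-UserProfile'

# Win32_ComputerSystem.UserName is DOMAIN\user for the console session and empty
# when nobody is logged on; there is no user context to target in that case.
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if ([string]::IsNullOrEmpty($user)) {
    throw 'No interactive user is logged on; defer the user-context step to the next logon.'
}

$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$UserScript`""

# LogonType Interactive: the task runs with that user's existing logon token (so
# HKCU is the user's hive), no password is stored, and RunLevel Limited keeps it
# unelevated, which is all an HKCU-only step needs.
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Limited

$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal `
    -Settings $settings -Force | Out-Null
Start-ScheduledTask -TaskName $TaskName

# Poll until the run finishes; 267009 (0x41301) means the task is still running.
do {
    Start-Sleep -Seconds 2
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
} while ($info.LastTaskResult -eq 267009)

Write-Host ("User-context step finished with result {0}" -f $info.LastTaskResult)
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
```

This only covers work that genuinely belongs in the user's hive. If the script itself needs admin rights (the point made elsewhere in the thread), running it as the non-admin user through a task does not change that; keep the privileged part in the SYSTEM step.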
This may be putting the cart before the horse, but at my last place I used JEA for configuring Azure P2S VPN as it required admin rights to modify routes.
So you might be able to do something similar:
Use PS Remoting (or DSC/GPO etc) to configure JEA.
Within the JEA configuration, it was set up with a function like Start-{companyName}VPN which just ran the commands that connected the VPN. Same deal for the “Stop” function.
There was some other jiggery pokery going on regarding the .pbk file for the VPN profile but other than that it was a case of providing them a way to run the command without too much thought i.e. a shortcut on the desktop etc.
I had similar issues and psexec didn’t seem to help. I adjusted my AlwaysOn VPN to be device based using machine certs. Love it.
https://4sysops.com/archives/configuring-and-deploying-always-on-vpn-device-tunnels/
Thanks I’ll try later.
And if you were born in 1995, boy are us dinosaurs in hot water! Maybe I should become a chef
I used this for the user tunnel too
set powershellCommand="&{Start-Transcript -Path '%sourceWithoutQuotes%\PSExecOutput.log'; & '%sourceWithoutQuotes%New-AovpnConnection.ps1' '%sourceWithoutQuotes%XMLFiles\VPN_Profile_User_Secure.xml' 'Aovpn User'; Stop-Transcript; exit $LASTEXITCODE}"
set PsexecPath="%sourceWithoutQuotes%\PSEXEC\Psexec.exe"
%PsexecPath% -accepteula -si %PowershellHome%\powershell.exe -ExecutionPolicy Bypass -noexit -Command %powershellCommand%
@echo %ERRORLEVEL%
howdy brookd1995,
reddit likes to mangle code formatting, so here’s some help on how to post code on reddit …
[0] single line or in-line code
enclose it in backticks. that's the upper left key on an EN-US keyboard layout. the result looks like `this`. kinda handy, that. [grin]
[on New.Reddit.com, use the Inline Code button. it's ~~4th~~ 5th from the left, hidden in the "more" menu, & looks like `</>`.
this does NOT line wrap & does NOT side-scroll on Old.Reddit.com!]
[1] simplest = post it to a text site like Pastebin.com or Gist.GitHub.com and then post the link here.
please remember to set the file/code type on Pastebin! [grin] otherwise you don't get the nice code colorization.
[2] less simple = use reddit code formatting …
[on New.Reddit.com, use the Code Block button. it's ~~11th~~ 12th from the left, hidden in the "more" menu, & looks like an uppercase T in the upper left corner of a square.]
that will give you something like this …
- one leading line with ONLY 4 spaces
- prefix each code line with 4 spaces
- one trailing line with ONLY 4 spaces
the easiest way to get that is …
not complicated, but it is finicky. [grin]
take care,
lee
This is what we ran into as well. The user must be an admin to run the script in an elevated prompt. We switched to Intune. Honestly the VPN works great but the management in Intune is terrible; even custom IKE settings make the VPN settings GUI useless and you have to switch to XML.
Intune is the way to go though; SCCM would probably work but we don't use it. Too bad there isn't just a GPO.
I’ve found a hack. Run a scheduled task as system and amend the script to include the users SID. Of course that involves manually updating the script for every user. Will test your suggestions later
So replace the last bit with ./vpn_profile.ps1
Thanks will try
I've found a hack. Run a scheduled task as SYSTEM and adjust the VPN script to include the user's SID. I'm lost on your suggestion, I'm afraid. Can you elaborate a little more please?
It’s a shame you need enterprise licensing!
This won’t work. It has to be in the context of the user and that user needs to be a local admin or another tool must be used if the escalation isn’t possible.
I've got a lot of experience for my age… Some would say it was a hard paper round.
Thanks Lee, I’m fairly new to commenting and posting on Reddit so thanks for the info
> amend the script to include the users SID. Of course that involves manually updating the script for every user.
No need to manually update the script. You can get the user’s SID dynamically by querying HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
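The dynamic SID lookup suggested above, as an added example that is not part of the thread: running as SYSTEM (PsExec -s or a scheduled task), it walks ProfileList for the S-1-5-21 profiles, picks the one whose hive is currently loaded under HKEY_USERS, and then sets the two CimOperationOptions that the Microsoft VPN_Profile.ps1 script uses to target that user's MDM context instead of the device context. Reading ProfileList avoids an NTAccount-to-SID translation, which for a domain account needs a reachable domain controller. The XML path C:\ProgramData\AOVPN\VPN_Profile_User.xml and the profile name are assumptions for illustration.

```powershell
# Added example, not code from the thread. Run as SYSTEM.
# Assumptions: the user-tunnel ProfileXML is at C:\ProgramData\AOVPN\VPN_Profile_User.xml
# and the connection is to be called "AOVPN User" (both hypothetical).

function Get-LoggedOnUserSid {
    # ProfileList has one subkey per local profile, named by SID, with ProfileImagePath.
    # Filter to S-1-5-21-* to skip SYSTEM, LocalService and NetworkService.
    $profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' }

    # A logged-on user's hive is loaded under HKEY_USERS\<SID>; an unloaded profile is not.
    $loaded = @(foreach ($p in $profiles) {
        if (Test-Path ("Registry::HKEY_USERS\{0}" -f $p.PSChildName)) {
            [pscustomobject]@{
                Sid         = $p.PSChildName
                ProfilePath = (Get-ItemProperty -Path $p.PSPath).ProfileImagePath
            }
        }
    })

    if ($loaded.Count -eq 0) { throw 'No user hive is loaded; nobody is logged on.' }
    if ($loaded.Count -gt 1) {
        # More than one session (RDP, fast user switching): fall back to the console user,
        # which does need the account-to-SID translation.
        $console = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
        if ([string]::IsNullOrEmpty($console)) { throw 'Several hives loaded and no console user to pick.' }
        $consoleSid = (New-Object System.Security.Principal.NTAccount($console)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value
        $loaded = @($loaded | Where-Object { $_.Sid -eq $consoleSid })
        if ($loaded.Count -ne 1) { throw "Console user $console has no loaded hive." }
    }
    return $loaded[0]
}

$target = Get-LoggedOnUserSid
Write-Host ("Targeting SID {0} (profile {1})" -f $target.Sid, $target.ProfilePath)

# Same CIM plumbing as the MS script: writing MDM_VPNv2_01 from a SYSTEM session
# lands in the device context unless these two options point it at the user's SID.
$ProfileName = 'AOVPN User'
$ProfileXML  = Get-Content -Path 'C:\ProgramData\AOVPN\VPN_Profile_User.xml' -Raw   # assumed path
$ProfileXML  = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

$namespace = 'root\cimv2\mdm\dmmap'
$className = 'MDM_VPNv2_01'
$nodeCSPURI = './Vendor/MSFT/VPNv2'

$session = New-CimSession
$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id',   $target.Sid,                 $false)

# Remove a stale profile of the same name for that user before creating the new one.
$existing = $session.EnumerateInstances($namespace, $className, $options) |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped }
foreach ($e in $existing) { $session.DeleteInstance($namespace, $e, $options) | Out-Null }

$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
foreach ($kv in @(
    @('ParentID',   $nodeCSPURI,         'Key'),
    @('InstanceID', $ProfileNameEscaped, 'Key'),
    @('ProfileXML', $ProfileXML,         'Property'))) {
    $prop = [Microsoft.Management.Infrastructure.CimProperty]::Create($kv[0], $kv[1], 'String', $kv[2])
    $newInstance.CimInstanceProperties.Add($prop)
}
$session.CreateInstance($namespace, $newInstance, $options) | Out-Null
Write-Host "Created '$ProfileName' in the context of $($target.Sid)"
```

Because the SID is resolved at run time, the same script can be pushed to every machine unchanged, and it fails loudly instead of silently writing the profile into the wrong context when no one, or more than one person, is logged on.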
I don’t think this will work as it is in the context of the user and if the user isn’t a local admin the same issues come up.