Run PowerShell Scripts using Account Operator account


Is it possible to run PowerShell scripts using "Account Operator" privileges? Example:

1) An engineer in my team has Account Operator privileges.
2) I have assigned him the task to create users using script.
3) The script runs fine when I run it from Domain Admins credentials.

Can a person with Account Operator privilege run the user / group creation script?

Mahesh Badge Asked:

Kanti Prasad Commented:

Account operators can create, modify, and delete accounts for users, groups, and computers but they won't have permission to modify the Administrators or the Domain Admins groups or modify the accounts for members of those groups.

Please look at the below link.
Mahesh Badge (Author) Commented:
That's fine, Kanti, and I am aware of it.

My question is what are the rights that I have to give so that the engineer can execute PowerShell scripts.
Kanti Prasad Commented:

If he cannot execute with the rights he has then temporarily give the admin rights and revoke it once the job is done.
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
Can you post your script? There must be something in it that requires more privileges than the account has.
Mahesh Badge (Author) Commented:
Import-Module ActiveDirectory
# Create one AD user per CSV row (columns: Name, ParentOU, samAccountName)
Import-Csv "E:\script.csv" | ForEach-Object {
    $userPrincipal = $_."samAccountName" + ""
    New-ADUser -Name $_.Name `
        -Path $_."ParentOU" `
        -SamAccountName $_."samAccountName" `
        -UserPrincipalName $userPrincipal `
        -AccountPassword (ConvertTo-SecureString "MyPassword123" -AsPlainText -Force) `
        -ChangePasswordAtLogon $true `
        -Enabled $true
    #Add-ADGroupMember "Domain Admins" $_."samAccountName";
}
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
I see that you have this line commented out:
#Add-ADGroupMember "Domain Admins" $_."samAccountName";

Account Operators would definitely not be able to do that. Could it be that your engineer uncommented the line?
Other than that it looks fine to me.

If you confirm with your engineer that they didn't uncomment that line, could you post the error that they're getting?

Mahesh Badge (Author) Commented:
It's me who has commented out the line because the engineer will not have permissions to add any user to the Domain Admins group.
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
OK, what is the error your engineer is getting?
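
One way to answer the question left open in the thread (which error the engineer gets), as an added example that is not code from any participant: it reports whether the session token carries Account Operators or Domain Admins, then records the exact error for every CSV row that fails. The log path, the password prompt and the omission of UserPrincipalName are assumptions of this example.

```powershell
# Added example, not from the thread. CSV columns follow the posted script.
Import-Module ActiveDirectory

$csvPath = 'E:\script.csv'           # path used in the posted script
$logPath = 'E:\script-errors.csv'    # hypothetical output path

# 1. Report which relevant groups are enabled in this session's token.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($identity.Groups | ForEach-Object { $_.Value })
$isAccountOperator = $sids -contains 'S-1-5-32-548'            # BUILTIN\Account Operators
$isDomainAdmin     = [bool]($sids -match '^S-1-5-21-.+-512$')  # <domain SID>-512 = Domain Admins
Write-Host "Running as $($identity.Name): AccountOperator=$isAccountOperator DomainAdmin=$isDomainAdmin"

# 2. Prompt for the initial password instead of embedding it (a change from the posted script).
$password = Read-Host -AsSecureString -Prompt 'Initial password for the new accounts'

# 3. Create each user; -ErrorAction Stop turns every failure into a catchable error.
$failures = foreach ($row in Import-Csv -Path $csvPath) {
    try {
        # UserPrincipalName is left out because the post does not show its suffix.
        New-ADUser -Name $row.Name `
            -Path $row.ParentOU `
            -SamAccountName $row.samAccountName `
            -AccountPassword $password `
            -ChangePasswordAtLogon $true `
            -Enabled $true `
            -ErrorAction Stop
    }
    catch {
        # Keep the exception type and text so a permissions problem
        # can be told apart from a bad OU path or a duplicate name.
        [pscustomobject]@{
            SamAccountName = $row.samAccountName
            ParentOU       = $row.ParentOU
            ErrorType      = $_.Exception.GetType().FullName
            Message        = $_.Exception.Message
        }
    }
}

# 4. Save and show the failures so they can be posted or reviewed.
if ($failures) {
    $failures | Export-Csv -Path $logPath -NoTypeInformation
    $failures | Format-Table -AutoSize -Wrap
}
```

Run it as the engineer's account, not as a Domain Admin, so the recorded errors reflect the delegated rights.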