
What rights are necessary to enter a PSSession with a DC?


I want to switch 2 files in the SYSVOL Folder. For that I need to Invoke-Command a script on a Domain Controller from our schedule server.

# Pick a domain controller to run the copy on
$Server = Get-ADDomainController | select Name
# Run the file swap remotely on that DC
Invoke-Command -ComputerName $Server.Name -ScriptBlock {
    $Path   = "c:\Windows\SYSVOL\sysvol\domain.com\scripts\Folder"
    $Source = "$Path\backgrounddefault1.JPG"
    $trg    = "$Path\backgrounddefault.JPG"
    Copy-Item -Path $Source -Destination $trg -Force
}

However, if I do not promote the Service Account to Domain Admin, the script will get an access denied. Are there any other ways I could do this, or other groups that give him that specific right?


Solution

  • The group is called "Remote Management Users". Obviously, however, you'll also need permissions on the folder. Create a new group for those rights specifically, and make it a member of RMU. Make the service account a member of the new group. (Note that none of this is specific to DCs.)

    If you wanted to do this without changing any permissions on a Sysvol subdirectory, the cleanest thing I can think of would be to create a scheduled task on the DC running under local system that performs only this operation, and grant the service account permission to start this task. (There is no interface for this, but you can manipulate the SecurityDescriptor of what you get with Get-ScheduledTask; see this question, for example).

    If this task needs parameters/input, it gets trickier since you'll need to supply these in a file somehow. Because that task effectively has domain admin permissions, you'd have to take very good care to check your inputs and make sure the task has no exploitable vulnerabilities. Just tweaking the permissions on that one specific folder seems a lot easier and also safer to me.

    Last but not least, when performing operations like these it's always worth investigating if what you're trying to do can't be done with Group Policy somehow, because it leaves a clear statement of intent (and an audit trail).
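The least-privilege setup the answer recommends (a dedicated group nested in Remote Management Users, with Modify rights on just that one SYSVOL subfolder), written out as an added PowerShell example. This is not code from the question or the answer; it assumes the ActiveDirectory module is installed on the admin workstation and that it is run by an account allowed to create groups and change ACLs on the DC. The service account name, group name and domain name are placeholders.

```powershell
# Added example (not from the original question or answer).
# Assumes: ActiveDirectory module available, run as an account that can create
# AD groups and change ACLs on the DC. All names below are placeholders.

$Domain     = "domain.com"                                        # placeholder
$NetBIOS    = (Get-ADDomain).NetBIOSName
$Folder     = "C:\Windows\SYSVOL\sysvol\$Domain\scripts\Folder"   # folder from the question
$SvcAccount = "svc-wallpaper"                                     # placeholder service account
$GroupName  = "SYSVOL-Scripts-Folder-Modify"                      # placeholder group name
$DC         = (Get-ADDomainController).HostName

# 1. A dedicated group that carries exactly one right: modify that folder.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
    -Description "Modify rights on SYSVOL scripts\Folder only"

# 2. Nest it in the builtin group that permits WinRM / Enter-PSSession on the DC.
#    On a DC, "Remote Management Users" is a domain group in the Builtin container,
#    so Add-ADGroupMember addresses it by name. Then add the service account.
Add-ADGroupMember -Identity "Remote Management Users" -Members $GroupName
Add-ADGroupMember -Identity $GroupName -Members $SvcAccount

# 3. Grant Modify on the one folder (inherited to its files/subfolders), on the DC.
Invoke-Command -ComputerName $DC -ScriptBlock {
    param($Path, $Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
} -ArgumentList $Folder, "$NetBIOS\$GroupName"

# 4. Verify as the service account: the session must open, and a write to the
#    folder must succeed. Nothing here requires Domain Admin or local admin.
$cred = Get-Credential -UserName "$NetBIOS\$SvcAccount" -Message "Service account"
Invoke-Command -ComputerName $DC -Credential $cred -ScriptBlock {
    param($Path)
    $probe = Join-Path $Path ".acl-probe.tmp"
    New-Item -Path $probe -ItemType File -Force | Out-Null   # throws if Modify is missing
    Remove-Item -Path $probe -Force
    "OK: $(whoami) can write to $Path"
} -ArgumentList $Folder
```

The ACL change is made once on a DC and travels with SYSVOL replication, so the service account gets the same rights on every DC while holding no right anywhere else. Step 4 is the check worth repeating after any group-policy or ACL cleanup: if it fails with access denied, the problem is the folder ACL; if the session itself cannot be opened, the problem is the Remote Management Users membership.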