How to Launch Elevated PowerShell Session from CMD in Server 2012 (Minimal Server Interface)


2 views

When working with Windows Server 2012 in Minimal Server Interface mode, administrators often need to execute PowerShell commands with full elevation privileges. The standard Run as Administrator option isn't always sufficient for certain operations like Enable-ServerManagerStandardUserRemoting, which requires complete UAC elevation.

To truly elevate PowerShell from Command Prompt, use this sequence:

cmd /c "powershell -Command Start-Process powershell -Verb RunAs -ArgumentList '-NoExit -Command Enable-ServerManagerStandardUserRemoting -UserContoso\\Nick'"

The Enable-ServerManagerStandardUserRemoting cmdlet specifically requires full elevation to modify these security groups:

  • Event Log Readers
  • Performance Log Users
  • Performance Monitor Users

After execution, verify group membership with:

Get-ADPrincipalGroupMembership "Contoso\\Nick" | Select-Object Name

For servers where you frequently need elevated PS sessions, create a shortcut with this target:

%windir%\system32\WindowsPowerShell\v1.0\powershell.exe -NoExit -Command "Start-Process powershell -Verb RunAs"

If group additions still fail, check:

  1. Domain Controller connectivity
  2. AD replication status
  3. Account lockout policies

When working with Windows Server 2012 in Minimal Server Interface mode, administrators often need to execute PowerShell commands with full elevation. The standard method of right-clicking to "Run as Administrator" isn't available without the full GUI shell. Here's how to properly escalate privileges directly from the command line.

Running PowerShell as an administrator account isn't the same as running with full elevation. The Enable-ServerManagerStandardUserRemoting cmdlet requires true elevation to modify security groups. You'll know elevation isn't sufficient when:

  • Commands execute but don't produce expected results
  • Security group modifications fail silently
  • You receive "Access Denied" for local security operations
powershell -Command "Start-Process powershell -Verb RunAs -ArgumentList '-NoExit', '-Command', 'Enable-ServerManagerStandardUserRemoting -UserContoso\\AdminUser'"

Breaking this down:

  • -Verb RunAs triggers UAC elevation
  • -NoExit keeps the window open for inspection
  • The nested quotes properly pass arguments through both command layers

After running your command, always verify the security context:

whoami /priv | findstr /i "SeIncreaseQuotaPrivilege"

Look for enabled privileges like SeSecurityPrivilege and SeTakeOwnershipPrivilege that only appear in fully elevated sessions.

For automated deployments, create a scheduled task with highest privileges:

schtasks /create /tn "ElevatedPS" /sc ONCE /st 00:00 /ru SYSTEM /rl HIGHEST /tr "powershell -File C:\\scripts\\enable_remoting.ps1"
schtasks /run /tn "ElevatedPS"

If users still aren't being added to required groups after proper elevation, check:

Get-LocalGroupMember -Group "Server Manager Management" | Format-Table
Get-LocalGroupMember -Group "Performance Monitor Users" | Format-Table

These are the key groups that Enable-ServerManagerStandardUserRemoting should modify. If they're missing, the cmdlet may need additional parameters for your environment.