Answers to questions

Bot will have administrative access on server?

That depends on you. Service can work with non administrative restricted user account or with Active Directory Managed Service Account. However you must be sure that user will have Read\Write access to infrabot installed folder and access to run PowerShell.

But if Bot will not have administrative access, how it will be able to execute tasks which need administrative permissions?

You will have to configure it in your script or executable. You can perform any administrative tasks using credentials in your script. Example:

							#Administrative account
$CredentialUser = "DOMAIN\admin_user"
#Password
$CredentialPassword = ConvertTo-SecureString "my_strong_password" -AsPlainText -Force
#Creating Credential variable to pass to any command
$Credential = New-Object System.Management.Automation.PSCredential ($CredentialUser, $CredentialPassword)

#Now you can pass $Credential to any command
#For example invoke command on remote server using administrative account
Invoke-Command -ComputerName my_server -ScriptBlock { hostname } -Credential $Credential
							
						

Is infrabot safe?

Absolutely, but security depends on how will you configure it. If you want the safest option, then you have to configure telegram user access restrictions, use AD Managed Service account, switch to SignedAll powershell execution policy. Bot will execute commands only from specified by you users (see telegram_allowed_chats_id on Config Overview page).

But what about commands which bot can execute?

This also depends on you. Bot knows only those commands which are installed via plugins. You can create any plugin and give any functionality you want. If you delete .plug file of the appropriate command in plugins directory, that command will be deleted and will not be available for using, however there are several common default commands, which could not be deleted but could be turned off or given access to, using the configuration file.