Executing Powershell script specifying the user

Hello everyone,

I'd like to execute a Powershell script that creates a folder, but I need to run it with a specific user that has the right permissions. The idea is to execute the script in a way that resembles the "run as user:\ ..." in the cmd.

I made a process that executes the script, but I don't know how to recall the credentials that I stored as encrypted in the configuration parameters.

Can someone help me find a way?

Thank you in advance,

Lucrezia

  • Hi Lucrezia

    I am not sure which process component you are using in your process, but I assume you may be using a remote PS session to create the folder.

    PowershellComponentNet4 components provide a number of options to run Powershell commands and scripts, including ExecuteRemoteHostScript which already has remote PS session parameters in the component.

    It is the job server that executes the process step and can decrypt values using the private key. If encrypted parameter values are used, the job server needs to know which parameters to decrypt.

    The encrypted configuration parameter value can be passed into the process step and then the encrypted parameter needs to be marked as encrypted.

    hth 

  • Hi Steve,

    Unfortunately, this component is not the one we've been looking for, as we want to execute the script locally. We weren't able to find another component that takes a username and password as input but executes scripts locally. Do you know if one exists?

    Thank you for your answer,

    Lucrezia

  • I tried and I get the error:
    The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: [localhost] Connecting to remote server localhost failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x8009030e occurred while using Negotiate authentication: A specified logon session does not exist. It may already have been terminated.

    I must say remote script execution is not permitted in this architecture.

    Thank you,

    Lucrezia

    A not-so-elegant solution, just to get it working until somebody comes up with a better one:
    You could install a second JobService exclusively for this use case and configure the service logon account with the account you want to use.

    P.s. I hope Markus does not read this ;-)

  • Thank you Niels, but this way to set up the process is already a solution to not install a second Job Service... so this does not help me.

    I hope somebody comes up with another solution.

    Lucrezia

  • Hi Lucrezia

    OK, so this needs to be executed locally on the job server. Can I ask what version of OneIM you have? You said you have a process working, are you using the PowershellComponentNet4 - ExecuteScript task? Are you able to share the PS script that you are using?

    In the meantime, you might find this discussion useful. It is an old discussion but should still be relevant.

     RE: Decrypt value in process task "PowerShellComponent - Execute Script" 

    There is an option to create a script process step to decrypt the password and pass it as an OUT variable to your PS script. There are some disadvantages with this option as you see discussed in the link.

    There may also be an option to create a custom function from your code. You could then use the ExecuteCommand process task passing in the credentials using these parameters. This option would, most likely, be the most secure.

    Both of these options are discussed in the link.

    hth

  • Hi Steve,

    sorry for the late answer. Your link was very useful, now I'm trying to use the ExecuteCommand task as suggested by Markus, and fill the variables using the job parameters. 

    Now my issue is: how do I pass the parameters into the script? I have two parameters in the process step, called "Param_username" and "Param_password"; the latter is hidden and encrypted.

    For now, I'm trying with this script but I'm getting the error "The term is not recognized as a name of a cmdlet":

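    Imports System
    Imports System.Text                  ' StringBuilder is defined in System.Text
    Imports System.Collections.Generic
    Dim script As New StringBuilder()

    ' Line 1 of the generated PowerShell script: wrap the password ($args[0]) in a SecureString
    script.Append(String.Format("$$securepassword = ConvertTo-SecureString {0} -AsPlainText -Force", "$args[0]"))
    script.Append(Environment.NewLine)
    ' Line 2: build a PSCredential from the user name ($args[1]) and the SecureString
    script.AppendLine(String.Format("$$credential = New-Object System.Management.Automation.PSCredential -ArgumentList ({0}, $$securePassword)", "$args[1]"))

    ' The generated script text becomes the parameter value
    Value = script.ToString()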

  • Hi Lucrezia

    The code is creating a powershell script which is used in the ExecuteScript task and not in the ExecuteCommand task.

    In the ExecuteCommand task there is the Command parameter to enter a cmdlet or function.

    I do not know the Powershell commands that you want to execute but as indicated in the article you could create a custom Powershell function that addresses your requirement and then pass in the parameters to the function.

    If you are using the New-Item cmdlet then I think the -credential parameter is not supported.

    New-Item (Microsoft.PowerShell.Management) - PowerShell | Microsoft Learn

    hth

  • Hello,

    I created the function as you suggested, but where do I have to save it? Do I have to import it in any way? 
    I trivially saved it in a folder, but obviously OneIM doesn't know how to find it and returns the error "The term New-CustomerFolder is not recognized as the name of a cmdlet".

    Lucrezia
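
For the question of where the custom function can live, an added example (not part of the thread and not One Identity code): New-CustomerFolder packaged as a module file and creating the folder in a child process started under the given credential. Assumptions: the job server's PowerShell host auto-loads modules from $env:PSModulePath (standard PowerShell behaviour, not confirmed for OneIM on this page), the Job Service account is allowed to start a process as another user, and the module name, parameter names and the D:\Customers root are hypothetical.

```powershell
# CustomerFolder.psm1 -- constructed example, not from the thread.
# Assumed location: a "CustomerFolder" folder below a directory listed in
# $env:PSModulePath, so the function resolves by name without Import-Module.

function New-CustomerFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $UserName,
        # Hypothetical: the job server passes the decrypted value as a string.
        [Parameter(Mandatory)] [string] $Password
    )

    # Hypothetical allowed root; refuse anything that resolves outside of it.
    $root = 'D:\Customers'
    $full = [System.IO.Path]::GetFullPath($Path)
    if (-not $full.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
        throw "Path '$Path' is outside $root"
    }

    # Build the credential in memory; the password never becomes part of script text.
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ($UserName, $secure)

    # New-Item cannot take the credential, so it runs in a child process started
    # as $cred. -EncodedCommand (Base64 of UTF-16LE text) avoids argument quoting.
    $quoted  = $full.Replace("'", "''")
    $inner   = "try { New-Item -ItemType Directory -Path '$quoted' -ErrorAction Stop | Out-Null } catch { exit 1 }"
    $encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($inner))

    # A working directory the target user can read; the caller's may not be.
    $proc = Start-Process -FilePath 'powershell.exe' -Credential $cred `
        -ArgumentList '-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded `
        -WorkingDirectory $env:SystemRoot -Wait -PassThru

    if ($proc.ExitCode -ne 0) {
        throw "Folder creation as $UserName failed with exit code $($proc.ExitCode)"
    }
    return $full
}

Export-ModuleMember -Function New-CustomerFolder
```

How the ExecuteCommand task maps "Param_username" and "Param_password" onto the function's parameters is not shown on this page and has to be taken from the OneIM documentation.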