• State Verified Answer
  • Replies 18 replies
  • Subscribers 97 subscribers
  • Views 2350 views
  • Users 0 members are here
Options
Related

Executing Powershell script specifying the user

l tonelli
11 months ago

Hello everyone,

I'd like to execute a Powershell script that creates a folder, but I need to run it with a specific user that has the right permissions. The idea is to execute the script in a way that resembles the "run as user:\ ..." in the cmd.

I made a process that executes the script but I don't know how to recall the credentials, that I stored in the configuration parameters as encrypted.

Can someone help me find a way?

Thank you in advance,

Lucrezia

  • 0 10 months ago in reply to l tonelli

    Hi

    Yes, if you use the custom function option then it needs to be available in Powershell on the machine that you are using to execute the command.

    Slightly drifting into a Powershell configuration topic here.

    Powershell Functions are typically put inside a Powershell script module (psm1) so they can be called without knowing the physical location.

    If you are intending to put your function into a module, then you could install the custom module (Install-Module) or

    Import the module on your local machine (Import-Module). You could use a Powershell profile to import the custom module for each Powershell session.

    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-5.1

  • 0 10 months ago in reply to Steve.Knott

    Hello again Steve :)

    It seems like I'm proceeding but not reaching the objective. For now the code of my function is this.

    function New-HomeFolderMain

{

param(

[parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true)]

[ValidateNotNullOrEmpty()]

[String]$Username,

[parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true)]

[ValidateNotNullOrEmpty()]

[String]$Password
)

$SecurePassword = convertto-securestring -AsPlainText -Force -String $Password

$cred = New-object System.Management.Automation.PSCredential -ArgumentList($Username, $SecurePassword)

Invoke-Command -ComputerName localhost -Credential $cred ScriptBlog ${function:New-HomeFolder}

    In the function "New-HomeFolder" the domain controller is called and then a folder is created. The issue here is that the Active Directory domain is not found (command "Get-ADDomain"), while if I run it in the shell it finds the name of domain.

    I don't want to ask too many Powershell technical things, I was just wondering if this is the right way to call a function from One Identity? Is the credentials object working in the right way? Maybe One Identity is calling again the function with Local System Account?

    Thank you again,

    Lucrezia

  • 0 10 months ago in reply to l tonelli

    The Powershell command is started in the context of the Job Service, then it is started in the context of the user running the Job Service.

  • 0 10 months ago in reply to Markus Weiss-Ehlers

    Hello Markus,

    thanks for the answer. I checked the contexts and the function New-HomeFolder, called with Invoke-Command, is correctly invoked with the user I want (the one present in the $cred variable). 
    From the shell this user can retrieve the ADDomain, but when the script is called from One Identity it won't happen.

    What's the difference?

  • 0 10 months ago in reply to l tonelli

    I do not want to dive into details of PowerShell but the commands executed by invoke-command are executed on the remote server with the credentials you are specifying. But the AD management module is not imported in that session.

  • 0 10 months ago in reply to Markus Weiss-Ehlers

    My script contains the import of AD module (e.g. Import-Module ActiveDirectory)
    The problem here is that when the script is called from One Identity it won't read the domain, but when it's called from the shell it will; both operations done with the same credentials.

  • +1 10 months ago in reply to l tonelli

    Hi

    If you are using the powershell AD module then it sounds as though your use case is a bit more than your original post: "creating a folder on a localhost in the context of specific user." 

    Creating a folder "locally" under the context of a specific user is possible using the Invoke-command. I am not sure what commands you are running in your script.

    Maybe delving into PS a bit but for sure you need to have the modules available to the sessions and also I am not 100% sure you can use the localhost as the computer name when running AD module commands in a non interactive session.

    You could try using the domain controller FQDN. 

    function New-CustomFolder  
{
    
    param(
		    [parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true)][ValidateNotNullOrEmpty()][String]$User,
			[parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true)][ValidateNotNullOrEmpty()][String]$Password,
			[parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true)][ValidateNotNullOrEmpty()][String]$ScriptblockString
        )
			# credentials of the specific user
			$SecurePassword = convertto-securestring -AsPlainText -Force -String $Password
			$cred = New-object System.Management.Automation.PSCredential –ArgumentList ($User,$SecurePassword)	
			# convert the string into scriptblock
      		$Scriptblock = [scriptblock]::Create($ScriptblockString)
			# run the command in the scriptblock in the context of the specific user
    		Invoke-Command -ComputerName <domain controller FQDN> -Credential $Cred -ScriptBlock $Scriptblock
 }

  • 0 10 months ago in reply to Steve.Knott

    Hello Steve,

    this was the piece of information I was missing! I'm sorry for the misunderstanding, I have difficulties explaining as I know very little about these matters. With "locally" I meant that the script exists in the local machine and the call to the script has to happen locally (I was said remote execution is not permitted in this architecture). Probably I confused the concepts.

    All your feedbacks allowed me to find the solution, so, thank you all!

    Lucrezia