Elevate/De-elevate

Ask your PowerShell-related questions, including questions on cmdlet development!
Forum rules
Do not post any licensing information in this forum.

Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
This topic is 7 years and 1 month old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked
User avatar
syscouk89
Posts: 56
Last visit: Fri Aug 25, 2023 8:25 am

Elevate/De-elevate

Post by syscouk89 »

Hi,

I have a form which performs quite a few actions, one of which requires elevation. I've set the script to run as an elevated user, but another of the functions is to print a particular file - obviously this tries to run the print job as the RunAs user.

What would be the best way of running code as admin and non-admin selectively? I've tried to run the required code in a scriptblock Job with credentials but it doesn't function properly.

Thanks
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Elevate/De-elevate

Post by jvierra »

It is not possible in Windows to run a process as two different users. YOU could use a standard process to start a scheduled job and retrieve the data from the job for printing.
  1. $opt = New-ScheduledJobOption -RunElevated
  2. $job = Register-ScheduledJob -Credentialuserid -RunNow -ScriptBlock {....}  -ScheduledJobOption $opt
  3. $jobdata = $job | Wait-Job | Receive-Job
User avatar
syscouk89
Posts: 56
Last visit: Fri Aug 25, 2023 8:25 am

Re: Elevate/De-elevate

Post by syscouk89 »

Thanks for the reply. It's actually the other way around... the compiled exe will be running elevated but I will need to print as the local user.
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Elevate/De-elevate

Post by jvierra »

Why? Just print. You cannot execute an impersonated session as a normal user. You can allow a user to use other credentials to launch a session but that session cannot impersonate the launching user

Use a job to run the elevated session and retrieve the data for the user to print.
User avatar
syscouk89
Posts: 56
Last visit: Fri Aug 25, 2023 8:25 am

Re: Elevate/De-elevate

Post by syscouk89 »

If I print in the elevated EXE it runs the print dialog as the elevated user. The elevated user doesn't have that printer installed and we use print management to identify print jobs by user code so wouldn't work anyway.
User avatar
Alexander Riedel
Posts: 8478
Last visit: Tue Mar 26, 2024 8:52 am
Answers: 19
Been upvoted: 37 times

Re: Elevate/De-elevate

Post by Alexander Riedel »

Elevation is per process and determined before the process is even started. You cannot change elevation during runtime.
Since any other process you will launch from the elevate process will be elevated as well, I would suggest a starter process, running as a regular user.
This launches the elevated process, which saves the data needing to be printed. Once the elevated process terminates, you starter process can load the file and print it.
This is of course assuming this is a sequential process and not event controlled.
Alexander Riedel
SAPIEN Technologies, Inc.
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Elevate/De-elevate

Post by jvierra »

If the elevated process launches a program that prints then print it to a file that the normal users session can submit to the printer. Just save the print file to a common location.
This topic is 7 years and 1 month old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked