RunAs - Impersonate - Not Working As Expected

plautodfl
Posts: 24
Joined: Tue Apr 16, 2019 8:16 pm

RunAs - Impersonate - Not Working As Expected

Post by plautodfl » Mon Feb 03, 2020 3:04 pm

Product: PowerShell Studio 2020 (64 Bit)
Build: v5.7.172
OS: Windows 10 Enterprise (64 Bit)
Build: v10.0.17763.0


We are attempting to embed some credentials into a build.
When we use the script with the credentials, the action works as expected.
When we use impersonate User or RunAs user and embed the credentials, the action fails.
[Attached screenshot: 2020-02-03_17-02-03.jpg]

brittneyr
Site Admin
Posts: 306
Joined: Thu Jun 01, 2017 7:20 am

Re: RunAs - Impersonate - Not Working As Expected

Post by brittneyr » Mon Feb 03, 2020 4:37 pm

We will look into this and get back to you.
Brittney Ryn
SAPIEN Technologies, Inc.

Alexander Riedel
Posts: 7210
Joined: Tue May 29, 2007 4:43 pm

Re: RunAs - Impersonate - Not Working As Expected

Post by Alexander Riedel » Mon Feb 03, 2020 10:27 pm

"When we use impersonate User or RunAs user and embed the credentials, the action fails."
That is a little bit too vague. What does 'fails' mean? What is the error message or behavior specifically?
"When we use the script with the credentials, the action works as expected." Again, what does that mean? It requires a bit more explanation. How exactly do you use the "script with credentials"?

Most commonly, the expectation is that using impersonation or runas will get you from an unprivileged and restricted user to full elevated admin rights in one step.
That is however not how Windows works. Doing that requires two steps. First from unprivileged user to privileged user and THEN to elevated state of said user.
You cannot impersonate and elevate at the same time, as elevation is processed BEFORE a process that would use impersonation or runas is even started.

Please see also https://www.sapien.com/blog/2017/01/19/ ... nistrator/
Alexander Riedel
SAPIEN Technologies, Inc.

plautodfl
Posts: 24
Joined: Tue Apr 16, 2019 8:16 pm

Re: RunAs - Impersonate - Not Working As Expected

Post by plautodfl » Tue Feb 04, 2020 6:42 am

What we are trying to do:
We have just purchased 3k computers. The computers need to be renamed to meet our naming convention.
We have hired contractors with very limited Active Directory security permissions.

What we want to do is use PowerShell Studio to run the exe with embedded credentials that have the permissions to rename the computer and NOT give the contractor accounts these permissions.


Clarification of how we attempted this.

The action we are trying to accomplish: rename a computer
How we do this with PowerShell ISE:
Launch PowerShell ISE by right mouse click, RunAs another user: corp\privileged account.

Open the below script from a share-

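# Prompt for the current computer name and the service center code
$OldComputer = Read-Host "Old Computer Name"
$Location = Read-Host "What Service Center?"
# Use the last five characters of the BIOS serial number in the new name
$a = (Get-WmiObject -ComputerName $OldComputer -Class Win32_BIOS).SerialNumber
$SN = $a.Substring($a.Length - 5, 5)
Rename-Computer -ComputerName "$OldComputer" -NewName "LEN-$Location-$SN" -Force -Restart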

Result: The computer is renamed.

With PowerShell Studio:
Take the same script.
Take the same privileged account used above.
Set the options as in the screenshot below:
[Attached screenshot: 2020-02-03_17-02-03.jpg]
Using this method the computer is not renamed.
Using this method the error log says the account used does not have permission to rename the computer.
Runmode:
Impersonate User - Computer Not Renamed
RunAs User - Computer Not Renamed
Current User - Computer Not Renamed (This is expected as the account running the compiled exe would not have the permissions.)

Alexander Riedel
Posts: 7210
Joined: Tue May 29, 2007 4:43 pm

Re: RunAs - Impersonate - Not Working As Expected

Post by Alexander Riedel » Tue Feb 04, 2020 7:09 am

When you do a runas on the ISE it elevates.
You need a packaged script that does a runas with your credentials.
That way you get to "be" the other user.
That then launches the other packaged script, which renames your computers. That second script needs to be packaged with an elevation manifest.
Alexander Riedel
SAPIEN Technologies, Inc.
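
The two-step sequence described in the replies above, sketched as an added example in plain PowerShell (it is not SAPIEN's packager output and not code from the thread). The function names and the worker script path are hypothetical, and the credential is prompted for at run time rather than embedded.

```powershell
# Added example: names and paths below are hypothetical.
$RenameScript = 'C:\Deploy\Rename-Worker.ps1'   # hypothetical second-stage script

function Test-IsElevated {
    # True only when the current process holds the elevated administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-AsUserThenElevate {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $ScriptPath
    )

    # Start-Process keeps -Credential and -Verb in different parameter sets,
    # so a single call cannot both switch user and request elevation.

    # Step 2 (runs inside the intermediate process, already as the other user):
    # ask for elevation of the worker script. This goes through UAC.
    $inner = "Start-Process powershell.exe -Verb RunAs " +
             "-ArgumentList '-NoProfile -File `"$ScriptPath`"'"

    # Encode the inner command as UTF-16LE base64 so its quotes survive
    # the trip through the intermediate command line unchanged.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))

    # Step 1: become the other user. The working directory must be one the
    # target account can read, otherwise process creation fails.
    Start-Process powershell.exe -Credential $Credential `
        -WorkingDirectory $env:SystemRoot `
        -ArgumentList '-NoProfile', '-EncodedCommand', $encoded
}

# In the worker script, stop early if step 2 did not produce an elevated token:
#   if (-not (Test-IsElevated)) { throw 'Worker is not elevated; aborting.' }

# Launch: prompts for the privileged account instead of storing it on disk.
Start-AsUserThenElevate -Credential (Get-Credential) -ScriptPath $RenameScript
```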