To help you better we need some information from you.
*** Please fill in the fields below. If you leave fields empty or specify 'latest' rather than the actual version your answer will be delayed as we will be forced to ask you for this information. ***
Product: PowerShell Studio 2020 (64 Bit)
Build: v5.7.172
OS: Windows 10 Enterprise (64 Bit)
Build: v10.0.17763.0
*** Please add details and screenshots as needed below. ***
We are attempting to embed some credentials into a build.
When we use the script with the credentials, the action works as expected.
When we use impersonate User or RunAs user and embed the credentials, the action fails.
DO NOT POST LICENSES, KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM
RunAs - Impersonate - Not Working As Expected
Forum rules
DO NOT POST LICENSE NUMBERS, ACTIVATION KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM.
Only the original author and our tech personnel can reply to a topic that is created in this forum. If you find a topic that relates to an issue you are having, please create a new topic and reference the other in your post.
Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
DO NOT POST LICENSE NUMBERS, ACTIVATION KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM.
Only the original author and our tech personnel can reply to a topic that is created in this forum. If you find a topic that relates to an issue you are having, please create a new topic and reference the other in your post.
Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
Re: RunAs - Impersonate - Not Working As Expected
We will look into this and get back to you.
Brittney
SAPIEN Technologies, Inc.
SAPIEN Technologies, Inc.
- Alexander Riedel
- Posts: 8488
- Last visit: Tue Apr 16, 2024 8:42 am
- Been upvoted: 37 times
Re: RunAs - Impersonate - Not Working As Expected
"When we use impersonate User or RunAs user and embed the credentials, the action fails."
That is a little bit too vague. What does 'fails' mean? What is the error message or behavior specifically?
"When we use the script with the credentials, the action works as expected." Again, what does that mean? It requires a bit more explanation. How exactly do you use the "script with credentials"?
Most commonly, the expectation is that using impersonation or runas will get you from an unprivileged and restricted user to full elevated admin rights in one step.
That is however not how Windows works. Doing that requires two steps. First from unprivileged user to privileged user and THEN to elevated state of said user.
You cannot impersonate and elevate at the same time, as elevation is processed BEFORE a process that would use impersonation or runas is even started.
Please see also https://www.sapien.com/blog/2017/01/19/ ... nistrator/
That is a little bit too vague. What does 'fails' mean? What is the error message or behavior specifically?
"When we use the script with the credentials, the action works as expected." Again, what does that mean? It requires a bit more explanation. How exactly do you use the "script with credentials"?
Most commonly, the expectation is that using impersonation or runas will get you from an unprivileged and restricted user to full elevated admin rights in one step.
That is however not how Windows works. Doing that requires two steps. First from unprivileged user to privileged user and THEN to elevated state of said user.
You cannot impersonate and elevate at the same time, as elevation is processed BEFORE a process that would use impersonation or runas is even started.
Please see also https://www.sapien.com/blog/2017/01/19/ ... nistrator/
Alexander Riedel
SAPIEN Technologies, Inc.
SAPIEN Technologies, Inc.
Re: RunAs - Impersonate - Not Working As Expected
What we are trying to do:
We have just purchased 3k computers. The computers need to be renamed to meet our naming convention.
We have hired contractors with very limited Active Directory security permissions.
What we want to do is use Powershell Studio to run the exe with embedded credentials that have the permissions to rename the computer and NOT give the contractor accounts these permissions.
Clarification oh now we attempted this.
The action we are trying to accomplish: rename a computer
How we dos this with Powershell ISE:
Launch Powershell ISE by right mouse click runAs another user corp\privledged account.
Open the below script from a share-
$OldComputer=Read-Host "Old Computer Name"
$Location=Read-Host "What Service Center?"
$a=(Get-WmiObject -computer $OldComputer -class win32_bios).serialnumber
$SN=$a.substring($a.length - 5, 5)
Rename-computer –computername “$OldComputer” –newname “LEN-$location-$SN” –force –restart
Result: The computer is renamed.
With Powershell Studio:
Take the same script:
Take the same Privileged Account used above:
Set the Below screenshot: Using this method the computer is not renamed.
Using this method the error log says the account used does not have permission to rename the computer.
Runmode:
Impersonate User - Computer Not Renamed
RunAs User - Computer Not Renamed
Current User - Computer Not Renamed (This is expected as the account running the compiled exe would not have the permissions.
We have just purchased 3k computers. The computers need to be renamed to meet our naming convention.
We have hired contractors with very limited Active Directory security permissions.
What we want to do is use Powershell Studio to run the exe with embedded credentials that have the permissions to rename the computer and NOT give the contractor accounts these permissions.
Clarification oh now we attempted this.
The action we are trying to accomplish: rename a computer
How we dos this with Powershell ISE:
Launch Powershell ISE by right mouse click runAs another user corp\privledged account.
Open the below script from a share-
$OldComputer=Read-Host "Old Computer Name"
$Location=Read-Host "What Service Center?"
$a=(Get-WmiObject -computer $OldComputer -class win32_bios).serialnumber
$SN=$a.substring($a.length - 5, 5)
Rename-computer –computername “$OldComputer” –newname “LEN-$location-$SN” –force –restart
Result: The computer is renamed.
With Powershell Studio:
Take the same script:
Take the same Privileged Account used above:
Set the Below screenshot: Using this method the computer is not renamed.
Using this method the error log says the account used does not have permission to rename the computer.
Runmode:
Impersonate User - Computer Not Renamed
RunAs User - Computer Not Renamed
Current User - Computer Not Renamed (This is expected as the account running the compiled exe would not have the permissions.
- Alexander Riedel
- Posts: 8488
- Last visit: Tue Apr 16, 2024 8:42 am
- Been upvoted: 37 times
Re: RunAs - Impersonate - Not Working As Expected
When you do a runas on the ISE it elevates.
You need a packaged script that does a runas with your credentials.
That way you get to "be" the other user.
That then launches the other packaged script, which renames your computers. That second script needs to be packaged with an elevation manifest.
You need a packaged script that does a runas with your credentials.
That way you get to "be" the other user.
That then launches the other packaged script, which renames your computers. That second script needs to be packaged with an elevation manifest.
Alexander Riedel
SAPIEN Technologies, Inc.
SAPIEN Technologies, Inc.