Powershell Studio: run specific command (safely) with other account?

Powershell Studio: run specific command (safely) with other account?

Post by stevens » Fri Sep 08, 2017 12:34 pm

Product, version and build: 5.4.136
32 or 64 bit version of product: 64
Operating system: W2K12R2
32 or 64 bit OS: 64

Hi,

I have this form with some simple tools used by helpdesk.
Now I'd need to query a SQL database in a function of the form, but helpdesk doesn't have the rights to do so. How can I (safely) run this command without putting the password cleartext in the original code?

Thanks for your advice.
J.

Re: Powershell Studio: run specific command (safely) with other account?

Post by davidc » Fri Sep 08, 2017 1:22 pm

[TOPIC MOVED TO POWERSHELL GUIS FORUM]

Is the database accessed via Windows Authentication or a SQL username / password?

If you use Windows Authentication, you could package the script into an executable that uses alternate credentials.
David
SAPIEN Technologies, Inc.

Re: Powershell Studio: run specific command (safely) with other account?

Post by stevens » Mon Sep 11, 2017 3:09 am

It's a Windows account. However, the rest of my form just should NOT use this account, so I cannot set it in the exe (when creating it).

Re: Powershell Studio: run specific command (safely) with other account?

Post by jvierra » Mon Sep 11, 2017 8:05 am

There is really no way to do what you ask. A Process cannot be run in two different user contexts.

You can run a Job from the form that runs under alternate credentials.

Re: Powershell Studio: run specific command (safely) with other account?

Post by pdearmen » Tue Sep 12, 2017 7:21 am

I've been in your shoes before - my instance was I had a set of commands that had to run under different user accounts depending on the domain being interacted with - and the main form had to run as the logged in user. This also included interacting with SQL databases.

A workable way would be to take the bit of code that interacts with the SQL database and package that as an exe running under the necessary Windows account - and the main form runs only under the standard user account. This limits what can be done with this other account. Just pass in the data you need as parameters to the background exe. Getting the data back to the form is a little more tricky - but there are a few ways to do that as well. I ended up needing to return objects, so I exported the information as a clixml file, with a standard naming convention based on username and function so that the person running the script would always get their file back. I didn't have to worry about sensitive information being returned, so this worked - if you do have to worry about information being returned that shouldn't be stored in plain text, then you will need to figure out a different method for getting the data back.
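The helper pattern described in the post above, sketched as an added example that is not part of the original thread or the poster's code: a separate script, meant to be packaged and run under the account with database rights, that accepts only validated parameters, runs one fixed parameterized query, and returns the result as a clixml file named after the requester and function. The server, database, table, column, folder and parameter names are assumptions, as is passing the values through a `param` block.

```powershell
# QueryHelper.ps1 - hypothetical helper, packaged separately from the form and
# run under the Windows account that has database rights. All names are assumed.
param(
    # Both values end up in a file name or a query, so restrict them tightly
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,64}$')]
    [string]$Requester,
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
    [string]$ComputerName
)

$function = 'GetAsset'   # fixed: the helper does one task, not arbitrary SQL
$outDir   = 'C:\ProgramData\HelpdeskTool\Results'   # assumed result folder
$outFile  = Join-Path $outDir ('{0}_{1}.clixml' -f $Requester, $function)

# Windows Authentication: the connection uses the identity the helper runs
# under, so no password appears anywhere in this script.
$connString = 'Server=SQL01;Database=Inventory;Integrated Security=SSPI'
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # Query text is constant; caller data is bound as a typed parameter only
    $cmd.CommandText = 'SELECT Name, Owner, Location FROM dbo.Assets WHERE Name = @name'
    [void]$cmd.Parameters.Add('@name', [System.Data.SqlDbType]::NVarChar, 15)
    $cmd.Parameters['@name'].Value = $ComputerName

    $table  = New-Object System.Data.DataTable
    $reader = $cmd.ExecuteReader()
    $table.Load($reader)
}
finally {
    $conn.Dispose()
}

# Convert rows to plain objects so the form gets simple, serializable data
$rows = foreach ($r in $table.Rows) {
    [pscustomobject]@{ Name = $r.Name; Owner = $r.Owner; Location = $r.Location }
}
$rows | Export-Clixml -Path $outFile

# Form side (standard user), after the helper has finished:
#   $result = Import-Clixml -Path (Join-Path $outDir "$($env:USERNAME)_GetAsset.clixml")
```

The result file is plain CLIXML, so this return path only suits data that is not sensitive, which is the limitation the post itself notes.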

Re: Powershell Studio: run specific command (safely) with other account?

Post by stevens » Wed Sep 13, 2017 5:12 am

Thanks, so the bottom line is: use jobs(?)

Re: Powershell Studio: run specific command (safely) with other account?

Post by pdearmen » Wed Sep 13, 2017 9:03 am

Jobs or packaged separate exe files - either one will get what you want. One consideration with using jobs - make sure not to store the password in plain text in the script. With script logging or transcription - that will be exposed.

Re: Powershell Studio: run specific command (safely) with other account?

Post by stevens » Wed Sep 13, 2017 9:18 am

Separate exe files will complicate it for me, I guess.
Jobs is a bit more familiar :-). About storing the password encrypted, could you give advice on how to do that the best way?

Re: Powershell Studio: run specific command (safely) with other account?

Post by jvierra » Wed Sep 13, 2017 10:31 am

There is no safe way to store an Admin password in a user session. If a user can use a password then they can decode the password. Using an EXE package uses a different form of encrypting to hide the password making it much more difficult for a user or any code running in a user session to decode the password.

Re: Powershell Studio: run specific command (safely) with other account?

Post by stevens » Wed Sep 13, 2017 12:20 pm

Ok, I'll then have to figure out how to make that exe work.
