Page 1 of 1

Powershell Studio: run specific command (safely) with other account?

Posted: Fri Sep 08, 2017 12:34 pm
by stevens
To help you better we need some information from you.

*** Please fill in the fields below. If you leave fields empty or specify 'latest' rather than the actual version your answer will be delayed as we will be forced to ask you for this information. ***

Product, version and build: 5.4.136
32 or 64 bit version of product: 64
Operating system: W2K12R2
32 or 64 bit OS: 64

*** Please add details and screenshots as needed below. ***

DO NOT POST SUBSCRIPTIONS, KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM

Hi,

I have this form with some simple tools used by helpdesk.
Now I'd need to query a SQL database in a function of the form, but helpdesk doesn't have the rights to do so. How can I (safely) run this command without putting the password cleartext in the original code?

Thanks for your advise.
J.

Re: Powershell Studio: run specific command (safely) with other account?

Posted: Fri Sep 08, 2017 1:22 pm
by davidc
[TOPIC MOVED TO POWERSHELL GUIS FORUM]

Is the database accessed via Windows Authentication or a SQL username / password?

If you use Windows Authentication, you could package the script into an executable that uses alternate credentials.

Re: Powershell Studio: run specific command (safely) with other account?

Posted: Mon Sep 11, 2017 3:09 am
by stevens
It's a windows account. However, the rest of my form just should NOT use this account so I cannot set it in the exe (when creating it).

Re: Powershell Studio: run specific command (safely) with other account?

Posted: Mon Sep 11, 2017 8:05 am
by jvierra
There is really no way to do what you ask. A Process cannot be run in two different user contexts.

You can run a Job from the form that runs under alternate credentials.

Re: Powershell Studio: run specific command (safely) with other account?

Posted: Tue Sep 12, 2017 7:21 am
by pdearmen
I've been in your shoes before - my instance was I had a set of commands that had to run under different user accounts depending on the domain being interacted with - and the main form had to run as the logged in user. This also included interacting with SQL databases.

A workable way would to take the bit of code that interacts with the sql database and package that as an exe running under the necessary windows account - and the main form runs only under the standard user account. This limits what can be done with this other account. Just pass in the data you need as parameters to the background exe. Getting the data back to the form is a little more tricky - but there are a few ways to do that as well. I ended up needing to return objects so I exported the information as a clixml file, with a standard naming convention based on username and function so that the person running the script would always get their file back. I didn't have to worry about sensitive information being returned so this worked - if you do have to worry about information being returned that shouldn't be stored in plain text then you will need to figure out a different method for getting the data back.

Re: Powershell Studio: run specific command (safely) with other account?

Posted: Wed Sep 13, 2017 5:12 am
by stevens
Thanks, so bottomline is: use jobs(?)

Re: Powershell Studio: run specific command (safely) with other account?

Posted: Wed Sep 13, 2017 9:03 am
by pdearmen
jobs or packaged separate exe files - either one will get what you want. One consideration with using jobs - make sure not to store the password in plain text in the script. With script logging or transcription - that will be exposed.

Re: Powershell Studio: run specific command (safely) with other account?

Posted: Wed Sep 13, 2017 9:18 am
by stevens
Seperate exe files will complicate it for me, I guess.
Jobs is a bit more familiar :-). About storing password encrypted, could you give advise on howto do that the best way?

Re: Powershell Studio: run specific command (safely) with other account?

Posted: Wed Sep 13, 2017 10:31 am
by jvierra
There is no safe way to store an Admin password in a user session. If a user can use a password then they can decode the password. Using an EXE package uses a different form of encrypting to hide the password making it much more difficult for a user or any code running in a user session to decode the password.

Re: Powershell Studio: run specific command (safely) with other account?

Posted: Wed Sep 13, 2017 12:20 pm
by stevens
Ok, I'll have then to figure out how to make that exe work.