How to use 'Run As Specified User' credentials in my script further ?

Posted: Thu Feb 11, 2016 10:53 am
by ashish44s
Hi All,

Greetings !!!

I'm using PowerShell Studio 2012 to create one tool to perform different administrative tasks. I do not want to run the output tool.exe as an administrator. I want to run that as 'Run As Different User' and provide credentials at that time. Also, I want to use those credentials further in my script to perform several tasks on remote computers without providing them again and again during run-time.

Can you please help to suggest a method to do that ?

Thanks...

Re: How to use 'Run As Specified User' credentials in my script further ?

Posted: Fri Feb 19, 2016 2:08 am
by pringtef
Hey Ashish44,

Local script actions will run in the context of the user you have selected to run the executable. However, in order to use credentials remotely, you will need to pass in a pscredential object.

Windows does not store the actual username and password, but a hash, so you're unable to manually 'grab' these to convert into a pscredential object.

If you create a credential object once in your script though, this can be stored and used for any of your remote processes, using the -credential parameter.

Here's a function I've written that you can use to return a pscredential object. To use it, you just need to do something like this:

$mycredentialobject = new-credential -username 'my username' -password 'my password'

And then you are free to use $mycredentialobject as you wish for remote sessions. Remember to set the scope accordingly though.


function New-Credential
{
    [CmdletBinding()]

    Param
    (
        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Username,
        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Password
    )

    Process
    {
        # Convert the plain-text password to a SecureString, as PSCredential requires
        $secpasswd = ConvertTo-SecureString -String $Password -AsPlainText -Force
        $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Username, $secpasswd)
        # Return the credential object to the caller
        $credential
    }
}

Re: How to use 'Run As Specified User' credentials in my script further ?

Posted: Fri Feb 19, 2016 2:26 am
by jvierra
If you start an EXE with alternate credentials you will be able to access any remote resource that the alternate user has access to. There is no need to supply credentials. Windows authentication handles all of that. What you cannot do is use alternate credentials to remote with WMI to the current host.

Example:

PS C:\scripts> gwmi win32_bios -ComputerName alpha -Credential alpha\admin
gwmi : User credentials cannot be used for local connections
At line:1 char:1
+ gwmi win32_bios -ComputerName alpha -Credential alpha\admin

Re: How to use 'Run As Specified User' credentials in my script further ?

Posted: Fri Feb 19, 2016 2:40 am
by pringtef
Also depends on the authentication model you need to use though as well. Double hop will require CredSSP authentication, which requires a cred object.

Re: How to use 'Run As Specified User' credentials in my script further ?

Posted: Fri Feb 19, 2016 2:48 am
by jvierra
pringtef wrote: Also depends on the authentication model you need to use though as well. Double hop will require CredSSP authentication, which requires a cred object.
True, but the question is how to run all of the code under alternate credentials without reentering credentials. SSP should not be used in a domain without paying strict attention to securing all systems configured to use SSP. It passes credentials around and exposes them. Standard authentication (Kerberos) does NOT pass credentials around. This is why CredSSP is not configured by default. It is riskier.

Re: How to use 'Run As Specified User' credentials in my script further ?

Posted: Fri Feb 19, 2016 2:53 am
by pringtef
Agree. :-)

Re: How to use 'Run As Specified User' credentials in my script further ?

Posted: Fri Feb 19, 2016 8:18 am
by ashish44s
Thank you for all the helpful replies. Those are really good references.

I'm launching the EXE by just double-clicking, and in the script I've defined a global $cred variable that I'm using/calling throughout the whole script. It's serving my purpose for now and I haven't come across any issue yet :)

Re: How to use 'Run As Specified User' credentials in my script further ?

Posted: Fri Feb 19, 2016 12:44 pm
by dan.potter
Just a thought. Use splatting to add or exclude the credentials parameter on command.

Put a checkbox on the form for alternate creds to be used or not. Set your options based on that checkbox.

Not actual code:

if ($checkbox.Checked) { $options = @{ForegroundColor = 'green'} } else { $options = @{} }

Write-Host 'options' @options

Re: How to use 'Run As Specified User' credentials in my script further ?

Posted: Fri Feb 19, 2016 12:51 pm
by dan.potter
Hopefully a better explanation.

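$options = @{Credential = $cred}   # alternate credentials requested

Get-ADUser someone @options        # runs as: Get-ADUser someone -Credential $cred

$options = @{}                     # no alternate credentials

Get-ADUser someone @options        # runs as: Get-ADUser someone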
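
An added example, not code from any poster in this thread: it combines the approaches discussed above (a PSCredential created once, kept in script scope, and splatted only when needed), prompting with Get-Credential instead of passing a plain-text password and leaving out -Credential for the local host, where WMI rejects it. The function names Get-CachedCredential and Get-RemoteOptions and the computer names are hypothetical.

```powershell
# Added example: prompt once, keep the PSCredential in script scope, and splat it
# only where it is valid. Function and computer names are hypothetical.

$script:Cred = $null   # cached for the lifetime of the tool

function Get-CachedCredential {
    # Prompts once; the password is held as a SecureString and never
    # appears as plain text in the script or on a command line.
    if (-not $script:Cred) {
        $script:Cred = Get-Credential -Message 'Account for remote administration'
    }
    $script:Cred
}

function Get-RemoteOptions {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [bool] $UseAlternateCredential = $true   # e.g. bound to $checkbox.Checked
    )
    $options = @{ ComputerName = $ComputerName }
    # WMI rejects -Credential for the local host ("User credentials cannot be
    # used for local connections"), so leave it out for local targets.
    $localNames = @($env:COMPUTERNAME, 'localhost', '.', '127.0.0.1')
    if ($UseAlternateCredential -and ($localNames -notcontains $ComputerName)) {
        $options.Credential = Get-CachedCredential
    }
    $options
}

foreach ($computer in 'alpha', 'beta', $env:COMPUTERNAME) {   # hypothetical hosts
    $options = Get-RemoteOptions -ComputerName $computer
    # Splatting adds -Credential only when the hashtable contains it
    Get-WmiObject -Class Win32_BIOS @options |
        Select-Object PSComputerName, Manufacturer, SMBIOSBIOSVersion
}
```

Get-WmiObject is used to match the gwmi call earlier in the thread; the same splatted hashtable works with other cmdlets that accept -ComputerName and -Credential.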