Hi All,
Greetings !!!
I'm using PowerShell Studio 2012 to create one tool to perform different administrative tasks. I do not want to run the output tool.exe as an administrator. I want to run that as 'Run As Different User' and provide credentials at that time. Also, I want to use those credentials further in my script to perform several tasks on remote computers without providing them again and again during run-time.
Can you please help to suggest a method to do that ?
Thanks...
How to use 'Run As Specified User' credentials in my script further ?
Forum rules
Do not post any licensing information in this forum.
Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
Do not post any licensing information in this forum.
Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
Re: How to use 'Run As Specified User' credentials in my script further ?
Hey Ashish44,
Local script actions will run in the context of the user you have selected to run the executable. However, in order to use credentials remotely, you will need to pass in a pscredential object.
windows does not store the actual username and password, but a hash, so you're unable to manually 'grab' these to convert into a pscredential object.
If you create a credential object once in your script though, this can be stored and used for any of your remote processes, using the -credential parameter.
Here's a function i've written that you can use to return a pscredential object. For using it, you just need to do something like this :
$mycredentialobject = new-credential -username 'my username' -password 'my password'
And then you are free to use $mycredentialobject as you wish for remote sessions. Remember to set the scope accordingly though.
function New-Credential
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Username,
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Password
)
Process
{
$secpasswd = ConvertTo-SecureString -String $Password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Username, $secpasswd)
$credential
}
}
[/pre]
Local script actions will run in the context of the user you have selected to run the executable. However, in order to use credentials remotely, you will need to pass in a pscredential object.
windows does not store the actual username and password, but a hash, so you're unable to manually 'grab' these to convert into a pscredential object.
If you create a credential object once in your script though, this can be stored and used for any of your remote processes, using the -credential parameter.
Here's a function i've written that you can use to return a pscredential object. For using it, you just need to do something like this :
$mycredentialobject = new-credential -username 'my username' -password 'my password'
And then you are free to use $mycredentialobject as you wish for remote sessions. Remember to set the scope accordingly though.
function New-Credential
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Username,
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Password
)
Process
{
$secpasswd = ConvertTo-SecureString -String $Password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Username, $secpasswd)
$credential
}
}
[/pre]
Re: How to use 'Run As Specified User' credentials in my script further ?
If you start an EXE with alternate credentials you will be able to access any remote resource that the alternate user has access to. There I so need to supply credentials. Windows authentication handles all of that. What you cannot do is use alternate credentials to remote with WMI to the current host.
Example:
PS C:\scripts> gwmi win32_bios -ComputerName alpha -Credential alpha\admin
gwmi : User credentials cannot be used for local connections
At line:1 char:1
+ gwmi win32_bios -ComputerName alpha -Credential alpha\admin
Example:
PS C:\scripts> gwmi win32_bios -ComputerName alpha -Credential alpha\admin
gwmi : User credentials cannot be used for local connections
At line:1 char:1
+ gwmi win32_bios -ComputerName alpha -Credential alpha\admin
Re: How to use 'Run As Specified User' credentials in my script further ?
Also depends on the authentication model you need to use though as well. Double hop will require CredSSP authentication, which requires a cred object.
Re: How to use 'Run As Specified User' credentials in my script further ?
Try but the question is how to run all of the code under alternate credentials without reentering credentials. SSP should not be used in a domain without paying strict attention to securing all systems configured to use SSP. It passes credentials around and exposed them. Standard authentication (Kerberos) does NOT pass credentials around. This is why CredSSP is not configured by default. It I riskier.pringtef wrote:Also depends on the authentication model you need to use though as well. Double hop will require CredSSP authentication, which requires a cred object.
Re: How to use 'Run As Specified User' credentials in my script further ?
Thank you for all the helpful reply. Those are really good reference.
I'm launching EXE by just double-click and in script I've defined a global $cred variable and using/calling the same in whole script. It's solving my purpose for now and I didn't come across any issue yet
I'm launching EXE by just double-click and in script I've defined a global $cred variable and using/calling the same in whole script. It's solving my purpose for now and I didn't come across any issue yet
- dan.potter
- Posts: 709
- Last visit: Wed Nov 14, 2018 11:39 am
Re: How to use 'Run As Specified User' credentials in my script further ?
Just a thought. Use splatting to add or exclude the credentials parameter on command.
put a checkbox on the form for alternate creds to be used or not. Set your options based on that checkbox.
not actual code: if($checkbox.checked){$options = @{foregroundcolor = 'green'}}else{$options = @{}}
write-host 'options' @$options
put a checkbox on the form for alternate creds to be used or not. Set your options based on that checkbox.
not actual code: if($checkbox.checked){$options = @{foregroundcolor = 'green'}}else{$options = @{}}
write-host 'options' @$options
Last edited by dan.potter on Fri Feb 19, 2016 12:51 pm, edited 1 time in total.
- dan.potter
- Posts: 709
- Last visit: Wed Nov 14, 2018 11:39 am
Re: How to use 'Run As Specified User' credentials in my script further ?
Hopefully a better explanation.
$options = @{credential = $cred}
write-host get-aduser someone @options
$options = @{}
write-host get-aduser someone @options
$options = @{credential = $cred}
write-host get-aduser someone @options
$options = @{}
write-host get-aduser someone @options