How to use 'Run As Specified User' credentials in my script further ?

This topic is 8 years and 1 month old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked
ashish44s
Posts: 17
Last visit: Wed May 03, 2017 4:05 pm

How to use 'Run As Specified User' credentials in my script further ?

Post by ashish44s »

Hi All,

Greetings !!!

I'm using PowerShell Studio 2012 to create one tool to perform different administrative tasks. I do not want to run the output tool.exe as an administrator. I want to run that as 'Run As Different User' and provide credentials at that time. Also, I want to use those credentials further in my script to perform several tasks on remote computers without providing them again and again during run-time.

Can you please help to suggest a method to do that ?

Thanks...
pringtef
Posts: 45
Last visit: Mon Sep 23, 2019 11:00 am

Re: How to use 'Run As Specified User' credentials in my script further ?

Post by pringtef »

Hey Ashish44,

Local script actions will run in the context of the user you have selected to run the executable. However, in order to use credentials remotely, you will need to pass in a pscredential object.

Windows does not store the actual username and password, but a hash, so you're unable to manually 'grab' these to convert into a pscredential object.

If you create a credential object once in your script though, this can be stored and used for any of your remote processes, using the -credential parameter.

Here's a function I've written that you can use to return a pscredential object. For using it, you just need to do something like this:

$mycredentialobject = new-credential -username 'my username' -password 'my password'

And then you are free to use $mycredentialobject as you wish for remote sessions. Remember to set the scope accordingly though.


function New-Credential
{
    [CmdletBinding()]

    Param
    (
        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Username,
        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Password
    )

    Process
    {
        # Convert the plain-text password to a SecureString, then wrap it in a PSCredential
        $secpasswd = ConvertTo-SecureString -String $Password -AsPlainText -Force
        $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Username, $secpasswd)
        # Emit the credential object to the pipeline
        $credential
    }

}
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: How to use 'Run As Specified User' credentials in my script further ?

Post by jvierra »

If you start an EXE with alternate credentials you will be able to access any remote resource that the alternate user has access to. There is no need to supply credentials. Windows authentication handles all of that. What you cannot do is use alternate credentials to remote with WMI to the current host.

Example:

PS C:\scripts> gwmi win32_bios -ComputerName alpha -Credential alpha\admin
gwmi : User credentials cannot be used for local connections
At line:1 char:1
+ gwmi win32_bios -ComputerName alpha -Credential alpha\admin
pringtef
Posts: 45
Last visit: Mon Sep 23, 2019 11:00 am

Re: How to use 'Run As Specified User' credentials in my script further ?

Post by pringtef »

Also depends on the authentication model you need to use though as well. Double hop will require CredSSP authentication, which requires a cred object.
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: How to use 'Run As Specified User' credentials in my script further ?

Post by jvierra »

pringtef wrote:Also depends on the authentication model you need to use though as well. Double hop will require CredSSP authentication, which requires a cred object.
True, but the question is how to run all of the code under alternate credentials without reentering credentials. SSP should not be used in a domain without paying strict attention to securing all systems configured to use SSP. It passes credentials around and exposes them. Standard authentication (Kerberos) does NOT pass credentials around. This is why CredSSP is not configured by default. It is riskier.
pringtef
Posts: 45
Last visit: Mon Sep 23, 2019 11:00 am

Re: How to use 'Run As Specified User' credentials in my script further ?

Post by pringtef »

Agree. :-)
ashish44s
Posts: 17
Last visit: Wed May 03, 2017 4:05 pm

Re: How to use 'Run As Specified User' credentials in my script further ?

Post by ashish44s »

Thank you for all the helpful replies. Those are really good references.

I'm launching the EXE by just double-clicking, and in the script I've defined a global $cred variable and am using/calling the same in the whole script. It's solving my purpose for now and I haven't come across any issue yet :)
dan.potter
Posts: 709
Last visit: Wed Nov 14, 2018 11:39 am

Re: How to use 'Run As Specified User' credentials in my script further ?

Post by dan.potter »

Just a thought. Use splatting to add or exclude the credentials parameter on command.

Put a checkbox on the form for alternate creds to be used or not. Set your options based on that checkbox.

not actual code: if($checkbox.checked){$options = @{foregroundcolor = 'green'}}else{$options = @{}}

write-host 'options' @options
Last edited by dan.potter on Fri Feb 19, 2016 12:51 pm, edited 1 time in total.
dan.potter
Posts: 709
Last visit: Wed Nov 14, 2018 11:39 am

Re: How to use 'Run As Specified User' credentials in my script further ?

Post by dan.potter »

Hopefully a better explanation.

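# Splat the credential: the command runs with -Credential $cred
$options = @{credential = $cred}

get-aduser someone @options

# Empty hashtable: nothing is splatted, so the command runs as the current user
$options = @{}

get-aduser someone @options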
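
Pulling the thread's suggestions together, as an added example that is not part of any post above: prompt for the credential once, keep it in script scope, and splat `-Credential` only when the checkbox asks for it and the target is remote (WMI rejects credentials for local connections, as in the error shown earlier). `Get-ToolCredential`, `Get-RemoteBios` and the computer names are hypothetical, and `Get-WmiObject` assumes Windows PowerShell.

```powershell
# Added example, not code from the thread. Function names and the computer
# names 'alpha' and 'beta' are hypothetical placeholders.

# Script-scoped cache so the user is prompted at most once per run.
$script:ToolCredential = $null

function Get-ToolCredential {
    if (-not $script:ToolCredential) {
        # Get-Credential returns a PSCredential whose password is a SecureString,
        # so no plain-text password sits in the script or on a command line.
        $script:ToolCredential = Get-Credential
    }
    $script:ToolCredential
}

function Get-RemoteBios {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        # On a form, bind this with -UseAlternateCredential:$checkbox.Checked
        [switch] $UseAlternateCredential
    )

    # Parameters that are always passed.
    $options = @{ ComputerName = $ComputerName }

    # WMI refuses explicit credentials for local connections, so the
    # Credential key is only added for remote targets.
    $isLocal = @('.', 'localhost', $env:COMPUTERNAME) -contains $ComputerName
    if ($UseAlternateCredential -and -not $isLocal) {
        $options['Credential'] = Get-ToolCredential
    }

    # Splatting expands the hashtable into named parameters.
    Get-WmiObject -Class Win32_BIOS @options
}

# One prompt at most, however many computers are queried.
'alpha', 'beta' | ForEach-Object {
    Get-RemoteBios -ComputerName $_ -UseAlternateCredential
}
```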