Pipe input to executable

  • Question

  • I want to pipe a password to the runas command in my PowerShell script.

    I wish to use the credentials of a remote user.

    Simplified code extract:

    Decrypt-SecureString $pw | runas /noprofile /netonly /user:$u "powershell"

    The decrypt function returns a [string] object with the desired account password.

    Although the 'runas' command accepts the input, I still get invalid credentials when I try to do something as the user.

    Tuesday, July 3, 2018 12:02 PM

All replies

  • RunAs cannot take piped input in PowerShell.

    Start-Process powershell -Credential $cred


    \_(ツ)_/

    Tuesday, July 3, 2018 12:19 PM
  • Start-Process does not seem to allow the credentials of a remote user.

    $cred = Get-Credential ("userid@ad.domain")
    [type password]
    Start-Process powershell -Credential $cred -ArgumentList "-noexit -noprofile"
    
    Gives the error: The user name or password is incorrect

    I am running the script from a non-domain joined machine and I wish to use domain credentials to connect to Active Directory from an interactive PowerShell window.

    Tuesday, July 3, 2018 12:39 PM
  • Assuming AD allows this connection type.

    All AD CmdLets allow for alternate credentials.

    Of course you cannot use AD credentials to start a process on the local system that is not in the domain.  Think about it.


    \_(ツ)_/

    Tuesday, July 3, 2018 12:43 PM
  • This is what I can type from an elevated PowerShell window:

    runas /noprofile /netonly /user:userid@ad.domain powershell

    I get prompted for the password and then a new window opens.

    From this window I can type commands like:

    Get-ADUser user -server ad.domain
    

    This will use the credentials I supplied to the runas executable and returns the desired result.

    What I want to do is automate the bit where I type the password (since I connect to a number of different domains).

    Tuesday, July 3, 2018 1:01 PM
  • From any PowerShell prompt just type this:

    Get-AdUser -filter * -Credential userid@ad.domain  -Server ad.domain


    \_(ツ)_/

    Tuesday, July 3, 2018 1:09 PM
  • I know I can supply the credentials to a cmdlet.

    I am also aware of $PSDefaultParameterValues - to specify defaults.

    But I would like to leverage the runas facility which allows me to start both cmdlets and MMC tools from the same console window because the credentials are already stored.

    If it allows me to type the password why can I not script this operation? [back to my question at the top]

    Tuesday, July 3, 2018 1:50 PM
  • Because "RunAs" does not allow that.  The password MUST be typed in by hand.


    \_(ツ)_/

    Tuesday, July 3, 2018 4:59 PM
  • Figured out how to do it - uses the slightly frowned upon sendkeys method but this fulfils my requirements for this script.

    # initialisation
    Add-Type -AssemblyName System.Windows.Forms
    
    
    # These variables are set for the desired target domain
    $user
    $domain
    $password     # Stored as Secure-String
    $command
    
    
    # Make the connection
    $u = $user + '@' + $domain
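    # SendKeys treats + ^ % ~ ( ) { } [ ] as control characters, so wrap each one in braces
    $p = ((Decrypt-SecureString $password) -replace '[+^%~(){}\[\]]', '{$0}') + "`r"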
    
    Start-Process -FilePath "runas.exe" -ArgumentList "/noprofile /netonly /user:$u `"powershell -noexit -command $command`""
    Start-Sleep -Milliseconds 100
    [System.Windows.Forms.SendKeys]::SendWait($p)
    
    

    NB: This is pseudo-code and does not include the parts that set up the parameters for the connection.

    But I end up with a single PowerShell window where I can use cmdlets from the ActiveDirectory module and also start MMC snap-ins with the correct authentication for my target AD Domain.

    Wednesday, July 4, 2018 11:07 AM
  • Good luck as this method seldom works reliably.


    \_(ツ)_/

    Wednesday, July 4, 2018 11:09 AM
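
Added example, not part of any reply in this thread: the Win32 function CreateProcessWithLogonW with the LOGON_NETCREDENTIALS_ONLY flag gives the same network-only logon as runas /netonly and takes the password as an argument, so nothing has to be typed or sent as keystrokes to whichever window has focus. The class name NetOnly and its Start method are hypothetical helpers; the user name is assumed to be in UPN form as in the question.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;

public static class NetOnly   // hypothetical helper name, not a built-in type
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessWithLogonW(string user, string domain, IntPtr password,
        int logonFlags, string app, StringBuilder cmdLine, int creationFlags,
        IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    const int LOGON_NETCREDENTIALS_ONLY = 2;   // credentials used for network access only
    const int CREATE_NEW_CONSOLE = 0x10;       // open the child in its own console window

    // user is expected in UPN form (userid@ad.domain), so the domain argument is null.
    public static int Start(string user, SecureString password, string commandLine)
    {
        STARTUPINFO si = new STARTUPINFO(); si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
        PROCESS_INFORMATION pi;
        IntPtr pw = Marshal.SecureStringToGlobalAllocUnicode(password);
        try {
            if (!CreateProcessWithLogonW(user, null, pw, LOGON_NETCREDENTIALS_ONLY, null,
                    new StringBuilder(commandLine), CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        } finally { Marshal.ZeroFreeGlobalAllocUnicode(pw); }   // wipe the plaintext copy
        CloseHandle(pi.hProcess); CloseHandle(pi.hThread);
        return pi.dwProcessId;
    }
}
'@

# Prompt once (or load a credential from protected storage); returns the new process id
$cred = Get-Credential 'userid@ad.domain'
[NetOnly]::Start($cred.UserName, $cred.Password, 'powershell.exe -NoExit -NoProfile')
```

With a network-only logon the credentials are not validated when the process starts, so a wrong password shows up only when the new window first contacts the domain.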