Running a command in a powershell script as a different user

  • Question

  • I have a PowerShell script that does various automation for my server, and I am trying to simply run a command as an Administrator user instead of the default local service user. I can't seem to figure out how to call a command as an Administrator without having to have any user interaction. This is part of my automation, so there can be no user input. Any help would be greatly appreciated, or some sort of lead on how I should go about this.
    Friday, August 18, 2017 7:11 PM

All replies

  • You cannot locally run a command as another user.  You can use commands that accept credentials.  You can also run a new PowerShell session as a different user.

    Right click on the PowerShell icon and select "Run As Administrator"

    You can also use the "RunAs" system utility command:

    runas /?


    \_(ツ)_/

    Friday, August 18, 2017 7:38 PM
  • Or you can do an "Invoke-Command .... -Credential $credential", where $credential is a variable containing a PSCredential object for a user who has admin rights.

    Example:

    # 24-byte (192-bit) AES key used to decrypt the stored password string
    $key = (3, 4, 2, 3, 56, 34, 254, 222, 1, 1, 2, 23, 42, 54, 33, 233, 1, 34, 2, 7, 6, 5, 35, 43)

    $adUser = 'youradminaccount'
    # Placeholder: the encrypted password string produced by ConvertFrom-SecureString with the same key
    # (see: https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Security/ConvertFrom-SecureString?view=powershell-5.0)
    $adPassCrypted = 'thepasswordencrypted'
    $adPassSecured = ConvertTo-SecureString -String $adPassCrypted -Key $key
    # Build the credential object to pass to -Credential
    $adCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adUser, $adPassSecured

    At this point, if the $adCredential object has admin rights, you can do whatever you want without entering anything.

     

    Remark: It is NOT a completely secure script, because if a person takes your script and knows a little bit of PowerShell, he could reverse the encryption to get the password in plain text.


    Friday, August 18, 2017 9:38 PM
  • It is a very bad idea to place passwords into a script.  YOU might as well just publish it in a newspaper.


    \_(ツ)_/

    Friday, August 18, 2017 10:01 PM
  • For using passwords in PowerShell scripts, encrypt the password with the ConvertTo-SecureString cmdlet. In this way you can save credentials in a script. The password will be saved on the server you are on. When you use this password from another PC/server, it will fail.

    ConvertTo-SecureString

    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-5.1

    For example:

    "PASSWORD" | ConvertTo-SecureString -AsPlainText -force | ConvertFrom-SecureString | Out-file "./securepassword.txt"

    To call the password in the script use:

    $file = ".\securepassword.txt"
    $securePassword = Get-Content $file | ConvertTo-SecureString


    Sincerely, Martien van Dijk.


    Saturday, August 19, 2017 7:43 AM
  • For using passwords in PowerShell scripts, encrypt the password with the ConvertTo-SecureString cmdlet. In this way you can save credentials in a script. The password will be saved on the server you are on. When you use this password from another PC/server, it will fail.


    Anyone who can use the script can decode the password. This is not a secure method and it can only be used in one user account, as the encryption is account specific. You do NOT want to place passwords for admins in any script. If you are running at government or financial work this would be a violation of federal standards.

    \_(ツ)_/

    Saturday, August 19, 2017 7:56 AM
  • "YOU might as well just publish it in a newspaper." => YOU don't have to be rude, sir. If you read my answer completely, you would read "this is NOT a secure method".

     

    As far as I know the question was "how to run an elevated cmd into a script?". I just answered the question. It IS a way to do the trick. Is it the best way? NO. I NEVER told him that, and I will never say that.

     

    If security has the same priority for you as it does for me (the most important thing), I would recommend never entering any admin username or password information into a script.

    The production script has to be signed with a trusted certificate and obfuscated, and the environment should be set to the AllSigned policy, but this is another debate.

    Saturday, August 19, 2017 8:40 PM
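
An added example, not part of any reply in this thread: a static check, built on PowerShell's own parser, that flags the two patterns posted above (`ConvertTo-SecureString -Key` with a key the script carries, and `ConvertTo-SecureString -AsPlainText`) so they can be caught in script review. The function name `Find-EmbeddedSecret` and the sample script text are constructed for illustration.

```powershell
# Added example: flag credential-handling patterns from this thread in script text.
# Find-EmbeddedSecret is a hypothetical helper name, not a built-in cmdlet.
function Find-EmbeddedSecret {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every command invocation in the script, including nested script blocks
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        if ($cmd.GetCommandName() -ne 'ConvertTo-SecureString') { continue }

        $paramNames = $cmd.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            ForEach-Object { $_.ParameterName }

        foreach ($name in $paramNames) {
            # -like with a trailing * also catches abbreviated names such as -K or -As
            $reason = if ('Key' -like "$name*") {
                'decryption key is supplied by the script itself'
            } elseif ('AsPlainText' -like "$name*") {
                'plaintext password is handled inside the script'
            }
            if ($reason) {
                [pscustomobject]@{
                    Line      = $cmd.Extent.StartLineNumber
                    Parameter = "-$name"
                    Reason    = $reason
                    Code      = $cmd.Extent.Text
                }
            }
        }
    }
}

# Constructed sample input mirroring the snippets posted in the thread
$sample = @'
$key = (3, 4, 2, 3)
$adPassSecured = ConvertTo-SecureString -String $adPassCrypted -Key $key
"PASSWORD" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString
'@

Find-EmbeddedSecret -ScriptText $sample | Format-Table -AutoSize
```

To scan a file, pass `Get-Content -Raw` output as `-ScriptText`. The check is syntactic only: it does not follow aliases, splatting, or keys loaded from another file.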