SCCM executing script on clients under non system account/Run as account

  • Question

  • Hey Guys,

    I have a script which needs to be executed on a client machine under a domain account via the SCCM agent, instead of the local System account. The PowerShell script accesses network resources, which is impossible under the System account.

    I don't want to include the domain account and password in the PowerShell script; it is not secure.

    Do you have any idea?

    Monday, June 29, 2015 6:40 AM

All replies

  • I would look at one of the following options:

    • Use multiple programs in your package. One program that runs as the user and copies the files and one program that does the installation.
    • Use a task sequence and use a Run command line step. In that step you can specify a user account.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    • Proposed as answer by Felyjos Monday, May 6, 2019 7:40 PM
    Monday, June 29, 2015 8:03 AM
  • Two additional suggestions:

    • If possible, you could grant the computer accounts read rights to the share in question. The "Domain Computers" group usually works well, and then every computer's SYSTEM account will have rights without using RunAs.
    • If not, you could prevent putting a cleartext password in the script by encrypting the password inside the script (helpful blog post). It wouldn't prevent someone who found the script from repurposing the encrypted password in another script, but it's a step above cleartext. 
    Monday, June 29, 2015 11:52 AM
  • Thanks for the feedback guys, but:

    @Peter, actually the network resource is not a shared folder, it is a server which needs to be called from the script.

    I don't want PowerShell encryption; I'm looking for a solution from SCCM.

    It is not a complex task, it is a general task which every SCCM admin meets in the daily routine, and I think Microsoft must have a solution for it via SCCM.

    All new ideas will be appreciated, thanks.

    Monday, June 29, 2015 12:14 PM
  • Well, as another option you could use a task sequence and leverage the built-in Run As functionality of the Run Command Line step. But I don't think I understand what you're trying to do well enough to see if that's the best option. 
    • Proposed as answer by Todd Parkin Tuesday, July 7, 2015 12:43 PM
    • Marked as answer by Joyce L Wednesday, July 8, 2015 10:05 AM
    Monday, June 29, 2015 12:33 PM
  • We have a PowerShell script on the network which needs to be executed if a user needs access to a corporate application. Our support team connects to the server via Invoke-Command and executes the script with the client computer name as an input parameter. Script execution access is granted only to support users.

    Now, I need to publish a Program via SCCM and grant the user access to that program. The user will execute the program via the Application Catalog; after that the SCCM agent should perform the following command with the appropriate credential:

    Invoke-Command -ComputerName ServerName -ScriptBlock ... and etc.

    I don't know how to execute the script under a domain account.


    Monday, June 29, 2015 12:56 PM
  • There is no solution in ConfigMgr for this (except maybe using the run as ability of a task sequence but this is problematic in different scenarios).

    How do you "call a server"? Sorry, that doesn't make sense. Accessing a network resource, regardless of what it is, is the same as far as authentication goes and is generally always the same as far as authorization goes (although that truly depends upon the resource): using the AD principal. In this case, as Peter pointed out, the local System account uses the AD computer account for the system it is on to access network resources and all AD computer accounts are part of the built-in Domain Computers group which can be used like any other group in AD for authorization purposes.

    Without knowing exactly what you are doing, it's hard to offer anything more.

    Finally, if it's an administrative task, perhaps ConfigMgr is not the best tool for the job. Can't say without the details though.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, June 29, 2015 1:00 PM
  • Set the script to run as the user. That's built-in, no reason to do anything else.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, June 29, 2015 1:01 PM
  • Does it make sense to grant domain computers execute permission on the corporate application? The application is critical for us, and it doesn't make sense to grant such kind of access to domain computers. I assume that it could be done for one domain group (remediation group), where computers will be added for the installation period.

    As I understand, there is no other solution, except those listed in this forum.

    Thanks guys for your time, I'll encrypt the password in the PowerShell script and use the Run As command.

    Monday, June 29, 2015 2:17 PM
  • At the time I wrote that, you hadn't posted any details of what you were doing so we had no idea. We still really have no idea so it's hard to say what is the best path.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, June 29, 2015 2:31 PM
  • I'll try to describe it in detail, as much as allowed.

    We have the Act_OnSrv.ps1 script on Server1. Act_OnSrv.ps1 could NOT be copied to a client machine and executed, as it uses a lot of PS modules and dependencies and must be executed only on Server1. So please consider it as a rule: "the Act_OnSrv.ps1 must be executed on the server".

    The Act_OnSrv.ps1 script expects a computer name as input.

    My task is:

    Execute below PS commands on client machine under domain account instead of system account.

    $Session = New-PSSession -ComputerName Server1 

    Invoke-Command -Session $session -ScriptBlock  {C:\_Script\Act_OnSrv.ps1}

    Note: Access to the server is restricted only for one user, domain\user1.

    If the above description is not making sense, please don't hesitate to contact me.

    Tuesday, June 30, 2015 7:40 AM
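    Added example (not from any poster in this thread): a wrapper around the two commands above that records which principal the client is actually running as, opens the session to Server1 under that identity (or under an optional -Credential object supplied by the caller), and reports the identity the server authenticated. The same file then works unchanged whether the ConfigMgr client launches it as SYSTEM, as the logged-on user, or from a task sequence Run Command Line step with a Run As account; the server name, script path and the positional computer-name argument are assumptions taken from the post.

```powershell
# Added example, not the thread author's script. Assumes PowerShell remoting is
# enabled on Server1 and that Act_OnSrv.ps1 takes the client name positionally.
[CmdletBinding()]
param(
    [string]$ServerName   = 'Server1',
    [string]$RemoteScript = 'C:\_Script\Act_OnSrv.ps1',
    # Only used when the caller already holds a credential object;
    # no password is ever stored in this file.
    [System.Management.Automation.PSCredential]$Credential
)

function Get-ExecutionContextInfo {
    # Identity handed to us by the ConfigMgr client. Under the default SYSTEM
    # context this is NT AUTHORITY\SYSTEM locally, while Server1 will see the
    # computer account (DOMAIN\CLIENT$) on the wire.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        LocalIdentity = $id.Name
        IsSystem      = ($id.User.Value -eq 'S-1-5-18')   # well-known SYSTEM SID
    }
}

function Invoke-ServerScript {
    param([string]$Server, [string]$ScriptPath, [pscredential]$Cred)
    $sessionArgs = @{ ComputerName = $Server; ErrorAction = 'Stop' }
    if ($Cred) { $sessionArgs.Credential = $Cred }
    try {
        $session = New-PSSession @sessionArgs
        # Record the principal the server authenticated, then run the script there.
        $remoteUser = Invoke-Command -Session $session -ScriptBlock { whoami }
        $result = Invoke-Command -Session $session -ScriptBlock {
            param($Path, $Client) & $Path $Client
        } -ArgumentList $ScriptPath, $env:COMPUTERNAME
        [pscustomobject]@{ Succeeded = $true;  RemoteIdentity = $remoteUser; Output = $result; Error = $null }
    } catch {
        # Access denied here means the principal above is not authorized on the server,
        # i.e. the computer account or Run As account still needs rights granted.
        [pscustomobject]@{ Succeeded = $false; RemoteIdentity = $null; Output = $null; Error = $_.Exception.Message }
    } finally {
        if ($session) { Remove-PSSession $session }
    }
}

$ctx = Get-ExecutionContextInfo
Write-Verbose "Running as $($ctx.LocalIdentity) (SYSTEM: $($ctx.IsSystem))"
$outcome = Invoke-ServerScript -Server $ServerName -ScriptPath $RemoteScript -Cred $Credential
$outcome | Format-List
if (-not $outcome.Succeeded) { exit 1 }   # non-zero exit so ConfigMgr reports the failure
```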
  • There's the -Credential parameter available for Invoke-Command.

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, June 30, 2015 7:44 AM
  • The script must be executed on the client side, so in order to use the credential param I should encrypt the password. At this stage I don't want to; I'm still looking for an SCCM solution.
    Tuesday, June 30, 2015 9:28 AM
  • ConfigMgr does not have a solution for you. It will run the script as system.

    As mentioned you could use -Credential but this will use the password in clear text and is easily readable. 

    I'd be interested in seeing what method you use to encrypt the password. From personal experience every time I have attempted this I was able to decrypt the password with ease.


    Cheers Paul | http://sccmentor.wordpress.com

    Tuesday, June 30, 2015 9:48 AM
  • So back to what was already said: why not using a 'run command line' step using a task sequence. There's the option to specify an account. 

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, June 30, 2015 9:57 AM
  • @Paul, it is another topic for discussion. I suppose there will be a solution, hope so.

    @Torsten, you are right in the OSD case, but how to do it in the case of program deployment?

    Tuesday, June 30, 2015 10:17 AM
  • You can also use a task sequence outside OSD. Just a single step that contains 'run command line'.

    Torsten Meringer | http://www.mssccmfaq.de

    • Proposed as answer by Joyce L Tuesday, July 7, 2015 7:51 AM
    • Marked as answer by Joyce L Wednesday, July 8, 2015 10:05 AM
    Tuesday, June 30, 2015 11:22 AM