Get-ADObject command run as "Network Service"

  • Question

  • I've got a real simple get-adobject script, that simply lists all my users who are persons. (Included below). I want to run this as "Network Service", but I can't seem to get it to. I'm using the -credential parameter, and have tried "nt authority\network service", "nt authority\networkservice", and various others...but it still always prompts me for the password, which obviously, there isn't one. I've also tried to set the credentials using a get-credential to a variable, but that too is prompting for the password. How can I do this?

    Get-ADObject -Filter {(ObjectClass -eq "User") -and (ObjectCategory -eq "person")} -Credential 'nt authority\networkservice' | select Name,ObjectClass,ObjectCategory

    mpleaf

    Monday, January 6, 2014 8:19 PM

Answers

  • So, what's your question?

    You will need to explain enough of the context for your question to make sense.

    What query is your developer running, and in what context?

    How are you trying to duplicate it in PowerShell, and why?

    Bill

    Monday, January 6, 2014 9:26 PM
    Moderator

All replies

  • I want to run this as "Network Service"

    Why? (It's best to tell what you want to do, not how you think it should be accomplished.)

    Bill

    Monday, January 6, 2014 8:27 PM
    Moderator
  • ...as "I" am a domain admin, I see more than I would like at times. I am trying to emulate something my developer says he is doing in c#, so I want to do as he is, using network service to accomplish the results.

    :)

    mpleaf

    Monday, January 6, 2014 8:35 PM
  • I am just curious, why would you want a script, on a domain, with a username/password viewed in clear-text? I know this is off-topic of your post but seems like a risk.
    Monday, January 6, 2014 8:36 PM
  • I am trying to emulate something my developer says he is doing in c#

    And that is what?

    Bill

    Monday, January 6, 2014 8:36 PM
    Moderator
  • He is running as network service to pull a list of the AD users, and getting a conflict in the actual list, so I'm trying to do outside of his code, using powershell, to compare the lists.

    mpleaf

    Monday, January 6, 2014 9:01 PM
  • What does "getting a conflict in the actual list" mean?

    Bill

    Monday, January 6, 2014 9:02 PM
    Moderator
  • He's getting more users in the list than we anticipated. I get the same results, running as a domain admin. Meaning, I am seeing "users" that are not "people", such as mail groups.

    mpleaf

    Monday, January 6, 2014 9:05 PM
  • ...as "I" am a domain admin, I see more than I would like at times. I am trying to emulate something my developer says he is doing in c#, so I want to do as he is, using network service to accomplish the results.

    :)

    mpleaf


    The Network Service Account is merely a local account representing the computer (server) on the network.  It has most local privileges stripped as a security measure.

    Access to AD Objects is controlled by AD permissions.  Network Service uses its computer's credential to authenticate, so it's effectively the "computer" trying to access the AD Object.  You can easily figure out whether a computer has access to a certain AD object, by using Effective Permissions. You're a Domain Admin and it doesn't need me to say more.

    What you're trying to do, however, can be accomplished by creating a batch file that calls the PS Script, then create a dummy service that runs the batch under the "System" account.  On the network they're effectively the same thing.
    Monday, January 6, 2014 9:07 PM
  • Get-ADUser -Filter {ObjectClass -eq "user"} | SELECT Name

    Maybe that would help? Output Objects that are "user".

    or SELECT SamAccountName
    • Edited by RCCMG Monday, January 6, 2014 9:18 PM
    Monday, January 6, 2014 9:16 PM
  • That yields the same results, with exact same count of users. So, while it may be correct, it still isn't running as network service.

    mpleaf

    Monday, January 6, 2014 9:21 PM
  • That yields the same results, with exact same count of users. So, while it may be correct, it still isn't running as network service.

    mpleaf


    I would like to point out, Joe answered your question already on the Network Service account. I don't understand what you expect to see differently.
    Monday, January 6, 2014 9:29 PM
  • To simplify what Joe is saying.  You cannot impersonate the Network Service.  You can run as System.  That is all.

    You will get all of those accounts as they are all of the category and class you asked for.

    You failed to answer the bigger question. Why does anyone need to list those accounts in the way you want them listed? Why not just filter out the ones you do not want to see?

    Get-ADUser already filters on this: -Filter { objectClass -eq 'User' -and objectCategory -eq 'person' }

    Adding it in as a filter does nothing useful.


    ¯\_(ツ)_/¯


    • Edited by jrv Monday, January 6, 2014 9:57 PM
    Monday, January 6, 2014 9:57 PM
  • Get-ADUser already filters on this: -Filter { objectClass -eq 'User' -and objectCategory -eq 'person' }

    Adding it in as a filter does nothing useful. 



    You are absolutely right, for some reason my brain isn't working today.
    Monday, January 6, 2014 10:00 PM
  • PSExec will let you run as the Network Service:

    psexec.exe -i -u "nt authority\network service" powershell.exe
    

    If you check your username, $env:username, it will show the machine account. Like Joe said, though, when doing network operations it will be treated the same as the SYSTEM account.

    Monday, January 6, 2014 10:15 PM
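
Added example, not part of the original thread: a way to confirm which identity a session (such as the psexec-launched one above) really runs as, and to compare the user list it returns against the list from a domain-admin session. The function names and file paths are hypothetical; it assumes the ActiveDirectory module is installed.

```powershell
# Added example: run once per identity (e.g. in the psexec-launched window and
# in a normal domain-admin window), then compare the two CSV files.
Import-Module ActiveDirectory   # RSAT ActiveDirectory module, as used in the thread

# Well-known SIDs of the two local service identities discussed above.
$ServiceSids = @{ 'S-1-5-20' = 'NETWORK SERVICE'; 'S-1-5-18' = 'LOCAL SYSTEM' }

function Get-SessionIdentity {
    $id  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sid = $id.User.Value
    # Service identities have no domain credential of their own; on the network
    # they authenticate as the computer account (COMPUTERNAME$).
    $onNetwork = if ($ServiceSids.ContainsKey($sid)) { "$env:COMPUTERNAME`$" } else { $id.Name }
    New-Object PSObject -Property @{ LocalName = $id.Name; Sid = $sid; NetworkIdentity = $onNetwork }
}

function Export-PersonUsers {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Same filter as the original question; no -Credential, so the query runs
    # as whatever identity owns this session.
    Get-ADObject -Filter { (ObjectClass -eq 'user') -and (ObjectCategory -eq 'person') } |
        Select-Object Name, ObjectClass, DistinguishedName |
        Sort-Object DistinguishedName |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-UserExports {
    param([string]$ReferenceCsv, [string]$DifferenceCsv)
    $ref  = @(Import-Csv $ReferenceCsv)
    $diff = @(Import-Csv $DifferenceCsv)
    if ($ref.Count -eq 0 -or $diff.Count -eq 0) {
        Write-Warning "One export is empty: ref=$($ref.Count) diff=$($diff.Count)"
        return
    }
    # '<=' rows exist only in the reference export, '=>' only in the other one.
    Compare-Object $ref $diff -Property DistinguishedName
}

# Usage (paths are placeholders; the session identity must be able to write there):
#   Get-SessionIdentity
#   Export-PersonUsers -Path 'C:\Temp\users-networkservice.csv'
#   Compare-UserExports 'C:\Temp\users-admin.csv' 'C:\Temp\users-networkservice.csv'
```

An empty comparison result means both identities can read the same set of objects, so any unexpected entries come from the filter rather than from the account running the query.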