VMware Cloud Community
Andre24680
Contributor

How to run a script block as a different user?

Hi,

Within a software component I need to run a setup.exe as a service account.

For some reason I get an "access denied" error whatever I try.

So I simplified it to avoid other factors and just try to run a "whoami | out-file c:\temp\who.log" as a different user. Still failing.

What I do:

$securePassword = ConvertTo-SecureString $Password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential "$domain\$account", $securePassword

start-job -ScriptBlock {whoami | out-file c:\temp\who.log} -Credential $credential | wait-job

I also tried start-process ..... -credential ....

with same result.

UAC is disabled via registry.

Any help would be highly appreciated.

Thanks

Andre

14 Replies
RvdNieuwendijk
Leadership

Hi Andre,

I have tried your script and for me, it works fine. You might get an access denied because the service account does not have write rights on the c:\temp folder? Instead of the Start-Job cmdlet, you might consider using the Invoke-Command cmdlet.

For better exposure, I will move this thread to the PowerCLI community.

Blog: https://rvdnieuwendijk.com/ | Twitter: @rvdnieuwendijk | Author of: https://www.packtpub.com/virtualization-and-cloud/learning-powercli-second-edition
Andre24680
Contributor

How did you run it?

When I execute the code in a PowerShell on the VM it's fine, but having it in a vRA software component I get an "access denied".

Andre24680
Contributor

Please don't move this to PowerCLI. It works in PowerCLI; it does NOT work in a vRA software component.
Andre24680
Contributor

Please move this back to vRA. It's vRA software component specific; it works in PowerCLI.
RvdNieuwendijk
Leadership

I have moved this thread back from powerCLI to vRealize Automation Tools. Will you remove the duplicate post in this thread?

daphnissov
Immortal

What version of vRA and what user option did you select when you installed the guest/software agent inside your Windows template in use here?

Andre24680
Contributor

It’s vRA 7. The templates are created by a different team and I haven’t installed the guest agent myself. Could you please elaborate a bit more about the “user option”?

daphnissov
Immortal

Which version of vRA 7?

When you install the guest/software agent, there is an option in the wizard (on Windows) how the agent services should run. In 7.3, you have the option of specifying "localSystem". In previous versions, it would only run as a local user called "Darwin" (a hold-over from the AppD days) which had a different security context and was problematic for several types of system interactions. I'm asking which option was chosen when the agent was installed.

Andre24680
Contributor

Local system.

When I run a "whoami" in a script block it comes back as NTAuthority\system.

I've manually started a PowerShell as local system and the code works fine.

Is there any way to turn up the logs?

daphnissov
Immortal

Again, I ask what version of vRA 7?

Andre24680
Contributor

7.3

Andre24680
Contributor

As a workaround, the following works:

$st_taskname = "configuration_exe"
$st_trigger  = New-ScheduledTaskTrigger -AtStartup
$st_action   = New-ScheduledTaskAction -Execute "c:\Program Files (x86)\Microsoft BizTalk Server 2013 R2\Configuration.exe" -Argument "/s c:\temp\Biztalk_Server_Config.xml /l c:\temp\bizconfig_01.log /noprogressbar"
$st_task     = Register-ScheduledTask -Action $st_action -Trigger $st_trigger -TaskName $st_taskname -User "$domain\$bizsvc" -Password $bizSvcPwd
Get-ScheduledTask $st_taskname | Start-ScheduledTask
While ((Get-ScheduledTask $st_taskname).State -notlike "Ready") { sleep 60 }
Get-ScheduledTask $st_taskname | Disable-ScheduledTask

So all permissions for the user, files and so on are correct.

Why am I getting an "access denied" when I try to run it using "start-process ..... -credential"?

It stumps me.

Cheers

Andre

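An added example, not Andre's code or anything from vRA: it keeps the scheduled-task approach from the post above, but registers a trigger-less one-shot task, waits with a timeout, checks the process exit code and unregisters the task in a finally block so the stored credential does not stay behind on the host. The Invoke-AsServiceAccount name and its parameters are my own; the command, arguments and account are supplied by the caller.

```powershell
# Added example, not code from the thread. Function and parameter names are
# my own; the command, arguments and account are supplied by the caller.
function Invoke-AsServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $Execute,          # e.g. full path to a setup.exe
        [string] $Argument = '',
        [Parameter(Mandatory)] [string] $User,             # DOMAIN\svc-account
        [Parameter(Mandatory)] [securestring] $Password,
        [int] $TimeoutSeconds = 1800
    )
    # Unique name so concurrent runs never collide or pick up a stale task.
    $taskName = 'OneShot_' + [guid]::NewGuid().ToString('N')
    # Register-ScheduledTask only accepts a plain-text password; decrypt it as late as possible.
    $plain    = [System.Net.NetworkCredential]::new('', $Password).Password
    $action   = New-ScheduledTaskAction -Execute $Execute -Argument $Argument
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds $TimeoutSeconds)
    try {
        # No trigger: the task runs only when started explicitly below.
        Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings `
            -User $User -Password $plain | Out-Null
        $plain = $null
        Start-ScheduledTask -TaskName $taskName
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 5
            $state = [string](Get-ScheduledTask -TaskName $taskName).State
        } while (($state -in 'Queued', 'Running') -and ((Get-Date) -lt $deadline))
        if ($state -in 'Queued', 'Running') {
            Stop-ScheduledTask -TaskName $taskName
            throw "Task $taskName did not finish within $TimeoutSeconds seconds"
        }
        # LastTaskResult is the exit code of the launched process; 0 means success.
        $exitCode = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
        if ($exitCode -ne 0) { throw "Task $taskName exited with code $exitCode" }
        return $exitCode
    }
    finally {
        # Always remove the task so the stored credential does not linger on the host.
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
    }
}
```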
vbranden
Contributor

I ran into this issue while trying to automate cluster creation with the New-Cluster command. I have the following working:

function New-CredentialObject
{
    param(
        [parameter(Mandatory = $true)] [string] $user,
        [parameter(Mandatory = $true)] [string] $pass
    )
    $secpasswd = ConvertTo-SecureString $pass -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential ($user, $secpasswd)
    return $credential
}

# Runs script block as a specific user on the local system
# This is required when running as the localSystem/nt authority
function Invoke-ScriptBlockAsUser
{
    param(
        [parameter(Mandatory = $true)] [string] $user,
        [parameter(Mandatory = $true)] [string] $pass,
        [parameter(Mandatory = $true)] [scriptblock] $scriptBlock
    )
    Enable-WSManCredSSP -Role Server -Force -ErrorAction SilentlyContinue
    $cred = New-CredentialObject -user $user -pass $pass
    Invoke-Command -Credential $cred -ComputerName . -Authentication Credssp -ScriptBlock $scriptBlock
    Disable-WSManCredSSP -Role Server -ErrorAction SilentlyContinue
}

Invoke-ScriptBlockAsUser -user username -pass password -scriptBlock { New-Cluster -Name "myclustername" -node "node1","node2","node3" }
vbranden
Contributor

Sorry for the bad formatting above

function New-CredentialObject
{
    param(
        [parameter(Mandatory = $true)] [string] $user,
        [parameter(Mandatory = $true)] [string] $pass
    )
    $secpasswd = ConvertTo-SecureString $pass -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential ($user, $secpasswd)
    return $credential
}
 
# Runs script block as a specific user on the local system
# This is required when running as the localSystem/nt authority
function Invoke-ScriptBlockAsUser
{
    param(
        [parameter(Mandatory = $true)] [string] $user,
        [parameter(Mandatory = $true)] [string] $pass,
        [parameter(Mandatory = $true)] [scriptblock] $scriptBlock
    )
    Enable-WSManCredSSP -Role Server -Force -ErrorAction SilentlyContinue
    $cred = New-CredentialObject -user $user -pass $pass
    Invoke-Command -Credential $cred -ComputerName . -Authentication Credssp -ScriptBlock $scriptBlock
    Disable-WSManCredSSP -Role Server -ErrorAction SilentlyContinue
}
 
Invoke-ScriptBlockAsUser -user username -pass password -scriptBlock { New-Cluster -Name "myclustername" -node "node1","node2","node3" }
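As an added example, not vbranden's code, the same CredSSP loopback idea with three changes a practitioner would want: the client role is enabled as well (a loopback Invoke-Command with -Authentication Credssp needs both roles), the CredSSP state found before the call is restored afterwards, and the account is passed as a PSCredential rather than a plain-text string. The Invoke-LocalAsUser name is mine.

```powershell
# Added example, not code from the thread. Invoke-LocalAsUser is my own name;
# the idea is vbranden's CredSSP loopback, with the client role enabled too
# and the prior CredSSP configuration restored afterwards.
function Invoke-LocalAsUser {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [scriptblock]  $ScriptBlock
    )
    $me = $env:COMPUTERNAME
    # Get-WSManCredSSP returns two strings: client-role state, then server-role state.
    $before      = @(Get-WSManCredSSP)
    $clientWasOn = $before[0] -notmatch 'not configured'
    $serverWasOn = $before[1] -notmatch 'not configured'
    try {
        # Client role: allow this host to delegate fresh credentials to itself only.
        Enable-WSManCredSSP -Role Client -DelegateComputer $me -Force | Out-Null
        # Server role: allow this host to accept delegated credentials.
        Enable-WSManCredSSP -Role Server -Force | Out-Null
        # Loopback remoting runs the block under a full logon for $Credential
        # instead of the SYSTEM context the caller (e.g. the vRA agent) has.
        Invoke-Command -ComputerName $me -Authentication Credssp `
            -Credential $Credential -ScriptBlock $ScriptBlock
    }
    finally {
        # CredSSP hands the target a reusable copy of the password, so turn it
        # back off unless it was already enabled before this call.
        if (-not $clientWasOn) { Disable-WSManCredSSP -Role Client }
        if (-not $serverWasOn) { Disable-WSManCredSSP -Role Server }
    }
}

# Usage: obtain the credential from a secure source instead of a literal.
# $cred = Get-Credential -Message 'Service account'
# Invoke-LocalAsUser -Credential $cred -ScriptBlock { whoami }
```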