Leblanc Meneses

Reputation: 3091

run script block as a specific user with Powershell

I am not getting anywhere when using Start-Process / Start-Job cmdlets with -Credential $cred

Problem

I have a service account used in deployment (unattended mode). Previously it was added to the local Administrators group. I want to reduce the potential damage I could do by removing this user from the admin group and explicitly assigning folder permissions to this user.

However, in this same PowerShell script I want to be able to elevate to execute things like:

One of my failed attempts

$job = Start-Job -ScriptBlock { 

param(
    [string]$myWebAppId
)

Import-Module WebAdministration

Write-Host "Will get the application pool of: IIS:\Sites\$myWebAppId and try to restart"
$appPoolName = Get-ItemProperty "IIS:\Sites\$myWebAppId" ApplicationPool 
Restart-WebAppPool "$($appPoolName.applicationPool)" 
Write-Host "restart of apppool succeeded."

} -Credential $cred -ArgumentList @("appname")

Write-Host "started completed"

Wait-Job $job

Write-Host "wait completed"

Receive-Job $job -Verbose

Write-Host "receive completed"

Upvotes: 2

Views: 8337

Answers (4)

Adam Erickson

Reputation: 6363

For the admin account, there is a quick and dirty solution:

$Var1 = 1
$Var2 = 2
$Var3 = 3

Start-Process -FilePath 'pwsh.exe' -Verb 'RunAs' "-Command & {
    Some-Command -Arg $Var1
    Some-Command -Arg $Var2
    Some-Command -Arg $Var3
}"

Creating a ScriptBlock and invoking it with arguments passed into it is a pain in comparison.

Upvotes: 0

x0n

Reputation: 52450

While there's no quick and easy way to do this in PowerShell 2.0, version 3.0 (currently in RC, most likely RTW very soon given that Windows 8 RTW will appear on MSDN/Technet tomorrow) supports the notion of configuring remoting endpoints with a custom identity. This would be done with the Register-PSSessionConfiguration cmdlet on the computer where you want the command to run, which may be the local computer. Then, when using Invoke-Command, provide a session with the -Session parameter. The session is created using the New-PSSession cmdlet, which lets you specify the computer and the configuration name (which is tied to the custom identity).

Clear as mud?

Upvotes: 0
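The endpoint approach described in the answer above, written out as an added example (not code from any of the answers), assuming PowerShell 5.1, WinRM already enabled, and two placeholder accounts: CONTOSO\svc-deploy (the non-admin account that runs the deployment) and CONTOSO\svc-apppool-admin (the identity the endpoint runs as):

```powershell
# --- One-time setup, run elevated on the machine that hosts the IIS sites ---
# Placeholder identities (assumptions); replace with your own accounts.
$endpointName  = 'AppPoolRestart'
$deployAccount = 'CONTOSO\svc-deploy'                          # non-admin caller
$runAsAccount  = Get-Credential 'CONTOSO\svc-apppool-admin'   # endpoint run-as identity

# Session configuration file: only the cmdlets the deployment needs are visible,
# the IIS: provider is exposed, and RoleDefinitions grants $deployAccount access.
$psscPath = Join-Path $env:ProgramData "$endpointName.pssc"
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport WebAdministration `
    -VisibleProviders WebAdministration `
    -RoleDefinitions @{ $deployAccount = @{ VisibleCmdlets = 'Get-ItemProperty', 'Restart-WebAppPool' } }

# Register the endpoint so that every session on it runs as $runAsAccount.
Register-PSSessionConfiguration -Name $endpointName -Path $psscPath `
    -RunAsCredential $runAsAccount -Force | Out-Null

# --- In the unattended deployment script, running as $deployAccount ---
# Assumption: the deployment system supplies the password via DEPLOY_PASSWORD.
$securePw   = ConvertTo-SecureString $env:DEPLOY_PASSWORD -AsPlainText -Force
$deployCred = New-Object System.Management.Automation.PSCredential($deployAccount, $securePw)

$session = New-PSSession -ComputerName localhost -ConfigurationName $endpointName -Credential $deployCred
try {
    Invoke-Command -Session $session -ArgumentList 'appname' -ScriptBlock {
        param([string]$Site)
        # Executes under the endpoint's run-as identity, not the caller's.
        $pool = (Get-ItemProperty "IIS:\Sites\$Site" -Name ApplicationPool).ApplicationPool
        Restart-WebAppPool -Name $pool
        "Restarted application pool '$pool' for site '$Site'"
    }
}
finally {
    Remove-PSSession $session
}
```

Because the run-as identity belongs to the endpoint rather than the caller, the deployment account stays out of the Administrators group and can only reach the cmdlets the session file exposes.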

Leblanc Meneses

Reputation: 3091

I ended up enabling WinRM using WinRM quickconfig

I was then able to use Invoke-Command

$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password

Invoke-Command {
    param(
        [string]$WebAppName
    )
    # elevated command here

} -ComputerName $computerName -Credential $cred -ArgumentList @("$myWebAppId")

Upvotes: 1

justinf

Reputation: 1298

Hi, this might be an example that works for you; let me know if it does.

# PSCredential has no parameterless constructor: pass the user name and a SecureString password
$global:credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password

$job = Start-Job -ScriptBlock {Get-Service} -Credential $credentials

Wait-Job $job

Receive-Job $job

Upvotes: 1
