Reputation: 45
Alright, so, I've been searching online forever, and I can't find anything on this at all.
Basically, what I want to do is run a program from an elevated PowerShell script, but I want the program to run as the standard user.
I need to do this because the program that I need to run requires access to a mapped network drive that the domain administrator accounts don't have access to. So, I basically need a line of code that will take the script out of elevated mode, or some extension to the Start-Program command that will make it run as the logged on user rather than the administrator account that the script is running from.
Upvotes: 4
Views: 12282
Reputation: 11
One way that I have used extensively in the past is to create a scheduled task on the fly specifying the currently logged user as the account that will run the task. The task would run some other script, command, etc. and it would occur in the context of the logged on user. This is possible by using Start-Process to call the schtasks.exe program that will...
schtasks /create /tn "MyTask" /tr "powershell -file...." /ru "domain\username"
schtasks /run /tn "MyTask"
schtasks /delete /tn "MyTask"
You would just need your script to get the current user, which can be done in a number of different ways. I've also put a 2 second pause in between those calls to schtasks just to ensure they all run.
Upvotes: 1
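The scheduled-task approach from the answer above, written with the ScheduledTasks cmdlets instead of schtasks.exe. This is an added example, not code from the original answer; the program path, arguments and task-name prefix are placeholders, and it assumes the target user is logged on at the console.

```powershell
#Requires -RunAsAdministrator
# Added example: launch a program in the logged-on user's non-elevated session
# from an elevated script by way of a short-lived scheduled task.
$Program   = 'C:\Windows\System32\notepad.exe'   # placeholder program
$Arguments = ''                                  # placeholder arguments

# Resolve the console user. $env:USERNAME can name the elevating admin account
# when the script was elevated with different credentials.
# Assumption: a console logon exists; this property is empty for RDP-only sessions.
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $user) { throw 'No console user is logged on; nothing to run as.' }

# LogonType Interactive uses the user's existing logon session, so no password
# is supplied or stored. RunLevel Limited requests the non-elevated token.
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Limited

$actionArgs = @{ Execute = $Program }
if ($Arguments) { $actionArgs.Argument = $Arguments }
$action = New-ScheduledTaskAction @actionArgs

# Unique name so an existing task is never overwritten or reused.
$taskName = 'RunAsUser-{0}' -f [guid]::NewGuid()
$notRunYet = 0x41303   # SCHED_S_TASK_HAS_NOT_RUN

try {
    Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal | Out-Null
    Start-ScheduledTask -TaskName $taskName

    # Poll until the Task Scheduler reports that the task was launched,
    # instead of relying on a fixed pause (gives up after 10 seconds).
    $deadline = (Get-Date).AddSeconds(10)
    do {
        Start-Sleep -Milliseconds 500
        $result = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
    } while ($result -eq $notRunYet -and (Get-Date) -lt $deadline)

    if ($result -eq $notRunYet) { Write-Warning "Task did not start for $user." }
}
finally {
    # Always remove the task definition so it cannot be triggered again later.
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
}
```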
Reputation: 32155
The generally intended and accepted way to do this is to specify the network UNC path instead of the network drive. You can even re-map the drive in the elevated process if you need it. That's how you're supposed to do it. If you have an account running a process that needs access to a network location, the proper answer is to grant that account the access it needs to do its job.
However....
Does this or this or this describe the problem you're actually having? It's very unclear what you're trying to do. You've eliminated all context from your question.
If you're trying to run a script that needs to run elevated and needs to access the user's network drive and you can't use a UNC path for whatever reason, then the above three links are what you probably want.
If you really, truly need to impersonate a logged on user -- and I really struggle to think of a situation where I'd need to do this from a script -- then read on.
The alternatives that don't require knowledge of user credentials are:
For anything else, I think you will require credentials of the current user. What you'd be doing is credential hijacking, and OS security is specifically designed not to allow that.
Upvotes: 0
Reputation: 25401
There are more ways to do it (probably some even better) I guess, but this should also work.
If you need to run an executable or script under currently logged in user from an elevated environment, you can use RunAs with USERNAME environment variable passed as user argument:
runas /user:%USERNAME% program.exe
USERNAME environment variable should contain currently logged in user even in an elevated environment.
Upvotes: 0
Reputation: 26130
You could use psexec:
psexec -l powershell.exe -executionpolicy unrestricted -noexit -file c:\temp\checkelevated.ps1
-l : Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity.
Upvotes: 5