2

I am not getting anywhere when using Start-Process / Start-Job cmdlets with -Credential $cred

Problem

I have a service account used in deployment (unattended mode). Previously it was added to the local Administrators group. I want to reduce the potential damage I could do by removing this user from the admin group and explicitly assigning folder permissions to this user.

  • I would rather get a permission error than execute something that is reaching out by accident: Remove-Item "$notdefined\*"

However, in this same PowerShell script I want to be able to elevate to execute things like:

  • sc.exe
  • app pool restart which requires an admin user.

One of my failed attempts

$job = Start-Job -ScriptBlock { 

param(
    [string]$myWebAppId
)

Import-Module WebAdministration

Write-Host "Will get the application pool of: IIS:\Sites\$myWebAppId and try to restart"
$appPoolName = Get-ItemProperty "IIS:\Sites\$myWebAppId" ApplicationPool 
Restart-WebAppPool "$($appPoolName.applicationPool)" 
Write-Host "restart of apppool succeeded."

} -Credential $cred -ArgumentList @("appname")

Write-Host "started completed"

Wait-Job $job

Write-Host "wait completed"

Receive-Job $job -Verbose

Write-Host "receive completed"
1

4 Answers

1

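Hi, this might be an example that might work for you. Let me know if it does.

# $username and $password (a SecureString) are placeholders supplied by the caller
$global:credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
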
$job = Start-Job -ScriptBlock {Get-Service} -Credential $credentials

Wait-Job $job

Receive-Job $job

1 Comment

Get-Service doesn't require elevated permissions - try Stop-Service $serviceName -Force. It still doesn't work...
1

I ended up enabling WinRM using WinRM quickconfig.

I was then able to use Invoke-Command:

$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password

Invoke-Command {
    param(
        [string]$WebAppName
    )
    # elevated command here

} -ComputerName $computerName -Credential $cred -ArgumentList @("$myWebAppId")


0

While there's no quick and easy way to do this in PowerShell 2.0, version 3.0 (currently in RC, most likely RTW very soon given that Windows 8 RTW will appear on MSDN/Technet tomorrow) supports the notion of configuring remoting endpoints with a custom identity. This would be done with the Register-PSSessionConfiguration cmdlet on the computer where you want the command to run, which may be the local computer. Then, when using Invoke-Command, provide a session with the -Session parameter. The session is created using the New-PSSession cmdlet, which lets you specify the computer and the configuration name (which is tied to the custom identity.)

Clear as mud?
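The custom-identity endpoint described in the answer above, as an added example that is not part of the original answers. It goes beyond the answer by also constraining the endpoint to a single function and limiting who may connect, so the non-admin deployment account can restart an app pool without holding admin rights itself. Assumptions: PowerShell 3.0 or later with WinRM enabled; the names DeployOps, CONTOSO\svc-deploy, Restart-SiteAppPool and the .pssc path are hypothetical.

```powershell
# --- One-time setup, run elevated by an administrator ---
$deployAccount = 'CONTOSO\svc-deploy'   # assumed name of the non-admin deployment account
$runAs = Get-Credential -Message 'Admin identity the endpoint runs as'

# Resolve the deployment account to a SID for the endpoint ACL.
$sid = ([System.Security.Principal.NTAccount]$deployAccount).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Session configuration: restricted session type, with Restart-SiteAppPool
# as the only command added to that session type's defaults.
$pssc = Join-Path $env:ProgramData 'DeployOps.pssc'   # hypothetical location
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport WebAdministration `
    -VisibleFunctions 'Restart-SiteAppPool' `
    -FunctionDefinitions @{
        Name        = 'Restart-SiteAppPool'
        ScriptBlock = {
            param(
                [Parameter(Mandatory = $true)]
                [ValidatePattern('^[A-Za-z0-9_.-]+$')]   # no wildcards or path separators
                [string]$SiteName
            )
            $pool = (Get-ItemProperty "IIS:\Sites\$SiteName" ApplicationPool).applicationPool
            Restart-WebAppPool -Name $pool
            "Restarted application pool '$pool' for site '$SiteName'"
        }
    }

# Endpoint ACL: built-in Administrators and the deployment account may connect.
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)"
Register-PSSessionConfiguration -Name 'DeployOps' -Path $pssc `
    -RunAsCredential $runAs -SecurityDescriptorSddl $sddl -Force

# --- In the deployment script, running as the non-admin account ---
$session = New-PSSession -ComputerName localhost -ConfigurationName 'DeployOps'
try {
    # Pass constant arguments only: the restricted session does not evaluate
    # variables or expressions sent by the caller.
    Invoke-Command -Session $session -ScriptBlock { Restart-SiteAppPool -SiteName 'appname' }
}
finally {
    Remove-PSSession $session
}
```

Anyone allowed to connect to this endpoint acts with the RunAs identity's rights for whatever the visible function does, so the function's parameter validation and the endpoint ACL are the controls to review.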


0

For the admin account, there is a quick and dirty solution:

$Var1 = 1
$Var2 = 2
$Var3 = 3

Start-Process -FilePath 'pwsh.exe' -Verb 'RunAs' "-Command & {
    Some-Command -Arg $Var1
    Some-Command -Arg $Var2
    Some-Command -Arg $Var3
}"

Creating a ScriptBlock and invoking it with arguments passed into it is a pain in comparison.
