How to "hardcode" the RunAs functionality in Powershell script

  • Question

  • I have a PowerShell script that will extract an IP address and output the current user logged on, but only if I use the domain service account by using Run-As, i.e. Shift+Right-Click on cmd.exe and invoke PowerShell, etc, etc.

    ~~~BUT~~~

    This powershell code will be invoked by an external third-party software program that is not running in the context of the domain service account, which means I have to incorporate it into the script.

    I am puzzled as how to do this.

    So far, I have been reading "Powershell Tip - Storing and Using Password Credentials" and "PowerShell ASP: Using Invoke-Command with New-PSSession" (sorry I am unable to include the links)

    These pages explain:

    1. Store password in a separate file

    PS C:\> read-host -assecurestring | convertfrom-securestring | out-file C:\cred.txt

    2. Draw password back into script

    PS C:\> $password = get-content C:\cred.txt | convertto-securestring

    3. Create credential object

    PS C:\> $credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "myusername",$password

    But I am just not sure how I use this to make the script run in the context of these user credentials when they are invoked by the third-party software.

    FYI, here is the PowerShell code so far:

    # Build a hashtable from the arguments, which arrive as key=value pairs (e.g. sender-ip=10.2.3.3)
    $line_array = @()
    $multi_array = @()
    [hashtable]$my_hash = @{}
    foreach ($i in $args){
       $line_array+= $i.split(" ")
    }
    foreach ($j in $line_array){
        $multi_array += ,@($j.split("="))
    }
    foreach ($k in $multi_array){
        $my_hash.add($k[0],$k[1])
    }
    $Sender_IP = $my_hash.Get_Item("sender-ip")
    # Read logon events (4624) from the remote Security log; ReplacementStrings[4] is the
    # TargetUserSid and [5] the TargetUserName. Names ending in $ are computer accounts.
    $eventList = @()
    Get-EventLog "Security" -computername $Sender_IP `
        | Where -FilterScript {$_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10 -and $_.ReplacementStrings[5] -notlike "*$"} `
        | Select-Object -First 2 `
        | foreach-Object {
            $row = "" | Select UserName, LoginTime
            $row.UserName = $_.ReplacementStrings[5]
            $row.LoginTime = $_.TimeGenerated
            $eventList += $row
            }
    # Output the user name from the most recent matching logon
    $userId = $eventList[0].UserName
    $userId

    It can be invoked with

    PS D:\script> .\FOO.ps1 sender-ip=10.2.3.3 sender-name=joe

    • Moved by Bill_Stewart Thursday, August 22, 2013 10:06 PM Abandoned thread
    Thursday, August 8, 2013 4:14 PM
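    One way to make the poster's script run its remote query under the stored service-account credential without a Run-As hop. This is an added example, not the original poster's script: Get-EventLog has no -Credential parameter, but Get-WinEvent does, so the credential built from the file can be passed straight to the query. The credential file path, the service account name and the event-property indexes for 4624 are assumptions; the file must have been written by the same Windows account the third-party program runs this script as, because ConvertFrom-SecureString protects it with DPAPI for that user and machine only.

```powershell
# Added example (not the original poster's script): run the remote Security-log query under a
# stored service-account credential without re-launching PowerShell. Assumptions: the credential
# file was written by the SAME Windows account that the third-party program runs this script as
# (ConvertFrom-SecureString protects the string with DPAPI for that user and machine only), and
# that service account may read the remote Security log. Paths and account names are hypothetical.
param(
    # Accepts the original bare-argument form: .\FOO.ps1 sender-ip=10.2.3.3 sender-name=joe
    [Parameter(Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]] $KeyValueArgs,
    [string] $CredentialFile = 'C:\ProgramData\MyTool\cred.txt',   # hypothetical location
    [string] $ServiceAccount = 'DOMAIN\svc_eventreader'             # hypothetical account
)

# 1. Parse the key=value arguments into a hashtable (same convention as the original script).
$params = @{}
foreach ($token in ($KeyValueArgs -split ' ')) {
    if ($token -match '^([^=]+)=(.*)$') { $params[$matches[1]] = $matches[2] }
}
if (-not $params.ContainsKey('sender-ip')) { throw 'sender-ip=<address> is required' }
$senderIp = $params['sender-ip']

# 2. Rebuild the credential object from the DPAPI-protected file.
$secure = Get-Content -Path $CredentialFile | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential ($ServiceAccount, $secure)

# 3. Query the remote Security log as the service account. Get-EventLog has no -Credential
#    parameter, but Get-WinEvent does, so no Start-Process / Run-As hop is needed.
#    For event 4624, Properties[4] is TargetUserSid and Properties[5] is TargetUserName,
#    i.e. the same fields as ReplacementStrings[4] / [5] in the original script.
$logons = Get-WinEvent -ComputerName $senderIp -Credential $cred `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 -ErrorAction Stop |
    Where-Object {
        $_.Properties[4].Value.ToString().Length -gt 10 -and   # skip well-known (short) SIDs
        $_.Properties[5].Value -notlike '*$'                   # skip computer accounts
    } |
    Select-Object -First 2 -Property @{ n = 'UserName';  e = { $_.Properties[5].Value } },
                                     @{ n = 'LoginTime'; e = { $_.TimeCreated } }

if ($logons) { $logons[0].UserName } else { Write-Warning "No matching 4624 events found on $senderIp" }
```

    Because the script itself still runs as whatever account the third-party program uses, only the network call to the remote event log is made as the service account, which is the smallest privilege change that satisfies the requirement.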

Answers

  • Typically a stored pass would be used along the lines of this:

    # Capture encrypted password once and store to file
    $passwd = Read-Host "Enter password" -AsSecureString
    $encpwd = ConvertFrom-SecureString $passwd
    $encpwd > $path\password.bin          # $path = folder where the encrypted password is kept
    # Afterwards always use this to start the script
    $encpwd = Get-Content $path\password.bin
    $passwd = ConvertTo-SecureString $encpwd
    $cred = New-Object System.Management.Automation.PSCredential 'domain\username',$passwd
    Start-Process PowerShell -Credential $cred -ArgumentList '-noexit','-File','path-to-script'

    or the $cred variable could be passed to whatever that's requesting admin rights in the PowerShell script

    I had an issue where I stored an admin pass, but it only worked for me since I stored it, not for other users, so not sure if storing a pass is going to work for you.

    • Edited by ImMax Thursday, August 8, 2013 4:28 PM
    • Marked as answer by Happy and Cheery Thursday, August 29, 2013 6:48 PM
    Thursday, August 8, 2013 4:27 PM
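    The "only worked for me" effect in the answer is DPAPI scoping: ConvertFrom-SecureString without -Key protects the string for the current user on the current machine, so the file must be created by the account that will later run the script. The following is an added example, not ImMax's code, that creates the file as that account, restricts the file ACL to it, and verifies the file decrypts in the current context before a scheduled or third-party run does real work. Paths and account names are hypothetical.

```powershell
# Added example (not ImMax's code): create the stored credential file *as the account that will
# later run the script*, lock the file down to that account, and verify it decrypts in the current
# context. ConvertFrom-SecureString without -Key uses DPAPI for the current user and machine only,
# so a file written by one person cannot be read by another account or on another host.
# Paths and account names are hypothetical.

function New-StoredCredentialFile {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $OwnerIdentity   # e.g. 'DOMAIN\svc_eventreader'
    )
    $secure = Read-Host -Prompt "Password for $OwnerIdentity" -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path

    # Replace the inherited ACL so only the owning account, SYSTEM and Administrators can read it.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheritance and drop inherited rules
    foreach ($id in @($OwnerIdentity, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-StoredCredentialFile {
    param([Parameter(Mandatory = $true)] [string] $Path)
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        $null = Get-Content -Path $Path | ConvertTo-SecureString
        Write-Verbose "$Path decrypts for $who on $env:COMPUTERNAME"
        return $true
    } catch {
        # Typical failure text: "Key not valid for use in specified state", i.e. the file was
        # written by a different user or on a different machine than the one running now.
        Write-Warning "$Path cannot be decrypted as $who on $env:COMPUTERNAME ($($_.Exception.Message))"
        return $false
    }
}

# Usage: run the first call once, interactively, as the service account (e.g. from a shell started
# with runas /user:DOMAIN\svc_eventreader); the unattended invocation then calls the second as a
# sanity check before doing real work.
# New-StoredCredentialFile -Path 'C:\ProgramData\MyTool\cred.txt' -OwnerIdentity 'DOMAIN\svc_eventreader'
# if (-not (Test-StoredCredentialFile -Path 'C:\ProgramData\MyTool\cred.txt')) { exit 1 }
```

    The ACL step matters because the protection is only as strong as the account: anyone who can run code as that user (or who is a local administrator on the box) can call ConvertTo-SecureString on the file just as the script does, so the file should be readable by nobody else and the service account should hold only the event-log read right it needs.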

All replies

  • It is very unsafe to store domain creds in a file. They are not as secure as expected. You can forward security events needed to a custom subscriber log and give the users read permission on this log. This will easily circumvent the need to alter security and will allow for a more flexible solution.

    ¯\_(ツ)_/¯

    Thursday, August 8, 2013 6:23 PM
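    The read side of the forwarding approach, as an added example that is not jrv's code: once the workstations' 4624 events are subscribed into a collector log, the lookup runs as an ordinary account with read access to that log only, and no domain credential is stored anywhere. The log name (Windows Event Forwarding writes to ForwardedEvents unless the subscription names another channel), the sender-to-hostname mapping and the logon-type filter are assumptions.

```powershell
# Added example (not jrv's code): the read side of the event-forwarding approach. Once 4624 events
# from the workstations are subscribed into a collector log, the lookup runs as an ordinary account
# that only has read access to that log, so no domain credential is stored anywhere.
# The log name, the sender-to-hostname mapping and the logon-type filter are assumptions.
function Get-LastLogonFromCollector {
    param(
        [Parameter(Mandatory = $true)] [string] $SenderIp,
        [string] $LogName   = 'ForwardedEvents',
        [int]    $MaxEvents = 500
    )
    # Forwarded records keep the originating host in the System/Computer element, which Get-WinEvent
    # exposes as MachineName (usually an FQDN). Map the caller's IP to that name; adjust if your
    # domain logs short host names instead.
    $senderHost = [System.Net.Dns]::GetHostEntry($SenderIp).HostName

    # Get-WinEvent returns newest events first, so -First 1 after the filter is the latest logon.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object {
            $_.MachineName -eq $senderHost -and                    # case-insensitive host match
            $_.Properties[5].Value -notlike '*$' -and              # skip computer accounts
            @(2, 10, 11) -contains [int]$_.Properties[8].Value     # LogonType: interactive, RDP, cached
        } |
        Select-Object -First 1 -Property MachineName,
            @{ n = 'UserName';  e = { $_.Properties[5].Value } },
            @{ n = 'LoginTime'; e = { $_.TimeCreated } }
}

# Usage (constructed): Get-LastLogonFromCollector -SenderIp 10.2.3.3
```

    Read access for the account that runs the lookup is granted on the collector log's channel permissions (the log's Properties dialog in Event Viewer, or wevtutil sl <log> /ca:<SDDL>), which is the "read permission on this log" jrv refers to.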