I am not getting anywhere when using Start-Process / Start-Job cmdlets with -Credential $cred

Problem

I have a service account used in deployment (unattended mode). Previously it was added to the local administrators group. I want to reduce the potential damage I could do by removing this user from the admin group and explicitly assigning folder permissions to this user.

  • I would rather get a permission error than accidentally execute something that reaches out too far, e.g. Remove-Item "$notdefined\*"

However, in this same PowerShell script I want to be able to elevate to execute things like:

  • sc.exe
  • an app pool restart, which requires an admin user.

One of my failed attempts

# $cred is a PSCredential object built earlier in the script (username + SecureString)
$job = Start-Job -ScriptBlock {
    param(
        [string]$myWebAppId
    )

    Import-Module WebAdministration

    Write-Host "Will get the application pool of: IIS:\Sites\$myWebAppId and try to restart"
    $appPoolName = Get-ItemProperty "IIS:\Sites\$myWebAppId" ApplicationPool
    Restart-WebAppPool "$($appPoolName.applicationPool)"
    Write-Host "restart of apppool succeeded."
} -Credential $cred -ArgumentList @("appname")

Write-Host "started completed"

Wait-Job $job

Write-Host "wait completed"

Receive-Job $job -Verbose

Write-Host "receive completed"
Leblanc Meneses
  • I found one possible solution, http://powershell.com/cs/blogs/tobias/archive/2010/10/28/regular-users-running-admin-scripts-safe.aspx, although I am hoping there is a way to use $cred, which I retrieve with a SecureString. – Leblanc Meneses Aug 14 '12 at 09:18

3 Answers

Hi, this is an example that might work for you; let me know if it does.

# $username (string) and $password (SecureString) are assumed to be defined earlier;
# PSCredential has no parameterless constructor, so both must be passed in.
$global:credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password

$job = Start-Job -ScriptBlock {Get-Service} -Credential $credentials

Wait-Job $job

Receive-Job $job
justinf

I ended up enabling WinRM using winrm quickconfig.

I was then able to use Invoke-Command:

# $username (string), $password (SecureString), $computerName and $myWebAppId are defined earlier
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password

Invoke-Command -ScriptBlock {
    param(
        [string]$WebAppName
    )
    # elevated command here
} -ComputerName $computerName -Credential $cred -ArgumentList @("$myWebAppId")
Leblanc Meneses

While there's no quick and easy way to do this in PowerShell 2.0, version 3.0 (currently in RC, most likely RTW very soon given that Windows 8 RTW will appear on MSDN/Technet tomorrow) supports the notion of configuring remoting endpoints with a custom identity. This would be done with the Register-PSSessionConfiguration cmdlet on the computer where you want the command to run, which may be the local computer. Then, when using Invoke-Command, provide a session with the -Session parameter. The session is created using the New-PSSession cmdlet, which lets you specify the computer and the configuration name (which is tied to the custom identity).

Clear as mud?

x0n
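A worked version of the endpoint approach described in the last answer, written here as an added example (not code from the question or any of the answers). It assumes PowerShell 3.0 or later, WinRM already enabled, and the placeholder names DOMAIN\svc_admin (the privileged RunAs identity), DOMAIN\svc_deploy (the unprivileged deployment account) and RestartAppPool (the endpoint). It goes one step further than the answer by restricting the endpoint to a single function, so the deployment account can restart an app pool without admin group membership and without the deployment script ever holding the admin password.

```powershell
# Added example: a constrained remoting endpoint that runs as an admin account
# but exposes only one function. Placeholders (assumptions): DOMAIN\svc_admin,
# DOMAIN\svc_deploy, the endpoint name RestartAppPool, PowerShell 3.0+.

# --- One-time setup: run as a local administrator on the IIS host ----------
$runAs = Get-Credential -UserName 'DOMAIN\svc_admin' -Message 'RunAs account for the endpoint'

# Session configuration file: RestrictedRemoteServer hides everything except
# the proxies implicit remoting needs, plus the one function defined here.
$pssc = Join-Path $env:ProgramData 'RestartAppPool.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport WebAdministration `
    -VisibleFunctions Restart-SiteAppPool `
    -FunctionDefinitions @{
        Name        = 'Restart-SiteAppPool'
        ScriptBlock = {
            param(
                # Letters, digits, space, dot, dash and underscore only, so the
                # argument cannot steer the IIS: path to a different item.
                [Parameter(Mandatory)][ValidatePattern('^[\w .-]+$')]
                [string]$SiteName
            )
            $pool = (Get-ItemProperty "IIS:\Sites\$SiteName" -Name ApplicationPool).ApplicationPool
            Restart-WebAppPool -Name $pool
            "restarted application pool '$pool' for site '$SiteName'"
        }
    }

# Endpoint ACL: local administrators plus the deployment account, nobody else.
$account   = New-Object System.Security.Principal.NTAccount('DOMAIN\svc_deploy')
$deploySid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl      = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$deploySid)"

Register-PSSessionConfiguration -Name RestartAppPool -Path $pssc `
    -RunAsCredential $runAs -SecurityDescriptorSddl $sddl -Force

# --- In the deployment script, running as DOMAIN\svc_deploy (no admin) ------
# The caller authenticates as itself; the endpoint executes as svc_admin, so
# no admin credential is stored in, or passed by, the deployment script.
$session = New-PSSession -ComputerName $env:COMPUTERNAME -ConfigurationName RestartAppPool
Import-PSSession -Session $session -CommandName Restart-SiteAppPool | Out-Null
Restart-SiteAppPool -SiteName 'appname'
Remove-PSSession $session
```

Because the session is in NoLanguage mode, the function is reached through implicit remoting (Import-PSSession) rather than an arbitrary script block, which is also what prevents the deployment account from running anything else as svc_admin.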