1

I'm attempting to run a PowerShell script as the SYSTEM account as a scheduled task, and the task runs OK, but the script runs incorrectly because it does not load some Citrix PowerShell snap-ins that are needed when run as SYSTEM, but runs OK as my user account.

The script does a check to load the Citrix snap-ins, but those do not appear to work when run as SYSTEM.

```powershell
# Load the Citrix snap-ins only if they are not already in the session
if ((Get-PSSnapin "Citrix.Common.Commands" -EA SilentlyContinue) -eq $null) {
    try { Add-PSSnapin Citrix.* -ErrorAction Stop }
    catch { Write-Error "Error Citrix.* Powershell snapin"; return }
}
```

Is there anything special I need to do to get those Snap-ins loaded correctly? I'm calling the script like this, if it matters: `powershell.exe -executionpolicy bypass -file C:\path\to\script.ps1`.

EDIT: From running `(Get-PSSnapin -registered).count` as both SYSTEM and my user account, I can see that the snap-ins are loaded correctly, but still can't figure out why the script behaves differently.

OS is Server 2016, version 1607, this is the script: https://gist.github.com/4oo4/85cec464e123d7f2793745e662d6e7ab

4oo4
  • Why do you need all these tests? Just do `Add-PSSnapin Citrix.*`; if it already exists, why do you care? It will just ignore them. Also, running a test on my machine with Citrix servers: `(Get-PSSnapin -Registered).Count` has the same count with a regular admin or with the SYSTEM account user, so it shouldn't make a difference – Avshalom Jul 30 '18 at 18:31
  • Not sure why they have it that way, it's someone else's script that we've modified. I'll simplify it like you suggest and see if that helps. – 4oo4 Jul 30 '18 at 18:33
  • @Avshalom Thanks for the tip to check what Snap-ins are actually registered, the problem looks to be something different. I updated the question. – 4oo4 Jul 30 '18 at 18:51
  • Please specify the OS script is running on – Kahn Kah Jul 30 '18 at 19:09

1 Answer

6

This isn't the answer to why your specific script doesn't work under the SYSTEM account, but it explains how you might troubleshoot your (or any other) PowerShell script under the SYSTEM account.

Give a man a fish, and you feed him for a day. Teach a man to fish, and you feed him for a lifetime.

The whole thing around this is that you can actually open an interactive PowerShell command prompt under the SYSTEM account, which you were probably not aware of.

Run PowerShell as SYSTEM

There are a few ways to start an interactive PowerShell command prompt, but probably the easiest one is using PsExec.

Using PsExec

  • Download PsTools
  • Extract PSTools.zip and just copy PsExec into your executable path
  • Run PowerShell as Administrator (accept the User Account Control prompt)
  • In the PowerShell administrator window, give the command: `.\PsExec -i -s -d PowerShell`
  • A new PowerShell command window will open:
    PowerShell as SYSTEM
    (Type `WhoAmI` to confirm the current account)

From here you can troubleshoot the specific script:

  • Are there any errors when running the specific script?
  • Does it hang or crash at a specific command?
  • Are there any differences with running it under a user account?

If it appears that the script actually runs fine in the SYSTEM window, then I would check for any errors in the Task Scheduler:

  • Select Task Scheduler Local - Task Scheduler Library in the left pane
  • Select your task in the middle top pane
  • (Make sure you have Display All Task History in the right pane Enabled)
  • In the middle bottom pane check the events in the history tab
iRon
  • Thanks for the tip! By running the script interactively as SYSTEM, I can see that I was getting an "Insufficient Administrative Privileges" error. My mistake appears to be that the Citrix Delivery controller goes off of AD Permissions (and Roles/Scopes) versus the local accounts on the Delivery Controller itself. And you're right, I was way too vague with my question, and this will definitely help with troubleshooting in the future. – 4oo4 Jul 31 '18 at 16:59
  • I'm getting an error trying the above command: `Error establishing communication with PsExec service on XXXX: The specified network name is no longer available.` (I'm running from pwsh as Admin.) – not2qubit Oct 31 '20 at 12:31
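
As a non-interactive complement to the PsExec session described in the answer, the scheduled task can point at a small wrapper that records which account it runs as, how many Citrix snap-ins are registered and loaded, and the first terminating error. This is an added example, not code from the question, the answer or the linked gist; `$ScriptPath`, `$LogDir` and the log format are assumptions to adapt.

```powershell
# Added example: diagnostic wrapper for a scheduled task that runs as SYSTEM.
# $ScriptPath and $LogDir are placeholders (assumptions), not values from the question.
param(
    [string]$ScriptPath = 'C:\path\to\script.ps1',
    [string]$LogDir     = 'C:\Temp\TaskDiag'
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("run_{0:yyyyMMdd_HHmmss}.log" -f (Get-Date))

# Write one timestamped line to the log file (a scheduled task has no visible console).
function Write-Diag([string]$Message) {
    ("{0:u} {1}" -f (Get-Date), $Message) | Add-Content -Path $log
}

$exitCode = 0
try {
    # Which account is the task really running as?
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    Write-Diag "Identity: $($id.Name) (IsSystem=$($id.IsSystem))"
    Write-Diag "PowerShell $($PSVersionTable.PSVersion), 64-bit process: $([Environment]::Is64BitProcess)"

    # Registered = installed on the machine; loaded = added to this session.
    $registered = @(Get-PSSnapin -Registered -Name 'Citrix.*' -ErrorAction SilentlyContinue)
    Write-Diag "Registered Citrix snap-ins: $($registered.Count)"

    Add-PSSnapin -Name 'Citrix.*' -ErrorAction Stop
    $loaded = @(Get-PSSnapin -Name 'Citrix.*' -ErrorAction SilentlyContinue)
    Write-Diag "Loaded Citrix snap-ins: $($loaded.Count)"

    # Promote non-terminating errors so failures inside the script reach the catch block.
    $ErrorActionPreference = 'Stop'
    & $ScriptPath
    Write-Diag "Result: script completed without a terminating error"
}
catch {
    # Record the first failure, e.g. an authorization error returned by a remote service.
    Write-Diag "Result: FAILED"
    Write-Diag "Message: $($_.Exception.Message)"
    Write-Diag "Category: $($_.CategoryInfo.Category)"
    Write-Diag "Location: $($_.InvocationInfo.PositionMessage)"
    $exitCode = 1
}

# A non-zero exit code shows up as the task's Last Run Result in Task Scheduler.
exit $exitCode
```

If the snap-in counts match between SYSTEM and a user account but the log still shows a failure, compare the logged identity against the permissions the target service enforces, as in the asker's follow-up comment about AD permissions on the Delivery Controller.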