6

I'm trying to run Start-Process from a PowerShell script with a given credential. Nevertheless, the command fails with the following error:

```
Start-Process : This command cannot be executed due to the error: Access is denied
```

Here is the full error log:

```
18-Jun-2015 11:48:54    Start-Process : This command cannot be executed due to the error: Access is den
18-Jun-2015 11:48:54    ied.
18-Jun-2015 11:48:54    At C:\Windows\system32\config\systemprofile\AppData\Local\Temp\PRISMA-AMR-JOB1-
18-Jun-2015 11:48:54    87-ScriptBuildTask-8569094554411403512.ps1:38 char:18
18-Jun-2015 11:48:54    +     Start-Process <<<<  C:\Windows\System32\cmd.exe -arg "/C" -Credential $cr
18-Jun-2015 11:48:54    edential
18-Jun-2015 11:48:54        + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOp 
18-Jun-2015 11:48:54       erationException
18-Jun-2015 11:48:54        + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C 
18-Jun-2015 11:48:54       ommands.StartProcessCommand
```

Here is what the faulty PowerShell call looks like:

```powershell
Start-Process C:\Windows\System32\cmd.exe -arg "/C" -Credential $credential
```

If I open a command prompt with the appropriate credential on the machine where the script is executed, running `cmd /C` works fine. If it is run from the PowerShell script via Start-Process, it fails.

Maybe I should say that when I manually ran the command prompt with the targeted credential I was logged in as administrator, while the PowerShell script appears to run under the system account.

It really looks like something is wrong with some permissions... Any idea what's going on here?

Edit: Based on what has been said in https://serverfault.com/questions/185813/which-ad-permission-is-required-to-allow-impersonation-of-an-account/193717#193717
I checked the permission for impersonation in Local Policies -> User Rights Assignment. System is present, and for the sake of completeness I also added the computer account. Restarted. But no luck, the problem is still there!

John-Philip
  • Check if your credentials are valid. Say start `notepad`. Also check what credentials you use when running a scheduled task. – Vesper Jun 18 '15 at 10:11
  • @Vesper, I checked what the script is using as credential, and the values of both user and password are correctly set. As said, the credential used on the machine to run the PowerShell script is the computer account. Could this be the cause of the error? – John-Philip Jun 18 '15 at 11:39
  • Yes, it's likely, as the default screen to display the cmd window would be a system-local "secure" desktop, this is considered a security error of type "elevation of privilege", therefore is prohibited. Try saving your user's creds in that task and try again. – Vesper Jun 18 '15 at 11:45
  • @Vesper, I'm not sure I understand what you mean. Nevertheless, I added the -NoNewWindow parameter to the Start-Process call, with no more luck. – John-Philip Jun 18 '15 at 12:13
  • I've said you should change the task in Windows Task Manager to not run under local system. – Vesper Jun 18 '15 at 12:19

1 Answer

11

OK, I finally got it. It seems that for security reasons the System account cannot initiate impersonation. The solution here was to change the account running the script from System to a custom account, and then to allow impersonation for this account in the security policies, as said here:

https://serverfault.com/questions/185813/which-ad-permission-is-required-to-allow-impersonation-of-an-account/193717#193717

John-Philip
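
A pre-flight guard for the situation described in the answer above, as an added example that is not part of the original post: it refuses to call `Start-Process -Credential` when the script is running as the System account and reports the calling identity on any other failure. The function names `Test-RunningAsLocalSystem` and `Invoke-AsCredential` are hypothetical; `S-1-5-18` is the well-known SID of LocalSystem.

```powershell
# Added example (not from the original post). Function names are hypothetical.

function Test-RunningAsLocalSystem {
    # S-1-5-18 is the well-known SID of the LocalSystem account.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return ($identity.User.Value -eq 'S-1-5-18')
}

function Invoke-AsCredential {
    param(
        [Parameter(Mandatory = $true)]
        [string] $FilePath,

        [string[]] $ArgumentList = @(),

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $Credential
    )

    # Record who is actually making the call; build agents and scheduled
    # tasks frequently run under an account other than the one expected.
    $caller = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    if (Test-RunningAsLocalSystem) {
        # Fail early with an actionable message instead of "Access is denied".
        throw ("Running as $caller (LocalSystem). Start-Process -Credential " +
               "is refused from this account; run the job under a dedicated " +
               "service account instead.")
    }

    $params = @{ FilePath = $FilePath; Credential = $Credential; Wait = $true }
    if ($ArgumentList.Count -gt 0) { $params.ArgumentList = $ArgumentList }

    try {
        Start-Process @params -ErrorAction Stop
    }
    catch {
        # Surface the calling identity together with the original error text.
        throw "Start-Process failed while running as ${caller}: $($_.Exception.Message)"
    }
}

# Usage, assuming $credential is the PSCredential the script already builds:
# Invoke-AsCredential -FilePath "$env:SystemRoot\System32\cmd.exe" -ArgumentList '/C' -Credential $credential
```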