4

I want to deploy code using PowerShell via a Jenkins job. This works fine in the PowerShell ISE.

```powershell
$username = "mydomain\builder"
$password = "notmypassword"
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
$Arguments = "-ExecutionPolicy Bypass -File C:\Test.ps1 -NoNewWindow -WorkingDirectory C:\Windows\System32\WindowsPowerShell\v1.0 -NoLogo -NonInteractive"

Start-Process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Credential $credentials -ArgumentList $Arguments
```

But when I run it from Jenkins, which uses the local system account, I get the following error message.

```
Start-Process : This command cannot be run due to the error: Access is denied.
At C:\WINDOWS\TEMP\hudson5557889306949142167.ps1:7 char:1
+ Start-Process powershell.exe -Credential $credentials -ArgumentList $
```

If I change the Jenkins service to another account it works. Why won't elevated permission work under the local system account?

Note: the only code in test.ps1 is `New-Item c:\scripts\new_file.txt`

paul rockerdale

1 Answer

3

There seems to be a restriction on certain commands when a script is run under LocalSystem. This makes sense in terms of security, given that LocalSystem:

> has complete unrestricted access to local resources. This is also the disadvantage of LocalSystem because a LocalSystem service can do things that would bring down the entire system.

Reference: MSDN, The LocalSystem Account

There is a similar question at SuperUser: Can not create process with elevated permissions from LocalSystem account with ~~no answer so far~~ a reference to this answer now.

There is a similar question at TechNet: Runing PowerShell script with the permissions of the LocalSystem user with answers suggesting to run the script via Task Scheduler.

I can think of using runas with /savecred and a /user:... with appropriate permissions whose password never expires. AFAIR you have to invoke runas with /savecred interactively once, enter the credentials and it will take the saved credentials from the next invocation onwards.

Gerold Broser
  • To save the credentials I opened a cmd prompt as local system like this: `psexec -i -s cmd.exe`. You have to right-click psexec and tick "Run as administrator" for this to work. I then ran my PowerShell script for the first time. I was prompted for my password and then I got Access Denied!! In the end I've changed the Jenkins account to use something else. However, here's a solution that I didn't try: [link](http://www.brandonmartinez.com/2013/04/24/resolve-access-is-denied-using-psexec-with-a-local-admin-account) – paul rockerdale Nov 01 '15 at 23:14
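
The Task Scheduler route mentioned in the answer, sketched as an added example (not code from the question or the answer): an administrator registers an on-demand task that runs as the deployment account, and the Jenkins step running as LocalSystem only starts it, so the password no longer sits in the job script. Assumptions: the task name `JenkinsDeploy` is hypothetical, `mydomain\builder` holds the "Log on as a batch job" right, and the ScheduledTasks module (Windows 8 / Server 2012 or later) is available.

```powershell
# --- One-time setup: run interactively, elevated, by an administrator ---
$taskName = 'JenkinsDeploy'        # hypothetical task name (assumption)
$runAs    = 'mydomain\builder'     # deployment account from the question
$cred     = Get-Credential -UserName $runAs -Message 'Password for the deployment account'

# -File goes last: everything after the script path is passed to the script itself.
$action = New-ScheduledTaskAction `
    -Execute  'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument '-NoLogo -NonInteractive -ExecutionPolicy Bypass -File C:\Test.ps1'

# No trigger is defined, so the task runs only when started on demand.
# Task Scheduler stores the credential; it is not written to any script.
Register-ScheduledTask -TaskName $taskName -Action $action `
    -User $runAs -Password $cred.GetNetworkCredential().Password -RunLevel Highest

# --- Jenkins build step: runs as LocalSystem and holds no credentials ---
$taskName = 'JenkinsDeploy'
Start-ScheduledTask -TaskName $taskName

# Start-ScheduledTask returns immediately, so poll until the task has finished.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 2
    $state = (Get-ScheduledTask -TaskName $taskName).State
} while (($state -eq 'Queued' -or $state -eq 'Running') -and (Get-Date) -lt $deadline)

if ($state -eq 'Queued' -or $state -eq 'Running') {
    Write-Error "Task '$taskName' did not finish before the timeout."
    exit 1
}

# LastTaskResult is the exit code of powershell.exe; fail the build if it is non-zero.
$result = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
if ($result -ne 0) {
    Write-Error "Task '$taskName' finished with exit code $result."
    exit 1
}
```

Restrict who can modify `C:\Test.ps1` and the task definition, since anything able to change either runs code as the deployment account.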