Run parts of PS-Script as other user

Robin_Fakler Customer IT Monkey ✭

Hi,
we have a workflow-user who has no permissions for the Active Directory and is only used to run workflows within SCSM. For AD actions we have an ad-connector-user. My goal is to run PS-Scripts executed by the workflow-user and perform some AD actions within the script as the ad-connector-user.

I performed following steps on my SCSM machine:
- logged on as workflow-user
- saved the ad-connector-user credentials with "cmdkey" in the credential manager
- successfully executed a test script as workflow-user with following lines included:

# Get-StoredCredential (CredentialManager module) already returns a PSCredential, which is what -Credential expects
$cred = Get-StoredCredential -Target ad-connector-user
Invoke-Command -ComputerName scsm-machine -Credential $cred -Authentication CredSSP -ScriptBlock $script -ArgumentList $user_name, $printer_Name

We integrated the PS-Script within a Service Request but there are problems with the "Credential" parameter (see attached file). Do you have a proper solution to run parts of a script as another user?

Thank you!

Attachment: scsm.png
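The Credential Manager route the question describes, written out as an added example (not code from the original post), with the check a practitioner wants before the credential is handed to Invoke-Command: fail loudly when the vault returns nothing instead of letting the remote call prompt and hang the workflow. It assumes the CredentialManager module from the PowerShell Gallery (the source of Get-StoredCredential), a generic vault entry named ad-connector-user, and placeholder host, user, group and printer names.

```powershell
# Added example (not from the original post). Assumes the CredentialManager
# module from the PowerShell Gallery, which provides Get-StoredCredential.
# Host, account, group and printer names below are placeholders.
#Requires -Modules CredentialManager

# --- one-time setup, run interactively AS the workflow-user on the workflow server ---
# Generic credentials live in the per-user vault, so they are only visible to the
# account that stored them, on the machine where they were stored:
#   cmdkey /generic:ad-connector-user /user:DOMAIN\ad-connector-user /pass:<password>
#
# CredSSP must be enabled on both sides or Invoke-Command fails before any script runs.
# CredSSP forwards the connector account's full credentials to the target so it can make
# the second hop to AD; only delegate to hosts you trust.
#   Enable-WSManCredSSP -Role Client -DelegateComputer 'scsm-machine.domain.local'   # caller
#   Enable-WSManCredSSP -Role Server                                                  # target

function Get-DelegatedCredential {
    param([Parameter(Mandatory)][string]$Target)

    # Get-StoredCredential returns a PSCredential, or $null when the vault has no
    # such entry in THIS logon session. Throw with enough context to debug it.
    $cred = Get-StoredCredential -Target $Target
    if (-not $cred) {
        $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        throw "No stored credential '$Target' visible to $who (interactive=$([Environment]::UserInteractive))"
    }
    return $cred
}

# The part of the script that needs AD rights; it runs as the connector account.
$adWork = {
    param([string]$UserName, [string]$PrinterName)
    Import-Module ActiveDirectory
    # Hypothetical AD action: add the user to the printer's access group.
    $group = "PRN_$PrinterName"
    Add-ADGroupMember -Identity $group -Members $UserName
    # Return something the caller can log; Invoke-Command serialises it back.
    [pscustomobject]@{ RanAs = [Environment]::UserName; User = $UserName; Group = $group }
}

$cred = Get-DelegatedCredential -Target 'ad-connector-user'

$result = Invoke-Command -ComputerName 'scsm-machine.domain.local' `
                         -Credential $cred `
                         -Authentication CredSSP `
                         -ScriptBlock $adWork `
                         -ArgumentList 'jdoe', 'Printer01'
$result | Format-List
```

The throw in Get-DelegatedCredential is the useful part: a $null credential passed to -Credential makes Invoke-Command prompt for a password, and a non-interactive workflow has nowhere to show that prompt.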

Best Answer

  • Roland_Kind Partner Advanced IT Monkey ✭✭✭
    Accepted Answer

    Hi,

    just to be sure - you tested the $cred variable when running 'in the' workflow, 'not' as an interactive user?


    on your second question

    yes, it is possible without a password in cleartext ... I use the following approach:

    # how to convert a password string to a SecureString and then to an encrypted string
    # (done once, interactively; the key must be 16, 24 or 32 bytes for AES-128/192/256)
    $key = (63,54,132,223,56,24,124,22,123,176,232,23,22,14,133,33,21,134,22,47,96,15,35,13)
    $sc  = ConvertTo-SecureString 'passwordstring' -AsPlainText -Force
    $st  = ConvertFrom-SecureString -SecureString $sc -Key $key

    the $st / $secString var should then be used in your script like:

    # the same key as above must be present here, otherwise ConvertTo-SecureString cannot decrypt
    $key = (63,54,132,223,56,24,124,22,123,176,232,23,22,14,133,33,21,134,22,47,96,15,35,13)
    $secString = "764YwBkADcANkADMAM .... AA1ADMANwBkAGEANgBjAIAZgA1AGQANgA2AGUAMQA="
    $password = ConvertTo-SecureString -String $secString -Key $key
    $username = "domain\user"
    $un = New-Object System.Management.Automation.PSCredential($username, $password)

    but please note - in both methods yours (cred store) and the above method  the pw is not 100% safe ...

    regards
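The -Key approach above carried through end to end, as an added example that is not the answer's own code: a random key instead of a hand-typed byte list, the key kept in a file readable only by the workflow account rather than as a literal in the script, and a decrypt step that fails with a clear message when the key and secret no longer match. The DPAPI variant (no -Key at all) is shown in comments because it removes the key-management problem when the setup can be run as the workflow account. Paths and account names are placeholders.

```powershell
# Added example, not the answer's own code. Assumes DOMAIN\workflow-user runs the
# workflow and can read the two files below. Paths and account names are placeholders.

$KeyPath    = 'C:\SCSM\secrets\ad-connector.key'
$SecretPath = 'C:\SCSM\secrets\ad-connector.txt'

# ---- one-time setup (run by an admin) ---------------------------------------
function New-AesKeyFile {
    param([string]$Path, [string]$ReaderAccount, [int]$Bytes = 32)   # 16/24/32 = AES-128/192/256
    # Random key from the OS CSPRNG instead of a hand-typed byte list.
    $key = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    Set-Content -Path $Path -Value ($key -join ',') -Encoding ASCII

    # Lock the key file down: stop inheriting ACEs (the file is new, so it has none of
    # its own yet) and allow only the workflow account and local admins.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($pair in @(@($ReaderAccount, 'Read'), @('BUILTIN\Administrators', 'FullControl'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($pair[0], $pair[1], 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    return $key
}

function Protect-Secret {
    param([string]$Plain, [byte[]]$Key, [string]$Path)
    $sec = ConvertTo-SecureString -String $Plain -AsPlainText -Force
    ConvertFrom-SecureString -SecureString $sec -Key $Key | Set-Content -Path $Path -Encoding ASCII
}

# $key = New-AesKeyFile -Path $KeyPath -ReaderAccount 'DOMAIN\workflow-user'
# Protect-Secret -Plain (Read-Host 'connector password') -Key $key -Path $SecretPath

# ---- run time (inside the workflow) -----------------------------------------
function Get-ConnectorCredential {
    param([string]$UserName, [string]$KeyPath, [string]$SecretPath)
    [byte[]]$key = (Get-Content -Path $KeyPath -Raw).Trim() -split ','
    $secString   = (Get-Content -Path $SecretPath -Raw).Trim()

    # Surface a rotated key or an edited secret file here, with the paths involved,
    # rather than as a password prompt inside Invoke-Command later.
    try {
        $password = ConvertTo-SecureString -String $secString -Key $key -ErrorAction Stop
    } catch {
        throw "Cannot decrypt $SecretPath with key $KeyPath (key rotated or file edited?): $($_.Exception.Message)"
    }
    if ($password.Length -eq 0) { throw "Decrypting $SecretPath produced an empty password" }
    return New-Object System.Management.Automation.PSCredential($UserName, $password)
}

# Alternative without a key file: omit -Key and ConvertFrom-SecureString uses DPAPI.
# The blob can then only be decrypted by the same user on the same machine, so the
# setup step has to be run AS the workflow-user on the workflow server.
#   ConvertFrom-SecureString $sec | Set-Content $SecretPath            # setup
#   $password = Get-Content $SecretPath | ConvertTo-SecureString       # run time

$cred = Get-ConnectorCredential -UserName 'DOMAIN\ad-connector-user' -KeyPath $KeyPath -SecretPath $SecretPath
Invoke-Command -ComputerName 'scsm-machine' -Credential $cred -Authentication CredSSP -ScriptBlock { whoami }
```

Either way the workflow account can recover the password, which is the point of the exercise; what the key file and its ACL buy you is that the script itself, which usually sits in source control and on several consoles, no longer contains everything needed to do so.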

Answers

  • Roland_Kind Partner Advanced IT Monkey ✭✭✭
    edited June 18

    Hi, just a quick thought... did you run your test on the SCSM workflow server, or on your local machine?

    so maybe the credentials are not available on the workflow server ;)

  • Robin_Fakler Customer IT Monkey ✭

    Hi Roland,
    I successfully ran the test on our scsm-workflow-server logged on as the workflow-user. That's why this problem gives me a headache :(

  • Roland_Kind Partner Advanced IT Monkey ✭✭✭
    ok - according to the "error" message you get, it seems that the credential might not be read from the cred. store - can you verify (when running in a workflow) that the $cred var is populated with the credentials from the cred. store?
  • Robin_Fakler Customer IT Monkey ✭

    I tested following on the SCSM-workflow-machine logged on as workflow-user:

    $cred = Get-StoredCredential -Target ad-connector-user

    Write-Output $cred

    Output from Windows PowerShell ISE: System.Management.Automation.PSCredential

    Output from PowerShell Activity within a Service Request in Service Manager Console: <nothing>


    This is driving me crazy because both tests are made on the same machine with the same user. But thank you for that hint Roland!

    Is there any other way to run parts of PS scripts as other user without storing the credentials in cleartext?
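The empty output above is the kind of thing that is easier to explain once you can see what the PowerShell activity actually runs under. The following added diagnostic (not code from the thread) writes the identity, session and profile state of the running script, and the result of the same vault lookup, to a log file; dropping it at the top of the workflow script once shows whether the activity really runs as the interactive workflow-user, in a session that has that user's Credential Manager vault. The log path is a placeholder and the workflow account needs write access to it.

```powershell
# Added diagnostic, not code from the thread. Log path is a placeholder; the
# account running the workflow needs write access to it.
$LogPath = 'C:\SCSM\logs\workflow-diag.txt'

function Get-SessionDiagnostics {
    param([string]$CredentialTarget)
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Try the vault the same way the real script does, and record the outcome
    # (found / no entry / error / module missing), not just the value.
    $vault = 'n/a (CredentialManager module not installed)'
    if (Get-Module -ListAvailable -Name CredentialManager) {
        try {
            $c = Get-StoredCredential -Target $CredentialTarget -ErrorAction Stop
            $vault = if ($c) { "found, user=$($c.UserName)" } else { 'no entry visible in this session' }
        } catch {
            $vault = "error: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Time               = Get-Date -Format o
        User               = $id.Name
        ImpersonationLevel = $id.ImpersonationLevel          # None for a primary token, Impersonation when impersonated
        Interactive        = [Environment]::UserInteractive
        SessionId          = (Get-Process -Id $PID).SessionId  # 0 = service session, no desktop
        ProfileLoaded      = [bool]$env:USERPROFILE -and (Test-Path -Path $env:USERPROFILE)
        HostName           = $Host.Name
        PSVersion          = $PSVersionTable.PSVersion.ToString()
        Vault              = $vault
    }
}

$diag = Get-SessionDiagnostics -CredentialTarget 'ad-connector-user'
$diag | Format-List | Out-String | Add-Content -Path $LogPath
```

Compare one line written from the ISE with one written by the activity: if User, SessionId or ProfileLoaded differ, the two tests were never running in the same context, which is the usual reason a per-user vault lookup works interactively and returns nothing from a workflow.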


  • Robin_Fakler Customer IT Monkey ✭

    Yes, I used the $cred variable within a test service request which is executed by the workflow-user.

    Thank you very much for this example! Works like a charm! :)
