I am trying to execute a scriptblock from within a parent script using a different set of credentials. Both the
Parent script and Called scriptBlock are using non-Local Admin accounts. Currently I am attempting to use Invoke-Command
to accomplish this.
Test Setup:
I logged on to the local server (Win 2012R2, UAC disabled) as a local admin.
I then open a command prompt as the same ID (non-admin) that I will use for the Invoke-Command.
Test script: I am attempting the same steps inside and outside of the Invoke-Command to
demonstrate the difference in results. If the RunAs account is added to the local Administrators group this runs
as desired. I do not want to use an admin account as the RunAs account.
# Run in the parent session first
WhoAmi
"Check ExecutionPolicy"
Get-ExecutionPolicy
"Import Module"
Import-Module WFTFS

# Repeat the same steps under the RunAs credentials
"Ready to Invoke-Command (RunAs)"
Invoke-Command -ScriptBlock {
    WhoAmi
    Try {
        "Check ExecutionPolicy"
        Get-ExecutionPolicy -ErrorAction Stop
    }
    Catch {"ERROR : $($Error[0].exception)."}
    Try {
        "import Module"
        Import-Module WFTFS -Force -ErrorAction Stop
    }
    Catch {"ERROR : $($Error[0].exception)"}
} -ComputerName ECS-I-AUTD-01 -Credential $TFSCred
Test Results:
I do not understand how/why I am getting the Access Denied CIM Exception. The ecs-auto-tfs-svc account has full control
granted via Set-PSSessionConfiguration for microsoft.Powershell
PS > .\RunAs-Demo.ps1
ad-ent\ecs-auto-tfs-svc
Check ExecutionPolicy
Unrestricted
Import Module
Ready to Invoke-Command (RunAs)
ad-ent\ecs-auto-tfs-svc
Check ExecutionPolicy
ERROR : Microsoft.Management.Infrastructure.CimException: Access denied
   at Microsoft.Management.Infrastructure.Internal.Operations.CimSyncEnumeratorBase`1.MoveNext()
import Module
ERROR : System.Management.Automation.PSSecurityException: AuthorizationManager check failed. ---> Microsoft.Management.Infrastructure.CimException: Access denied
   at Microsoft.Management.Infrastructure.Internal.Operations.CimSyncEnumeratorBase`1.MoveNext()
Thoughts, suggestions, solutions all greatly appreciated. Or alternative methods of executing a scriptblock
within a script, under a different set of non-admin credentials than the parent script.
Thanks