Invoke-Command run as different user to kill a process

Hi

I want to create a script that will allow terminal users (Citrix XenApp) that will allow a normal user to close opened IE on multiple terminal servers. I created a script that is doing just that, but the problem is, it works only on the user which generated the security string. So i changed the security token to the password in plain text but the code stoped to work. Is showing all process but is now getting the user session ID. Do you have any suggestions? Here is the code:

$Username = "usernamewithadminrights"

$Password = 'password' | ConvertTo-SecureString -AsPlainText -Force

$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential `

-ArgumentList $Username,$Password

$Servers = 'servername'

Invoke-Command -ComputerName $Servers -ScriptBlock {

$SID = (Get-Process -IncludeUserName |  Where-Object { $_.UserName -contains 'username'} | Sort-Object SessionId -Unique).SessionId

get-process *iexplo* | where {$_.SI -like $SID} | Stop-Process

} -ArgumentList $User -Credential $MyCredential

If it worked the first time,

you can use a keyfile to store you pass with encryption so it isn’t readable from the PS file

I use this methode to create that file

$KeyFile = 'C:\Scripts\SystonyAES.key'
$Key = New-Object -TypeName Byte[] -ArgumentList 32   # You can use 16, 24, or 32 for SystonyAES
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
$Key | out-file -FilePath $KeyFile

$SystonyPasswordFile = 'C:\Scripts\SystonyPassword.txt'
$KeyFile = 'C:\Scripts\SystonyAES.key'
$Key = Get-Content -Path $KeyFile
$SystonyPassword = 'password' | ConvertTo-SecureString -AsPlainText -Force
$SystonyPassword | ConvertFrom-SecureString -key $Key | Out-File -FilePath $SystonyPasswordFile

$User = 'username'
$SystonyPasswordFile = 'C:\Scripts\SystonyPassword.txt'
$KeyFile = 'C:\Scripts\SystonyAES.key'
$key = Get-Content -Path $KeyFile
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential `
-ArgumentList $User, (Get-Content -Path $SystonyPasswordFile | ConvertTo-SecureString -Key $key)

 

and see if this works

It’s very bad risk management practice to embed plain text passwords in script files. You should always prompt for them. You can then store them in a secure file or windows credential manager or PS JEA to do this more securely.

As for …

I created a script that is doing just that, but the problem is, it works only on the user which generated the security string

This is by design. Any script or cannot natively get the currently logged on user full credentials and run with that, imagine the security risk to that. They user must specifically supply those.

Resources:

http://powershellcookbook.com/recipe/PukO/securely-store-credentials-on-disk

Working with Passwords, Secure Strings and Credentials in Windows PowerShell
https://social.technet.microsoft.com/wiki/contents/articles/4546.working-with-passwords-secure-strings-and-credentials-in-windows-powershell.aspx

PowerShell Credentials Manager
CredMan.ps1 is a PowerShell script that provides access to the Win32 Credential Manager API used for management of stored credentials.

https://www.sqlshack.com/how-to-secure-your-passwords-with-powershell

How to run a PowerShell script against multiple Active Directory domains with different credentials | Microsoft Learn