ScriptBlock - Elevate or runAs different user [Help]

by Wayfinder at 2013-04-25 19:23:01

Hi everyone,

I’m quite new to Powershell (New memebr as of today to this forum). I have performed a search for what I think the termonology is but have not been successful.

Is it possible to invoke a command to runas different user and or elevated permissions with UAC within side the script without calling external scripts or running the script with credentials from command line?

Some scrappy code I have been working on: (warning noobness code inbound)

[code2=powershell]$creds = New-Object Management.Automation.PSCredential("$UserName", $securePassword)
invoke-command -Credential $creds -ScriptBlock
{
New-Item -ItemType directory -Path “C:\TestArea”
}[/code2]

I want to eventually convert a script to an executable with a GUI so I’m just starting off with the basics.

Thank you for your help :slight_smile:
by DonJ at 2013-04-26 07:06:57
Yes, Invoke-Command can do that, exactly as you’ve put here. You can also use -FilePath instead of -ScriptBlock to execute a file.
by mjolinor at 2013-04-26 08:14:00
If it’s something relatively trivial (like create directory) that requires elevated permissions, you can use Start-Process with the ‘RunAs’ verb without needing to spawn a whole new instance of Powershell:


$Directory = ‘c:\TestArea’

If (-not (test-path $Directory))
{

$cmds = @"
/C md $Directory
icacls $Directory /grant Users:(RD,WD)
"@
$ProcessParams = @{
FilePath = ‘cmd.exe’
Verb = ‘RunAs’
ArgumentList = $($cmds -replace “\n”,"&&")
}
Start-Process @ProcessParams
}
by Wayfinder at 2013-04-29 01:25:00
Hi DonJ,

Thanks for your response but the actual command I posted doesn’t work. I have tried with addtional arguments -ComputerName etc but no success magic :slight_smile: .

Exceptions thrown:
Invoke-Command : Missing an argument for parameter ‘ScriptBlock’. Specify a parameter of type ‘System.Management.Automation.ScriptBlock’ and try again.
+ invoke-command -Credential $creds -ScriptBlock <<<<
+ CategoryInfo : InvalidArgument: (:slight_smile: [Invoke-Command], ParameterBindingException
+ FullyQualifiedErrorId : MissingArgument,Microsoft.PowerShell.Commands.InvokeCommandCommand


[quote=“DonJ”]Yes, Invoke-Command can do that, exactly as you’ve put here. You can also use -FilePath instead of -ScriptBlock to execute a file.[/quote]
by Wayfinder at 2013-04-29 01:26:37
Hi mjolinor,

Thanks for your help. I was hoping to avoid launching addtional processes such as cmd to perform this function.
But I will keep this snippet for something else.

Thanks again :slight_smile:

[quote=“mjolinor”]If it’s something relatively trivial (like create directory) that requires elevated permissions, you can use Start-Process with the ‘RunAs’ verb without needing to spawn a whole new instance of Powershell:


$Directory = ‘c:\TestArea’

If (-not (test-path $Directory))
{

$cmds = @"
/C md $Directory
icacls $Directory /grant Users:(RD,WD)
"@
$ProcessParams = @{
FilePath = ‘cmd.exe’
Verb = ‘RunAs’
ArgumentList = $($cmds -replace “\n”,"&&")
}
Start-Process @ProcessParams
}
[/quote]
by Lery at 2013-04-29 07:25:39
Can you give the following a try to see if it works for you?
Invoke-Command -scriptBlock{
$securePassword = ConvertTo-SecureString -string “password” -AsPlainText –Force; $user = New-Object Management.Automation.PSCredential(“username”, $securePassword); Invoke-Command -computername computername -Credential $user -scriptBlock {New-Item -ItemType directory -Path “C:\TestArea” }}
by Wayfinder at 2013-04-29 20:50:20
[quote=“Lery”]Can you give the following a try to see if it works for you?
Invoke-Command -scriptBlock{
$securePassword = ConvertTo-SecureString -string “password” -AsPlainText –Force; $user = New-Object Management.Automation.PSCredential(“username”, $securePassword); Invoke-Command -computername computername -Credential $user -scriptBlock {New-Item -ItemType directory -Path “C:\TestArea” }}
[/quote]

Hi Lery,

With your code snippet I get the following error:
[computername] Connecting to remote server failed with the following error message : Logon failure: unknown user name or bad password. For more information, see the about_Re
mote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:slight_smile: [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken

Now it does not prompt to put in credentials, so not sure how it is to populate the variables if no input has been provided by user?

Thanks
by MasterOfTheHat at 2013-05-01 08:34:32
In Wayfinder’s script, I think he intended for you to change “password” to your actual password and “username” to your actual username… And not sure why he has the first Invoke-Command wrapping around the rest of it…

Another option would be to use Get-Credential to prompt for the credentials:
Invoke-Command -computername computername -Credential (Get-Credential) -scriptBlock {New-Item -ItemType directory -Path “C:\TestArea” }
by Wayfinder at 2013-05-01 17:42:17
[quote=“MasterOfTheHat”]In Wayfinder’s script, I think he intended for you to change “password” to your actual password and “username” to your actual username… And not sure why he has the first Invoke-Command wrapping around the rest of it…

Another option would be to use Get-Credential to prompt for the credentials:
Invoke-Command -computername computername -Credential (Get-Credential) -scriptBlock {New-Item -ItemType directory -Path “C:\TestArea” }[/quote]

Hi MOTH,

Unfortuantey this does not yeild the requeid results. I have tried “-Credential” .

To be able to create a folder on the root of C:\ I need to be able to elevate permissions. So I am hoping there is a way inwhich you can do this.
Performing this task manually prompts a UAC dialogue box to press okay or cancel to create the folder, I need the same to happen from the script.

Cheers.
by mjolinor at 2013-05-01 18:07:51
[quote]
Performing this task manually prompts a UAC dialogue box to press okay or cancel to create the folder, I need the same to happen from the script.
[/quote]

You’ve also said you don’t want to launch another process. I believe these two things are mutually exclusive. You cannot, by design, elevate your current process. You must start a new process that is initialized with elevated privileges.
by MasterOfTheHat at 2013-05-02 07:37:10
Sorry, Wayfinder. Guess I misunderstood the question somewhere along the way…

Like mjolinar says then, you’re going to have to use Start-Process with -RunAs in your Invoke-Command script block to run with elevated privileges on the remote system. Why don’t you want to kick off the additional proces?