So hold on... is what your saying that the PSCredential is authorizing the account running the script to create the folders on the server?
Yeah, just like if you mapped a drive in Windows Explorer. The PSCredential is all the remote file server sees. If you were to check the security log on that server, you’d see the PSCredential account being used to connect and perform actions. Zero difference between this and mapping a drive in Explorer that uses alternate credentials. This is just how Windows has always worked.
But it’s not “the PSCredential is authorizing the account running the script.” The PSCredential isn’t “authorizing” anything. The PSCredential is what’s used to connect to the file server, and it’s actually a LOGON to that file server. Again, you can see it in the security log on the file server, if you’re auditing those events. The “account running the script” has nothing to do with anything, as far as the file server is concerned. The file server has no clue who is “running the script,” because all the file server sees is the credential used to map the drive.
So when it comes time to assign rights, the creator (the one running the script who was authorized) is able to assign those right?
I think you’re overthinking the “authorizing the account” stuff. The PSCredential used to map the PSDrive is the creator of any folders created in that drive. Ergo, the PSCredential gets permissions to those folders by default.
I’m worried that you’re thinking it’s like this:
Bob runs a script under his domain user account, UserBob.
The script maps a PSDrive using the account AdminBob.
The script changes to that PSDrive.
The script creates a folder.
The file server somehow gets permission from AdminBob to let UserBob create the folder.
That isn’t it.
Bob runs a script under his domain user account, UserBob.
The script maps a PSDrive using the account AdminBob.
AdminBob is now “logged in” to the file server (non-interactive logon over SMB)
The script changes to that PSDrive.
The script creates a folder.
Because AdminBob has permission to create the folder, the folder is created.
AdminBob has permissions to the new folder.
The file server has no idea who ran the script (UserBob), and the file server doesn’t care. There is only AdminBob, as far as the file server is concerned.
Again, this is exactly how Windows Explorer has always worked. If you duplicated these tasks in the GUI, you’d get the exact same result, with one exception: Explorer does a bit of a hedge that’s different. Normally, if a member of the local Administrators group creates a folder, then the local Administrators group is given permission to the new folder, rather than the specific admin who created the folder.