I’m designing a system which will provide IIS log cleanup on a bunch of remote servers. The majority of the PowerShell utility code is dot-sourced from a UNC share. I’m planning to use PowerShell remoting to launch GZIP compression on the remote system, launched from a scheduled task on a central computer. Remote computers are Windows 2008+ and have PowerShell versions 3.0+. The scheduled task will run under the System account of the central computer and use that account to authenticate to the remote machines (the computer account is added to the local Administrators group on the remote machines); this way I don’t have to deal with passwords and expirations. Now the problem is that since a lot of code is dot-sourced, when Invoke-Command is run it utilizes -FilePath to transmit a PowerShell file to the remote computer, and within that file there is a dot-sourced PowerShell script which points to a remote share where the majority of the logic and configuration is stored. This second hop obviously is not going to happen. I don’t want to enable CredSSP for multiple reasons.
My plan is to use the equivalent of “net use” before dot-sourcing to provide access to the remote share.
I plan to encrypt the password with AES+RSA. RSA will be provided through a certificate which will be present on all remote computers (via GPO); the AES key will be stored, encrypted with that certificate, in DNS via a TXT record. (Kind of dual-factor authentication, since to decrypt the password you need to have the certificate AND have access to our internal network to query DNS.)
Now comes the actual question. How do I avoid using cmd.exe (i.e. running net use)? What do I do in PowerShell to instruct the underlying OS to use alternative credentials to access the remote UNC share?
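The following is an added example, not code from the original post, showing the PowerShell-native replacement for "net use" (New-PSDrive with -Credential) wired to the key-retrieval scheme the post describes: the AES key and IV are pulled from a DNS TXT record, RSA-decrypted with the GPO-deployed certificate, then used to decrypt the share password. Everything specific is an assumption for illustration: the record name, the certificate thumbprint placeholder, the share path, the service account name, the base64 layout of the blobs (RSA-OAEP over key||IV for the TXT record; AES-CBC/PKCS7 over the UTF-8 password), and the function names. Resolve-DnsName needs the DnsClient module (Windows 8/2012 and later), and the code is meant to run inside the script that Invoke-Command -FilePath ships to the remote host, before the dot-source line.

```powershell
# Added example (not from the original post). All names, paths and blob formats are assumptions.
Set-StrictMode -Version 2

# Placeholder: AES-encrypted password, base64. Stored in the shipped script/config, not on the page.
$EncryptedPasswordBase64 = '<BASE64-AES-CIPHERTEXT-PLACEHOLDER>'

function Get-AesKeyFromDns {
    param(
        [Parameter(Mandatory=$true)][string]$RecordName,   # assumed TXT record name
        [Parameter(Mandatory=$true)][string]$Thumbprint    # thumbprint of the GPO-deployed cert
    )
    # Assumed record layout: base64( RSA-OAEP( aesKey[32] + aesIv[16] ) ). A long value may
    # be split over several strings, so join them before decoding.
    $txt  = Resolve-DnsName -Name $RecordName -Type TXT -ErrorAction Stop |
            Select-Object -ExpandProperty Strings
    $blob = [Convert]::FromBase64String(($txt -join ''))

    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint with a private key was not found in LocalMachine\My"
    }
    # .PrivateKey returns an RSACryptoServiceProvider for CSP-backed keys (PowerShell 3/4 era).
    # On .NET 4.6+ [X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    # also handles CNG-backed keys; the remoting identity needs read access to the key.
    $rsa   = $cert.PrivateKey
    $plain = $rsa.Decrypt($blob, $true)   # $true = OAEP padding
    if ($plain.Length -ne 48) { throw "Unexpected key blob length $($plain.Length)" }
    [pscustomobject]@{
        Key = [byte[]]$plain[0..31]
        IV  = [byte[]]$plain[32..47]
    }
}

function Unprotect-AesString {
    param(
        [Parameter(Mandatory=$true)][string]$CipherTextBase64,
        [Parameter(Mandatory=$true)][byte[]]$Key,
        [Parameter(Mandatory=$true)][byte[]]$IV
    )
    # AES-CBC with PKCS7 padding over the UTF-8 password (assumed format).
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $Key; $aes.IV = $IV
        $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
        $dec   = $aes.CreateDecryptor()
        $bytes = [Convert]::FromBase64String($CipherTextBase64)
        $plain = $dec.TransformFinalBlock($bytes, 0, $bytes.Length)
        [System.Text.Encoding]::UTF8.GetString($plain)
    } finally {
        $aes.Dispose()
    }
}

function Mount-UtilShare {
    param(
        [Parameter(Mandatory=$true)][string]$UncRoot,    # e.g. '\\fileserver\psutil' (assumed)
        [Parameter(Mandatory=$true)][string]$UserName,   # e.g. 'CORP\svc-logutil' (assumed)
        [Parameter(Mandatory=$true)][string]$Password
    )
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential($UserName, $secure)
    # New-PSDrive -Credential opens the SMB connection as the supplied account; this is the
    # in-process equivalent of "net use" and needs no cmd.exe. -Scope Global keeps the drive
    # visible to the scripts dot-sourced afterwards.
    New-PSDrive -Name Util -PSProvider FileSystem -Root $UncRoot -Credential $cred `
                -Scope Global -ErrorAction Stop | Out-Null
}

# --- usage inside the script that Invoke-Command -FilePath ships to the remote host ---
try {
    $aesMaterial = Get-AesKeyFromDns -RecordName 'logutil-key.corp.example' -Thumbprint '<THUMBPRINT-PLACEHOLDER>'
    $pw = Unprotect-AesString -CipherTextBase64 $EncryptedPasswordBase64 -Key $aesMaterial.Key -IV $aesMaterial.IV
    Mount-UtilShare -UncRoot '\\fileserver\psutil' -UserName 'CORP\svc-logutil' -Password $pw
    $pw = $null   # drop the plaintext reference as soon as the drive exists

    . Util:\Common.ps1            # dot-source the shared utility code through the mapped drive
    # ... GZIP compression of the IIS logs goes here ...
} finally {
    if (Get-PSDrive -Name Util -ErrorAction SilentlyContinue) { Remove-PSDrive -Name Util -Force }
}
```

Two things worth checking when deploying this: the remoting session on the remote host runs as the central computer's account, so the private key of the GPO-deployed certificate must grant that identity read access or the RSA decrypt fails before any share access is attempted, and the drive mapping must happen in the remote session itself (in the file sent with -FilePath), not on the central computer, because the SMB connection is per logon session.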