Powershell, RunAs vs Credential - powershell

So I have not found anything that explains why this code will run when you open PowerShell as "Administrator" and enter your domain admin credential, whereas when you open PowerShell with no admin privilege, use -Credential Domain\DomainAdminUser and enter your password when prompted, I get an error. Why is this?
Error: Get-WinEvent: The parameter is incorrect.
I'm asking because I have a menu script which I can run as admin using my domain admin credential, but the gpresult command will not work because of "invalid pointer", the reason being that my domain account is not part of the authenticated user.
So to make it easy, I need to run my menu script without admin rights and use the -credential switch for certain commands within the menu script.
cls
$logname = "Security"
$Id = "4634"
$Id2 = "4624"
Get-WinEvent -ComputerName $env:COMPUTERNAME -Credential Domain\DomainAdminuser @{logname=$logname;Id=$Id,$Id2;starttime=[datetime]::Today} |
    Select-Object TimeCreated, Id, @{n="Message";e={($_.message).Split(" ")[0..4] -join " "}} | Format-Table -Wrap

Related

run a command in a powershell script as another user

I'm a low-level IT technician working on a Swiss-army-knife-like PowerShell script.
So far, I was able to make it work using only user privileges.
But I want to add a function that, when you feed it a MAC address, tells you if there is already an IP reservation on a given scope of the DHCP.
The command works just fine:
Get-DhcpServerv4Lease -ComputerName xxx.xxx.xxx.xxx -ScopeId xxx.xxx.xxx.xxx | findstr "#mac"
The issue I'm facing is that I want to run the script with user privileges, and the command above needs admin privileges.
So I wrote the command using Start-Job -Credential to feed it admin credentials, but nothing happens in the foreground.
Start-Job -Credential $Credentials -ScriptBlock ${function:dhcp}
function dhcp
{
    $result = Get-DhcpServerv4Lease -ComputerName xxx.xxx.xxx.xxx -ScopeId xxx.xxx.xxx.xxx | findstr "#mac"
    $result | Out-File -FilePath C:\temp\result.txt
}
I thought it was due to the user environment/PS session, given that I run the script as newbieGuy and the command above as admin_newbieGuy, so I tried to use the Out-File cmdlet so I can get the result of the request in a directory every user has access to.
But the .txt is not even created.
I also tried using Invoke-Command, but I get the WinRM error and I can't modify the way this is set up in my organization.
I'm running out of options, guys. If you can give me a hint, that would be great.

How to Check User's Rights via powershell on a remote or local machine

I have a script that needs to check the user's rights on the remote machine in order to confirm the user has the permissions to copy their files. When this part of the script runs, it fails 90% of the time unless the user is already an admin on the remote machine.
This is my code:
Write-Host Checking User Rights
# If the user provides an IP address, find the hostname
if ($sourceComputerName -match $ipPattern) {
    Get-Hostname
}
else {
    $global:fullHostName = $env:COMPUTERNAME
}
Write-Host $sourceFolder
# Look for an ACL entry whose identity matches the admin user name
$permissionQuery = (Get-Acl $sourcefolder.substring(1, $sourceFolder.length - 2)).Access | Where-Object { $_.IdentityReference -match $adminusername } | Select-Object IdentityReference, FileSystemRights
if (!$permissionQuery) {
    Invoke-Command -FilePath "$PSScriptRoot\LocalAdmin.ps1" -ComputerName $fullHostName -ArgumentList "$sourceRemotePath"
}
else {
    Write-Host "Admin Rights Already Exist for $adminusername at $sourceRemotePath"
}
Clear-Host
Here is the Get-Hostname Function:
function global:Get-Hostname {
    $queryHostname = [System.Net.DNS]::GetHostEntry($sourceComputerName) | Select-Object HostName | Format-Table -HideTableHeaders
    $stringHostName = Out-String -InputObject $queryHostname
    $splitHostName = $stringHostName.split(".", 2)
    $global:fullHostName = $splitHostName[0] -replace '\s', ''
    [void]$fullHostName
}
Here is the error:
[DESKTOPXXXX] Connecting to remote server DESKTOPXXXX failed with the following error message : Access is denied. For
more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (DESKTOPXXXX:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
Note: I am one of the network admins and I have full admin rights on the machine I ran this script on
For effective permissions, try out Get-NTFSEffectiveAccess from the NTFSSecurity module.
The way you're currently checking permissions doesn't check for any groups that $adminusername is a member of, and may not give you accurate information.
The most common reason for "Access is denied" is that your current user is not an administrator on the remote machine, though there are other reasons listed in the Troubleshooting Guide:
Powershell remoting is not (or only partially) enabled on the remote machine.
WinRM service is not running
Remote firewall profile is in "Public network" mode (only accepts powershell remoting from the same subnet)
The current running credentials are invalid for some reason e.g. password expired.
You are double-hopping (remote from PC1 to PC2, then remote again to PC3)
First, try manually providing credentials:
$cred = Get-Credential -UserName Domain\AdminUser -Message Remote
Invoke-Command -Computername $sourceComputerName -Credential $cred -ScriptBlock {Hostname}
If you still get errors, try re-running the remote powershell setup on the remote machine (and restart it):
Enable-PSRemoting -Force
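A group-aware version of the ACL check the answer describes, as an added example that is not part of the original answer: it compares ACL entries by SID against the user SID and the enabled group SIDs in the current token. The function names and the sample path are assumptions; it evaluates only the identity running the script, treats any matching Deny as final, and does not model share permissions or ownership.

```powershell
# Added example (not from the original post). Both function names are
# hypothetical helpers; C:\Temp at the bottom is a constructed sample path.
function Get-AclRuleForCurrentToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # The user SID plus every enabled group SID in the token.
    $tokenSids = New-Object 'System.Collections.Generic.HashSet[string]'
    [void]$tokenSids.Add($identity.User.Value)
    foreach ($group in $identity.Groups) {
        [void]$tokenSids.Add($group.Value)
    }

    # Request rules keyed by SID: no name lookups, no regex on display names.
    $acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        if (-not $tokenSids.Contains($sid.Value)) { continue }

        # Resolve a display name; orphaned SIDs stay as the raw SID string.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }

        [pscustomobject]@{
            Identity  = $name
            Type      = $rule.AccessControlType      # Allow or Deny
            Rights    = $rule.FileSystemRights
            RightsRaw = [int]$rule.FileSystemRights  # raw access mask bits
            Inherited = $rule.IsInherited
        }
    }
}

function Test-RightGranted {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Right = 'Read'
    )

    $allow = 0
    $deny  = 0
    foreach ($r in Get-AclRuleForCurrentToken -Path $Path) {
        if ($r.Type -eq 'Allow') { $allow = $allow -bor $r.RightsRaw }
        else                     { $deny  = $deny  -bor $r.RightsRaw }
    }

    # Granted only if every requested bit is allowed and none is denied.
    $wanted = [int]$Right
    return (($allow -band $wanted) -eq $wanted) -and (($deny -band $wanted) -eq 0)
}

# Which ACL entries apply to this token, and do they add up to Modify?
Get-AclRuleForCurrentToken -Path 'C:\Temp' | Format-Table -AutoSize
Test-RightGranted -Path 'C:\Temp' -Right Modify
```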

Why can I pass credentials to a regular user but not a local administrator?

So basically I've been working forever on a PS remote self help script that originally was thought to be simple: Restart the spooler service, clear the queue, and print a test page on the default printer. Getting there however hasn't been so easy, due to security issues. After some hours, I was able to get my local user test account to accept the credentials of my domain administrator. I thought all was well, until I tried to replicate it on a local administrator's account, in which event access was denied. This is sort of important, because the majority of the accounts we will be deploying the script on are local admins. I suspect it may be a UAC issue, but I have no idea what I should do to work around the problem. Here's what I'm working with currently:
# True when the Administrators group SID (S-1-5-32-544) is in the current token's group list
$v = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")
If (-not $v)
{
    # Not running as admin: pass the domain credential to the service commands
    $password = "ElPassword" | ConvertTo-SecureString -asPlainText -Force
    $username = "Domainname\Username"
    $credential = New-Object System.Management.Automation.PSCredential($username,$password)
    Invoke-Command {Stop-Service spooler} -comp $env:ComputerName -cred $credential
    Remove-Item C:\Windows\System32\spool\PRINTERS\* -Force
    Invoke-Command {Start-Service spooler} -comp $env:ComputerName -cred $credential
    $printer = Get-WmiObject -Query " SELECT * FROM Win32_Printer WHERE Default=$true"
    $PrintTestPage = $printer.PrintTestPage()
}
Else
{
    # Already running as admin: call the service cmdlets directly
    Stop-Service spooler
    $printer = Get-WmiObject -Query " SELECT * FROM Win32_Printer WHERE Default=$true"
    Start-Service spooler
    $PrintTestPage = $printer.PrintTestPage()
}
The first thing this does is check if the current PS session is being run as admin; seeing as the users don't actually see the PowerShell window or script, and we recently started using the RMM tool, I'm still trying to figure out under what conditions the tool runs PS elevated - the documentation says that it runs with the credentials of the logged in user, but that doesn't seem to be the case, as an hour with their support team told me that the reason the script wasn't doing its job on any admin accounts was because it wasn't being elevated. Anyways, after the check, it either passes credentials for the commands or it doesn't. This script seems to handle every scenario but that of a local admin account running PS non-elevated. In that event, it simply denies me access where the exact same creds give me access on a regular user account. I'm not sure how to even approach this problem, so any help is appreciated.

Rights needed for accessing wmi32_process.GetOwner

I am working on a PowerShell script that (among other things) gets the currently logged in user for a list of VMs, using WMI to get the owner of any explorer.exe processes.
$User = Get-WmiObject -Class win32_process -ComputerName $strVMName -Credential $cred | `
Where-Object{ $_.Name -eq "explorer.exe" } | `
ForEach-Object{ ($_.GetOwner()).Domain + "\" + ($_.GetOwner()).User; }
This code works great, but only when the credentials used are an admin on the VM being queried. I have given a non-admin user full rights on CIMV2 in WMI Control, but the GetOwner method doesn't return anything ($user is returned as just "\") unless I add the user to the admin group as well. Since this script is intended to be run by normal users, I would rather not give them admin rights.
Can someone point me to the minimum rights needed to use these methods? Or even a different method of getting the currently logged in user that will work for non-admins?

Pass password into -credential

I am trying to log in to a computer.
I have been playing with various versions and determined that my past questions were when I didn't know what I was really trying to do.
I discovered that I was on the incorrect PC when running the script.
When I now run the script on the correct PC, the following code requires me to enter the password.
gwmi win32_service -credential domain\username -computer PC#
Is there a way with my current script above, to enforce the username and password without user entry? I have to do this for 100s of PCs so I want to loop through all of them without the user having to input the password 100s of times.
I tried doing the following:
$Username = 'domain\username'
$Password = 'password'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$SecureString = $pass
# Uses your password securely
$MySecureCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username,$SecureString -computer PC#
However, I get an error of A parameter cannot be found that matches parameter name 'computer'.
I also tried:
$MySecureCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username,$SecureString
# Sets your credentials to be used
#$RemoteConn = New-PSSession -ComputerName "PC#" -Credential $MySecureCreds -Authentication default
but the RemoteConn didn't work.
WOW I figured it out thanks to https://social.technet.microsoft.com/forums/windowsserver/en-US/440ab7ed-7727-4ff7-a34a-6e69e2dff251/getwmiobject-prompting-for-password-issues
So I didn't realize I can use the $MySecureCreds as the -credential
ANSWER:
$Username = 'domain\username'
$Password = 'password'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$SecureString = $pass
# Uses your password securely
$MySecureCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username,$SecureString
gwmi win32_service -credential $MySecureCreds -computer PC#
$pass="FooBoo"|ConvertTo-SecureString -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PsCredential('user@domain',$pass)
gwmi win32_service -credential $cred -computer $computer
Windows PowerShell
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Users\joshua> Get-Help Get-Credential -Full
NAME
Get-Credential
SYNOPSIS
Gets a credential object based on a user name and password.
SYNTAX
Get-Credential [-Credential] <PSCredential> [<CommonParameters>]
Get-Credential [[-UserName] <String>] -Message <String> [<CommonParameters>]
DESCRIPTION
The Get-Credential cmdlet creates a credential object for a specified user name and password. You can use the
credential object in security operations.
Beginning in Windows PowerShell 3.0, you can use the Message parameter to specify a customized message on the
dialog box that prompts the user for their name and password.
The Get-Credential cmdlet prompts the user for a password or a user name and password. By default, an
authentication dialog box appears to prompt the user. However, in some host programs, such as the Windows
PowerShell console, you can prompt the user at the command line by changing a registry entry. For more information
about this registry entry, see the notes and examples.
PARAMETERS
-Credential <PSCredential>
Specifies a user name for the credential, such as "User01" or "Domain01\User01". The parameter name
("Credential") is optional.
When you submit the command, you are prompted for a password.
Starting in Windows PowerShell 3.0, if you enter a user name without a domain, Get-Credential no longer
inserts a backslash before the name.
If you omit this parameter, you are prompted for a user name and a password.
Required? true
Position? 1
Default value None
Accept pipeline input? false
Accept wildcard characters? false
-Message <String>
Specifies a message that appears in the authentication prompt.
This parameter is designed for use in a function or script. You can use the message to explain to the user why
you are requesting credentials and how they will be used.
This parameter is introduced in Windows PowerShell 3.0.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-UserName <String>
Specifies a user name. The authentication prompt requests a password for the user name. By default, the user
name is blank and the authentication prompt requests both a user name and password.
When the authentication prompt appears in a dialog box, the user can edit the specified user name. However,
the user cannot change the user name when the prompt appears at the command line. When using this parameter in
a shared function or script, consider all possible presentations.
This parameter is introduced in Windows PowerShell 3.0.
Required? false
Position? 1
Default value None (blank)
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
You cannot pipe input to this cmdlet.
OUTPUTS
System.Management.Automation.PSCredential
http://go.microsoft.com/fwlink/?LinkId=228224
Get-Credential returns a credential object.
NOTES
You can use the PSCredential object that Get-Credential creates in cmdlets that request user authentication,
such as those with a Credential parameter.
By default, the authentication prompt appears in a dialog box. To display the authentication prompt at the
command line, add the ConsolePrompting registry entry
(HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\ConsolePrompting) and set its value to True. If the
ConsolePrompting registry entry does not exist or if its value is False, the authentication prompt appears in
a dialog box. For instructions, see the examples.
The ConsolePrompting registry entry works in the Windows PowerShell console, but it does not work in all host
programs. For example, it has no effect in the Windows PowerShell Integrated Scripting Environment (ISE). For
information about the effect of the ConsolePrompting registry entry, see the help topics for the host program.
The Credential parameter is not supported by all providers that are installed with Windows PowerShell.
Beginning in Windows PowerShell 3.0, it is supported on selected cmdlet, such as the Get-WmiObject and
New-PSDrive cmdlets.
-------------------------- EXAMPLE 1 --------------------------
PS C:\>$c = Get-Credential
This command gets a credential object and saves it in the $c variable.
When you enter the command, a dialog box appears requesting a user name and password. When you enter the requested
information, the cmdlet creates a PSCredential object representing the credentials of the user and saves it in the
$c variable.
You can use the object as input to cmdlets that request user authentication, such as those with a Credential
parameter. However, some providers that are installed with Windows PowerShell do not support the Credential
parameter.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>$c = Get-Credential
PS C:\>Get-WmiObject Win32_DiskDrive -ComputerName Server01 -Credential $c
These commands use a credential object that the Get-Credential cmdlet returns to authenticate a user on a remote
computer so they can use Windows Management Instrumentation (WMI) to manage the computer.
The first command gets a credential object and saves it in the $c variable. The second command uses the credential
object in a Get-WmiObject command. This command gets information about the disk drives on the Server01 computer.
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Get-WmiObject Win32_BIOS -ComputerName Server01 -Credential (Get-Credential -Credential Domain01\User01)
This command shows how to include a Get-Credential command in a Get-WmiObject command.
This command uses the Get-WmiObject cmdlet to get information about the BIOS on the Server01 computer. It uses
the Credential parameter to authenticate the user, Domain01\User01, and a Get-Credential command as the value of
the Credential parameter.
-------------------------- EXAMPLE 4 --------------------------
PS C:\>$c = Get-Credential -credential User01
PS C:\>$c.Username
\User01
This example creates a credential that includes a user name without a domain name. It demonstrates that
Get-Credential inserts a backslash before the user name.
The first command gets a credential with the user name User01 and stores it in the $c variable.
The second command displays the value of the Username property of the resulting credential object.
-------------------------- EXAMPLE 5 --------------------------
PS C:\>$Credential = $host.ui.PromptForCredential("Need credentials", "Please enter your user name and password.",
"", "NetBiosUserName")
This command uses the PromptForCredential method to prompt the user for their user name and password. The command
saves the resulting credentials in the $Credential variable.
The PromptForCredential method is an alternative to using the Get-Credential cmdlet. When you use
PromptForCredential, you can specify the caption, messages, and user name that appear in the message box.
-------------------------- EXAMPLE 6 --------------------------
PS C:\>Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds" -Name ConsolePrompting -Value $true
This example shows how to modify the registry so that the user is prompted at the command line, instead of by
using a dialog box.
The command creates the ConsolePrompting registry entry and sets its value to True. To run this command, start
Windows PowerShell with the "Run as administrator" option.
To use a dialog box for prompting, set the value of the ConsolePrompting to false ($false) or use the
Remove-ItemProperty cmdlet to delete it.
The ConsolePrompting registry entry works in some host programs, such as the Windows PowerShell console. It might
not work in all host programs.
-------------------------- EXAMPLE 7 --------------------------
The first command saves the user account name in the $User parameter. The value must have the "Domain\User" or
"ComputerName\User" format.
PS C:\>$User = "Domain01\User01"
The second command uses the ConvertTo-SecureString cmdlet to create a secure string from a plain text password.
The command uses the AsPlainText parameter to indicate that the string is plain text and the Force parameter to
confirm that you understand the risks of using plain text.
PS C:\>$PWord = ConvertTo-SecureString –String "P@sSwOrd" –AsPlainText -Force
The third command uses the New-Object cmdlet to create a PSCredential object from the values in the $User and
$PWord variables.
PS C:\>$Credential = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList $User, $PWord
This example shows how to create a credential object that is identical to the object that Get-Credential returns
without prompting the user. This method requires a plain text password, which might violate the security standards
in some enterprises.
-------------------------- EXAMPLE 8 --------------------------
PS C:\>Get-Credential -Message "Credential are required for access to the \\Server1\Scripts file share." -User
Server01\PowerUsers
Windows PowerShell Credential Request
Credential are required for access to the \\Server1\Scripts file share.
Password for user ntdev\juneb:
This command uses the Message and UserName parameters of the Get-Credential cmdlet. This command format is
designed for shared scripts and functions. In this case, the message tells the user why credentials are needed and
gives them confidence that the request is legitimate.
-------------------------- EXAMPLE 9 --------------------------
PS C:\>Invoke-Command -ComputerName Server01 {Get-Credential Domain01\User02}
Windows PowerShell Credential Request : Windows PowerShell Credential Request
Warning: This credential is being requested by a script or application on the SERVER01 remote computer. Enter your
credentials only if you
trust the remote computer and the application or script requesting it.
Enter your credentials.
Password for user Domain01\User02: ***************
PSComputerName : Server01
RunspaceId : 422bdf52-9886-4ada-ab2f-130497c6777f
PSShowComputerName : True
UserName : Domain01\User01
Password : System.Security.SecureString
This command gets a credential from the Server01 remote computer. The command uses the Invoke-Command cmdlet to
run a Get-Credential command on the remote computer. The output shows the remote security message that
Get-Credential includes in the authentication prompt.
RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/p/?linkid=293936
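
For the question above about querying hundreds of PCs without retyping the password, and the plain-text-password caveat in Example 7 of the help text, an added example (not code from the original posts or from the help topic): prompt once, keep the credential in a file that Export-Clixml protects with DPAPI on Windows, and reuse the same PSCredential in the loop. The helper name, file path and computer names are assumptions; Get-WmiObject requires Windows PowerShell.

```powershell
# Added example (not from the original posts). Get-StoredCredential is a
# hypothetical helper; the file path and computer names are constructed samples.
function Get-StoredCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (Test-Path -LiteralPath $Path) {
        # The password inside the file is DPAPI-encrypted: only the same user
        # on the same computer can turn it back into a usable SecureString.
        return Import-Clixml -Path $Path
    }

    # First run: prompt once, then persist the credential for later runs.
    $cred = Get-Credential -Message 'Account used to query services on remote PCs'
    $cred | Export-Clixml -Path $Path
    return $cred
}

$credFile  = Join-Path $env:LOCALAPPDATA 'wmi-query.cred.xml'   # constructed path
$cred      = Get-StoredCredential -Path $credFile
$computers = 'PC001', 'PC002', 'PC003'                          # constructed names

$results = foreach ($computer in $computers) {
    try {
        # Same PSCredential object for every host: no per-host prompt and
        # no password literal anywhere in the script.
        Get-WmiObject -Class Win32_Service -ComputerName $computer `
                      -Credential $cred -ErrorAction Stop |
            Select-Object @{ n = 'Computer'; e = { $computer } }, Name, State, StartName
    }
    catch {
        # Record the failure and continue with the next host.
        [pscustomobject]@{
            Computer  = $computer
            Name      = $null
            State     = "ERROR: $($_.Exception.Message)"
            StartName = $null
        }
    }
}

$results | Format-Table -AutoSize
```

Because the file can only be decrypted by the account that created it on that machine, a scheduled task has to create the file while running as its own service account.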