Let's say I am logged into a server using "user1".
I have a project where the powershell process runs under "user2".
So every time I execute a script it will be under "user2".
Is there a way to specify powershell to run a certain script under "user1" without prompting for credentials (like mentioned before I'm already logged in as that user)?
Thanks in advance!
No, there is not a way to do this.
The process is running under the context of user2, it cannot run anything in the context of user1 without giving it user1 credentials. As you may be able to imagine if there were a way to do that, it would be a pretty significant security vulnerability.
Bonus Information
If however, you are looking to do something like open a web page as user1 from a process running as user2, you can do so by passing the http/https protocol to the user session IIRC. However, this is only if the process running as user2 is running in the user1 session.
For example:
Logged in to a console session as User1
Powershell Process running under User2 context, within the User1 session
Within the Powershell process, run start-process http://www.google.com
Default http application opens the URL in the User1 session
Related
I have a long running powershell script. It kicks off at login via GPO, connects to Exchange with the user's current credentials then goes back to sleep. It does this every half hour or so and continues until the user logs out.
The issue occurs if the user changes their password during this time. The next time the script attempts to connect to Exchange it fails. I assume this is because the credentials stored within the powershell session are no longer valid.
Is there a way to refresh/update the scripts's credentials from the O/S?
The only other way I thought to work around this was to restart the script in a new powershell instance, hence grabbing a new set of credentials. This sounds problematic as I believe the context will be passed on to the new session if it's initiated from the running script. Triggering a scheduled task that calls the script may work though I haven't tried it and it seems overly convoluted.
Any thoughts? I don't want to use Get-Credential as that requires a prompt. I also don't want to store a password in a file.
[System.Security.Principal.WindowsIdentity] may provide a way? Not quite sure where to start.
Update:
I'm using EWS as per: https://devblogs.microsoft.com/scripting/learn-to-use-the-exchange-web-services-with-powershell/
You can use the credentials stored in the current powershell session as per:
$exchService.UseDefaultCredentials = $true
So I didn't work out how to update the stored credentials in a running powershell session... surely it's possible... anyway, here is what I did.
Script runs, connects to Exchange successfully, sleeps
User changes Windows password
Script wakes up, connection to Exchange fails
Trap error via try/catch, create Scheduled task to Run in 5 seconds from now with Schedule.Service COMObject
Quit script
Task fires and relaunches powershell script with the updated credentials. Connection to Exchange succeeds. Script sleeps
Task autodeletes itself via Settings.deleteExpiredTaskAfter = 'PT0S' - which is immediately. You also need to set the .EndBoundary on the trigger
Works fairly neatly but it's a bit of a hack. Love to see a more elegant solution from someone.
I want to create a powershell script. One of our supporting companies needs to connect to our server from time to time to make their work and I need to connect their RDP session to watch them if their doing is OK.
Server: MS Server 2012 R2 x64
The case is I want to create a script which;
1- Checks the server's current sessions
2- Finds the specific session ID come from the username (the which I will give them to connect) currently logged in as RDP
3- When I pull the correct session ID from the username (and that means he is currently online and connected), I want to shadow his/her session without prompting/requesting their approvals.
Yes, I can do these separately but looking a powershell script or something like that to these. In one attempt, I want to shadow rdp to correct session and if he/she is not online, I want the system return an information message to me that the username is not currently online.
Is it possible?
Thanks&Regards
Melih
If memory serves PoSh does not natively supports querying RDP sessions (unless using the RDS broker, but I could be wrong here) but you can easily do that via query session
I cannot test it right now but something like this should do the trick:
C:\>query session
SESSIONNAME USERNAME ID STATE TYPE DEVICE
console Administrator1 0 active wdcon
rdp-tcp#1 User1 1 active wdtshare
rdp-tcp 2 listen wdtshare
You can even call it with the username directly if that is known to you.
Shadowing the session would be easily accomplished with something like
mstsc /v:"$srv" /shadow:"$id" /control /noconsentprompt
I did not test this so maybe it needs some tweaking but a possible starting point could be
$userSessions = query session user01 /SERVER:server01 | Select-Object -skip 1 | ForEach-Object{$_.Split(' ',[System.StringSplitOptions]::RemoveEmptyEntries)}
$sessionId = $userSessions[2]
mstsc /v:"$srv" /shadow:"$sessionId" /control /noconsentprompt
Of course if running from the local server you can omit the /SERVER:XXX argument.
Hope this can help getting you started.
I am writing a login script in Powershell which install a amount of printers, depending on the user currently loggin into Windows 7. I would like this user to remove the printers it have installed as soon as their are not required anymore, so as soon as this user log out.
How can I plan a script which will be executed as soon as the current sessions ends?
Thank for your time.
Hello Folks,
I have a powershell MTA (GUI script using winForms), which works well, lets take the script name to be "ENDUserMTA.ps1" which does invoke certain commands and does something which really needs admin rights. this works fine when run manually or via task scheduler or when set via [registry] RunOnce or Run or whatever when there is admin rights..
The problem is i want to invoke this script on the END users laptop and make them to work with it [interactively]
Options that i have tried so far:
Tried Scheduling the "ENDUserMTA.ps1" in Task Manager SYSTEM account [using When running the task, use the following user account] - this starts and run NOT INTERACTIVE [since system account does not have interactive session]
Tried Scheduling the "ENDUserMTA.ps1" in Task Manager with Different user account which has admin rights [using When running the task, use the following user account] - This again starts but the GUI is not shown to the End User who has logged without admin rights, rather shown to only the user who was set under the option [When running the task, use the following user account]
My situation is not possible to create PSSessions or Delegated Remoting. I am now is middle of forest and no where to go!!!
Not sure how to invoke the script as admin to a user who has logged into a machine without admin rights..
WHat i exactly need or similar solution: When scheduling this script, i schedule the script to start atlogon[any user], after the script completes it will delete the scheduled task
Pls help..
Balaji
Begining on Vista Microsoft has started to separate UI stacks for security reasons.
My advise for your problem is to change the architecture of your code in order to create two scripts.
The first one with no UI will be scheduled with administrative rights
The second one with UI will be started with the user rights and will be a client of the first one.
You can use Inter-Process Communication between the two scripts, but you will met a security issue, you server part vill need particular ACLs to allow the client part to connect.
It exists other way to communicate between scripts, but it's not so easy with an asynchronous UI architecture on one side. It would be simple using managed code (.NET code) or native code(unmanaged code). For me, you are on the limit of the scripting place even if scripting capacities are very large as far as PowerShell is built on the top of .NET.
How can I prevent a user from killing powershell process which ends the action of the script. and how can I restart powershell by a piece of code to resume its action?
If the script is being run under the users account, you can't stop them from being able to kill the process.
To get around this, you could have the script run as another user (as a service, or invoking as another user) which will launch the Powershell session under their credentials, in which case only admins will be able to kill the process.
Speaking from experience here:
In our environment we run SCCM, we have several powershell scripts that open a verbose window to let the user know that something is running. This script is running as SYSTEM. The user can still close the window even if they're not a member of the administrators group.
To get around crucial scripts that can't be closed I would suggest running the script silently, so that way it runs without the user even knowing. Or, if you indeed need a GUI, use VB.NET / C# to create a form and use the form closing event to prevent the user from closing it until you're well and ready.