Thursday, January 31, 2019

Runas in WFA command

One of my colleagues asked me this week how he could run a PowerShell action as another user.

He wanted to move files between CIFS shares but this specific action required specific windows credentials and they didn't want to give the WFA service those rights.

Here is what is possible and what not...

Remote PowerShell

1 option would be to run the code on another windows server as another user using remote PowerShell (New-PSSession), but that will make you bump into the double-hop problem, which can be solved but is rather complex.


Another option is to use start-process, which allows you to pass credentials.  The idea is to start another PowerShell session and impersonate another user.

However : the SYSTEM user cannot impersonate another user.
This means that the WFA service MUST run as a windows user.  You could limit the rights of the WFA service user, but if you leave the service running as LOCALSYSTEM, you will get an access denied.

The code (in this example we do a move-item, but this could another scriptblock of course)
is ready to go into a WFA command.  Note that we pass the name of the credentials we need to grab from the WFA credentials manager that will be used to execute the scriptblock as another user.


$cred = get-wfacredentials $Wfacreds

$movecommand = {
    move-item -path $from -destination $to
$arg1 = "\\\vol1\q1\*.*"
$arg2 = "\\\vol1\q2"
$encodedArg1 =[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($arg1))
$encodedArg2 =[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($arg2))
Start-Process powershell -Credential $cred -ArgumentList "-command & {$movecommand} $encodedarg1 $encodedarg2"

No comments :

Post a Comment