mkellerman / Invoke-CommandAs

Invoke Command As System/Interactive/GMSA/User on Local/Remote machine & returns PSObjects.
https://www.powershellgallery.com/packages/Invoke-CommandAs/
MIT License

AsUser Doesn't Impersonate user #37

Closed adstep closed 2 months ago

adstep commented 5 years ago

Running as system administrator, impersonating a user doesn't work. I expect whoami to return 'MyUser'.

PS C:\windows\system32> whoami
nt authority\system
PS C:\windows\system32> $user="MyUser"
PS C:\windows\system32> $pass="MyPass"
PS C:\windows\system32> $secpass = ConvertTo-SecureString $pass -AsPlainText -Force
PS C:\windows\system32> $cred = New-Object System.Management.Automation.PSCredential $user,$secpass
PS C:\windows\system32> Invoke-CommandAs -ScriptBlock { whoami } -AsUser $cred
nt authority\system

mkellerman commented 5 years ago

Working on a fix, seems a parameter was not renamed correctly.

mkellerman commented 5 years ago

Should be fixed in #38. Merging now, and publishing new release. Can you please confirm that this fixed the issue for you?

mkellerman commented 5 years ago

3.1.6 is now in PSGallery

adstep commented 5 years ago

Seeing an error now:

PS C:\windows\system32> Invoke-CommandAs -ScriptBlock { whoami } -AsUser $cred
Invoke-ScheduledTask : An error occurred while registering scheduled job definition
e60d4e36-5ace-49e7-a6b0-144db629961d to the Windows Task Scheduler.  The Task Scheduler error is: (32,4):UserId:.
At C:\Program Files\WindowsPowerShell\Modules\Invoke-CommandAs\3.1.6\public\Invoke-CommandAs.ps1:399 char:17
+                 Invoke-ScheduledTask @Parameters
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-ScheduledTask

mkellerman commented 5 years ago

Does the user have access to running scheduled tasks? Create one manually in Task Scheduler, and confirm please.

adstep commented 5 years ago

Yes, the user has permissions on the box. They are an Administrator. I was able to create a task.

mkellerman commented 5 years ago

Thanks for testing. Will investigate more tonight and get back to you.

adstep commented 5 years ago

It looks like this Stack Overflow post is talking about a similar issue to what I'm seeing. Doesn't look like they reach a resolution :(

adstep commented 4 years ago

Hey Marc, I recently came back to the issue and was able to figure out what was going wrong with my use case. Apparently you can't create a scheduled job if you are running as system. Our workaround has been to create a temporary user to register the job and then clean it up afterwards. I've created a PR to apply the workaround (#46).

mkellerman commented 2 months ago

PR has been closed
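
The first report in this thread shows `-AsUser` silently running the script block as `nt authority\system` instead of the requested account. The following is an added example, not code from the Invoke-CommandAs project or from either commenter: it probes the effective identity first and refuses to run the real script block on a mismatch. `Resolve-AccountSid` and `Invoke-CommandAsVerified` are hypothetical helper names; the only module parameters assumed are `-ScriptBlock` and `-AsUser`, as used in the thread.

```powershell
# Added example (assumption: Invoke-CommandAs is installed and accepts
# -ScriptBlock and -AsUser exactly as shown in the thread above).

function Resolve-AccountSid {
    # Hypothetical helper: turn an account name into its SID so that
    # 'MyUser', '.\MyUser', 'DOMAIN\MyUser' and UPN forms compare reliably.
    param([Parameter(Mandatory)][string]$UserName)
    if ($UserName -like '.\*') {
        # NTAccount does not understand the '.\' local prefix.
        $UserName = "$env:COMPUTERNAME\$($UserName.Substring(2))"
    }
    $account = [System.Security.Principal.NTAccount]::new($UserName)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Invoke-CommandAsVerified {
    # Hypothetical wrapper: fail closed if the job does not run as $Credential.
    param(
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $expectedSid = Resolve-AccountSid -UserName $Credential.UserName

    # Probe run: report the SID of the token the script block executes under.
    $actualSid = [string](Invoke-CommandAs -AsUser $Credential -ScriptBlock {
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    } | Select-Object -First 1)

    if ($actualSid -ne $expectedSid) {
        # S-1-5-18 here means the probe ran as LocalSystem, as in the report.
        throw "Identity mismatch: expected $expectedSid, job ran as '$actualSid'. Script block not executed."
    }

    Invoke-CommandAs -AsUser $Credential -ScriptBlock $ScriptBlock
}

# Usage: prompt for the credential instead of embedding a password in the script.
$cred = Get-Credential -Message 'Account the script block must run as'
Invoke-CommandAsVerified -Credential $cred -ScriptBlock { whoami }
```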