mkellerman / Invoke-CommandAs

Invoke Command As System/Interactive/GMSA/User on Local/Remote machine & returns PSObjects.
https://www.powershellgallery.com/packages/Invoke-CommandAs/
MIT License

Calling via NT Authority\SYSTEM - requires elevation? #65

Closed delishus closed 1 week ago

delishus commented 1 year ago

Invoke-ScheduledTask : An access denied error occurred when registering scheduled job definition ffbf27f4-e979-425a-a56e-71d3837cabfc. Try running Windows PowerShell with elevated user rights; that is, Run As Administrator. At C:\Program Files\WindowsPowerShell\Modules\Invoke-CommandAs\3.1.9\public\Invoke-CommandAs.ps1:399 char:17


Context: the above error is generated when calling the command via SYSTEM, specifically from an EC2 instance userdata script.

Windows Server 2022 host, and $Credentials is a member of the local administrators group. Here is an example of the command I used:

```powershell
if (-not (Test-Path "C:\Program Files\Program")) {
    Invoke-CommandAs -ScriptBlock {
        Start-Process "c:\binaries\setup.exe" '/HIDDEN /NOUSERINPUT /SCRIPT C:\binaries\Install.ini'
    } -AsUser $Credentials
}
```

Any ideas?

Runs fine when called manually from an administrative PowerShell session... I did not think SYSTEM would require elevation?

mkellerman commented 1 year ago

You need to pass the -Credential parameter to auth to the VM. -AsUser will use that user to create and run the scheduled job.

One cred to auth to the VM, another to run the scriptblock as (if different).

delishus commented 1 year ago

> You need to pass the -Credential parameter to auth to the VM. -AsUser will use that user to create and run the scheduled job.
>
> One cred to auth to the VM, another to run the scriptblock as (if different).

Thanks very much for the reply. I think I get what you mean; however, how would this look script-wise? Kind regards

mkellerman commented 1 year ago

```powershell
Invoke-CommandAs -Credential $adminUser -AsSystem -ScriptBlock { ... }
```

Look at the examples in the README.md

afriberg commented 9 months ago

I get the same result, but when running in the SYSTEM context and trying to run the scriptblock AsUser.

Testing with this:

```powershell
$Credential  = Get-Credential domain\user
$ScriptBlock = { [System.Security.Principal.WindowsIdentity]::GetCurrent() }
# -AsUser takes the PSCredential as its value (no leading dash before the variable)
Invoke-CommandAs -ScriptBlock $ScriptBlock -AsUser $Credential
```

and the user is not a local admin but has rights to create tasks; I have tried it manually.
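The following is an added example, not code from the Invoke-CommandAs project or from anyone in this thread. It puts mkellerman's answer (one credential to reach the machine, another for the scheduled job to run as) and afriberg's -AsUser test side by side, and checks for an elevated token first, since the "access denied ... Run As Administrator" error above is raised while the scheduled job definition is being registered. The -ComputerName parameter is taken from the module's README; the host name, credential prompts and the `Test-IsElevated` helper are assumptions made for this example.

```powershell
# Added example, not part of the Invoke-CommandAs project.
# Assumes the module is installed and the caller already has two PSCredential
# objects: one that can reach the target machine and register tasks there,
# one whose identity the script block should run under. Host name is a placeholder.

function Test-IsElevated {
    # Registering a scheduled job definition needs an elevated token; this is the
    # check to run before calling Invoke-CommandAs -AsSystem / -AsUser locally.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

$adminUser = Get-Credential -Message 'Account that authenticates to the machine and can register tasks'
$taskUser  = Get-Credential -Message 'Account the script block should run as'

# Returns the identity the block actually ran under, so each call can be verified.
$whoAmI = { [System.Security.Principal.WindowsIdentity]::GetCurrent().Name }

if (-not (Test-IsElevated)) {
    throw 'Open an elevated PowerShell session first; registering the scheduled job requires it.'
}

# Local machine: run the block as SYSTEM (-AsSystem is a switch).
Invoke-CommandAs -ScriptBlock $whoAmI -AsSystem

# Local machine: run the block as another user (-AsUser takes the PSCredential as its value).
Invoke-CommandAs -ScriptBlock $whoAmI -AsUser $taskUser

# Remote machine: -Credential authenticates the remoting session to the target,
# -AsSystem / -AsUser decides which identity the scheduled job runs as on that target.
Invoke-CommandAs -ComputerName 'SERVER01.example.local' -Credential $adminUser -AsSystem -ScriptBlock $whoAmI
Invoke-CommandAs -ComputerName 'SERVER01.example.local' -Credential $adminUser -AsUser $taskUser -ScriptBlock $whoAmI
```

Each call returns the name of the account the block executed as (for example `NT AUTHORITY\SYSTEM` for the -AsSystem calls), which is the quickest way to confirm that the credential used for authentication and the identity used for execution were applied as intended.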