packaging script to run as another user

Post by klishb-morrisville »

FYI this is my first PowerShell Studio experience. Trying to create a form that can be run as standard user. It will have 3 buttons that can restart some services (requires admin rights). It works fine if I package it with an elevate manifest, execute as logged on user, and run it when I'm logged in (I'm an admin).

Since the user needing the tool is not admin I can't use an elevate manifest. Can this be done by providing alternate credentials?

So far I'm striking out. I can see how alternate credentials might work for remote commands, but locally UAC may be getting in the way? Do I need to set up a remote session to the local machine within the script to accomplish this?

Post by davidc »

The Packager does support alternate credentials. This feature allows limited users to execute a script that requires admin rights without having to give the user admin privileges.
To set alternate credentials, go to the Security Tab in the Packager Settings.

For more info please refer to this blog article:

http://www.sapien.com/blog/2011/07/08/n ... -packages/

David
SAPIEN Technologies, Inc.

Post by klishb-morrisville »

That's exactly the feature I'm talking about that I'm having trouble with. I just read through Alex's post. Only thing I can think of is maybe a group policy setting is in the way. Alex isn't specific about what group policy settings need to be set for this feature to work. I see one for "Impersonate a client after authentication", but it's using default settings.

The error I keep getting is "Logon Failure: unknown username or bad password". I'm quite certain the password is correct and I'm using the format specified (adminuser@domain.edu).

Post by klishb-morrisville »

I just created a local admin account so I could avoid a domain account and use the exact format that Alex used in his post. I rebuilt the package to execute as that user, but now I get "the directory name is invalid" upon trying to launch the app.

Post by klishb-morrisville »

Ok I think I'm getting somewhere. I went in to the "local security policy" and set all the UAC settings to their defaults. I noticed one of them was "User Account Control: Only elevate UIAccess applications that are installed in secure locations" - which is enabled by default.

I created a temp folder in "c:\program files (x86)" and put my built .exe in that temp folder. After I did that I was able to successfully open the form. Progress!

If I try to run it from the user's desktop it says "the directory name is invalid". Clearly location matters - probably because it's a WinForm and it uses "User Interface Accessibility (UIAccess) integrity level"?

Next step: do the buttons work? No. Even though the form opens the buttons don't restart the services. My guess is UAC is getting in the way. PowerShell is probably generating an error (probably access denied) when I click the buttons, but I'm not sure how to show that output in my form yet. I assume it's access denied because, as I stated previously, I can package with an elevation manifest, "execute as logged on user", it works fine if I'm logged in as an admin. So I know the form works - I just need to provide the right environment for it to be run.

I then tried to go back to a domain account and again I get "Logon Failure: unknown username or bad password".

Summary:
Ok so location matters, it doesn't like authenticating domain accounts, and even when I get the form to open the buttons can't perform the administrative function they are intended to do.
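
An added example, not part of the original thread and not SAPIEN's code: a minimal WinForms button handler that reports the account, the elevation state and the exact error when a service restart fails, which is the output the post above says it cannot yet see. The function names and the `Spooler` service name are assumptions for illustration.

```powershell
# Added example. Test-IsElevated, Restart-ServiceWithReport and 'Spooler' are
# illustrative names, not taken from the thread or from PowerShell Studio.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

function Test-IsElevated {
    # True only when the Administrators group is enabled in the current token.
    # An admin account running with a UAC-filtered token returns False here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Restart-ServiceWithReport {
    param([Parameter(Mandatory = $true)][string]$Name)

    $who      = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $elevated = Test-IsElevated
    try {
        # -ErrorAction Stop makes a failed restart catchable instead of
        # leaving the error in a console the form never shows.
        Restart-Service -Name $Name -ErrorAction Stop
        "OK: '$Name' restarted. Account: $who. Elevated: $elevated."
    }
    catch {
        "FAILED: '$Name'. Account: $who. Elevated: $elevated. Error: $($_.Exception.Message)"
    }
}

# Minimal form with one button so the script runs on its own.
$form = New-Object System.Windows.Forms.Form
$form.Text = 'Service restart'
$form.ClientSize = New-Object System.Drawing.Size(320, 80)

$button = New-Object System.Windows.Forms.Button
$button.Text = 'Restart Spooler'
$button.Dock = 'Fill'
$button.Add_Click({
    # Show the outcome to the user instead of discarding it.
    $report = Restart-ServiceWithReport -Name 'Spooler'
    [void][System.Windows.Forms.MessageBox]::Show($report, 'Result')
})

$form.Controls.Add($button)
[void]$form.ShowDialog()
```

A report that names the intended admin account together with `Elevated: False` shows that the process runs under that account but without an elevated token.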

Post by klishb-morrisville »

Is this something you can have Alex look at? I feel like what I'm trying to do is about as basic as it gets for this functionality...nothing special. There's not much room for error so I'm not sure where I'm going wrong. Maybe this isn't designed to work on local admin tasks when UAC is enabled?

Post by klishb-morrisville »

So far my first experience with the product and the support provided is disappointing to say the least...

Post by Alexander Riedel »

I am sorry to hear you are disappointed.

We cannot support or help with circumventing UAC, even if it were possible. I am sure you also understand that we cannot analyze each individual user's local security settings. We don't know how much your systems are locked down and by what means.

I submit that maybe the general PowerShell section would be a more appropriate place for your questions, since they deal more with general security policy issues rather than product specific questions.

In general you cannot elevate in process or disable UAC for specific processes.
If in doubt you need to launch another process that requests elevation. That's the way it was designed by Microsoft.
Alexander Riedel
SAPIEN Technologies, Inc.

Post by klishb-morrisville »

Thank you for your response Alex. My disappointment stems from me convincing my boss this was the product I needed because it had this feature. Now after making the purchase I haven't been able to get the feature to work after a decent amount of time spent.

I'm not looking for help circumventing UAC per se, but just looking for help identifying the problem. If you believe UAC is getting in the way based on the information I've provided then I either need to turn off UAC (I feel like that's probably the wrong approach) or I need to understand how your tool works well enough to use it correctly.

If it's not intended to be used the way I'm using it then I don't quite grasp how it's intended to be used. If I am using it correctly then maybe it is just a local security setting as you say. I haven't been able to find a whole lot of information about using it aside from the blog post davidc mentioned above.

Maybe I should post in the general PowerShell section, but I felt the use of this feature was fairly specific to the product.

Post by klishb-morrisville »

To summarize my problem - I'm trying to do the right thing and protect a particular system that's important to us. The goal is to provide a tool to a standard user that runs under an account with admin access. The only buttons on the form are to restart services when they push the appropriate button. Is that something that can be done with your tool or am I attempting the impossible? Thank you in advance.