"If in doubt you need to launch another process that requests elevation".
Maybe the key is in this statement, but I'm not sure what other process I would launch in this case.
packaging script to run as another user
Forum rules
DO NOT POST LICENSE NUMBERS, ACTIVATION KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM.
Only the original author and our tech personnel can reply to a topic that is created in this forum. If you find a topic that relates to an issue you are having, please create a new topic and reference the other in your post.
Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
- klishb-morrisville
- Posts: 17
- Last visit: Thu Jan 11, 2024 12:08 pm
- Alexander Riedel
- Posts: 8479
- Last visit: Thu Mar 28, 2024 9:29 am
- Been upvoted: 37 times
packaging script to run as another user
I understand that you are frustrated, but this is still not really a PowerShell Studio problem. Our packager allows you to elevate, impersonate and execute a process entirely as a different user. On a completely nailed shut system you just can't get from an unprivileged user to an elevated admin process in one step.
You need to learn about permissions and how UAC works to use these items correctly. Microsoft has some great articles in their MSDN magazine.
While I don't know how your systems are configured, you could potentially execute a start tool as an admin user and from there execute the UI tool with a manifest that requires elevation. As developers we use this two process approach all the time to deal with UAC, but I cannot promise you that it will work on your specific system. Potentially you can also create a specific user with ONLY the right to restart services and use that within your tool. Once again, not knowing what you are running and how, I cannot promise this would work.
Once again, I am sorry you are frustrated, but there is no silver bullet for dealing with security permissions and UAC. There is no other way than actually learning how Microsoft implemented this split security token system. Only then will you be able to use it correctly.
Alexander Riedel
SAPIEN Technologies, Inc.
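The last suggestion in the post above, an account with ONLY the right to restart services, can be set up per service by adding one ACE to that service's security descriptor. This is an added example, not code from the thread or from SAPIEN; the function names, `ExampleService`, the `CONTOSO\svc-restart` account and the sample descriptor and SID are all hypothetical or constructed.

```powershell
# Added example; function names, the service name and the account are hypothetical.
function Add-ServiceRestartAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,  # descriptor as printed by: sc.exe sdshow <service>
        [Parameter(Mandatory)][string]$Sid    # SID of the dedicated restart account
    )
    # CC=query config, LC=query status, SW=enumerate dependents, RP=start,
    # WP=stop, LO=interrogate, RC=read control. DC (change config), WD (write DAC)
    # and WO (write owner) are left out: any of them lets the account take over the service.
    $ace = "(A;;CCLCSWRPWPLORC;;;$Sid)"
    if (-not $Sddl.StartsWith('D:')) { throw "Expected a descriptor that starts with a DACL (D:)." }
    if ($Sddl.Contains($ace)) { return $Sddl }          # already granted
    # The ACE belongs in the DACL, so it goes in front of the SACL (S:) when one is present.
    $saclAt = $Sddl.IndexOf('S:', [StringComparison]::Ordinal)
    $new = if ($saclAt -lt 0) { $Sddl + $ace } else { $Sddl.Insert($saclAt, $ace) }
    # Throws on malformed SDDL, so a bad string never reaches sc.exe sdset.
    [void][System.Security.AccessControl.RawSecurityDescriptor]::new($new)
    return $new
}

function Grant-ServiceRestart {   # run from an elevated session
    param([string]$ServiceName, [string]$Account)
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $current = ((sc.exe sdshow $ServiceName) -join '').Trim()
    $updated = Add-ServiceRestartAce -Sddl $current -Sid $sid
    sc.exe sdset $ServiceName $updated
}

# Constructed sample descriptor and SID, so the edit can be inspected offline.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Add-ServiceRestartAce -Sddl $sample -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# On a real machine (hypothetical names):
# Grant-ServiceRestart -ServiceName 'ExampleService' -Account 'CONTOSO\svc-restart'
```

Keep a copy of the original `sc.exe sdshow` output before applying the change, since `sc.exe sdset` replaces the whole descriptor.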
- klishb-morrisville
- Posts: 17
- Last visit: Thu Jan 11, 2024 12:08 pm
packaging script to run as another user
"This feature allows limited users to execute a script that requires admin rights without having to give the user admin privileges." -davidc
That's exactly what I'm trying to do so it sounds like the feature does what I want. Maybe it's just a UAC thing. Tomorrow I'll see if I can test on VM with UAC off just so I know if that works. If it does then I'm unsure why the feature lets you optionally elevate if it only works when UAC is off. There wouldn't be much reason to elevate if UAC is off.
- klishb-morrisville
- Posts: 17
- Last visit: Thu Jan 11, 2024 12:08 pm
packaging script to run as another user
This is really looking like an authentication problem. I believe the type of authentication being attempted is not currently permitted by the domain controller. Not entirely sure what setting is prohibiting this.
- klishb-morrisville
- Posts: 17
- Last visit: Thu Jan 11, 2024 12:08 pm
packaging script to run as another user
Alex,
Sorry if it sounds like I'm blaming PowerShell Studio. My intent was to find out if I'm doing it correctly and if so maybe some troubleshooting tips. Sometimes you make a post and someone responds saying "hey make sure xyz is correct or it won't work." The only reply was from Davidc basically saying it can be done.
I mentioned in my second post that I suspected a group policy setting. I was hoping someone might have some tips on what setting(s) could get in the way.
Last night I may have narrowed it down to group policy. Now I know what I'm doing will work...it just needs to be in the right environment. I spun up a couple VMs in a Hyper-V private network. One new domain controller and one client joined to its domain.
With default group policy settings it worked flawlessly. In fact, it worked better than I expected. Even with UAC turned on I was able to run the form as a standard user. The buttons would restart services on the local machine when clicked. I really expected I would have to turn off UAC or provide an elevate manifest.
Now that I know what I'm doing will work I have to direct my troubleshooting efforts to group policy settings. Or so it seems...
Thank you again for your responses.