packaging script to run as another user

This topic is 11 years and 3 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.

Post by klishb-morrisville »

"If in doubt you need to launch another process that requests elevation".

Maybe the key is in this statement, but I'm not sure what other process I would launch in this case.

Post by Alexander Riedel »

I understand that you are frustrated, but this is still not really a PowerShell Studio problem. Our packager allows you to elevate, impersonate and execute a process entirely as a different user. On a completely nailed shut system you just can't get from an unprivileged user to an elevated admin process in one step.

You need to learn about permissions and how UAC works to use these items correctly. Microsoft has some great articles in their MSDN magazine.

While I don't know how your systems are configured, you could potentially execute a start tool as an admin user and from there execute the UI tool with a manifest that requires elevation. As developers we use this two process approach all the time to deal with UAC, but I cannot promise you that it will work on your specific system. Potentially you can also create a specific user with ONLY the right to restart services and use that within your tool. Once again, not knowing what you are running and how, I cannot promise this would work.

Once again, I am sorry you are frustrated, but there is no silver bullet for dealing with security permissions and UAC. There is no other way than actually learning how Microsoft implemented this split security token system. Only then will you be able to use it correctly.
Alexander Riedel
SAPIEN Technologies, Inc.
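
The two-process approach described in the post above, sketched as an added example that is not part of the original thread and is not SAPIEN's packager code. It assumes the script sits at a path the admin account can read, prompts for the credential instead of embedding one, and uses `Spooler` as a sample service name.

```powershell
# Added example: one script, three stages. Stage names and service name are assumptions.
param(
    [ValidateSet('Launch', 'Elevate', 'Work')]
    [string]$Stage = 'Launch'
)

$serviceName = 'Spooler'   # sample service, replace with the one your tool manages

function Test-Elevated {
    # True only when the current token is the full (elevated) administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Arguments used to re-invoke this same script with the next stage appended.
$common = @('-NoProfile', '-File', "`"$PSCommandPath`"", '-Stage')

switch ($Stage) {
    'Launch' {
        # Process 1, standard user: start process 2 under the admin account.
        # Start-Process puts -Credential and -Verb in different parameter sets,
        # so switching user and requesting elevation cannot happen in one call.
        $cred = Get-Credential -Message 'Account allowed to restart services'
        # The caller's profile directory is usually unreadable for the other
        # account, so pick a working directory both accounts can access.
        Start-Process powershell.exe -Credential $cred `
            -WorkingDirectory $env:SystemRoot -ArgumentList ($common + 'Elevate')
    }
    'Elevate' {
        # Process 2, admin account with the filtered token: ask UAC for the
        # full token. This is where the consent prompt appears.
        Start-Process powershell.exe -Verb RunAs -ArgumentList ($common + 'Work')
    }
    'Work' {
        # Process 3: refuse to continue if elevation did not actually happen.
        if (-not (Test-Elevated)) { throw 'Still running with a filtered token.' }
        Restart-Service -Name $serviceName
    }
}
```

If the `Launch` stage fails with a logon error while the same account works interactively, the cause is account or domain policy rather than UAC.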

Post by klishb-morrisville »

"This feature allows limited users to execute a script that requires admin rights without having to give the user admin privileges." -davidc

That's exactly what I'm trying to do so it sounds like the feature does what I want. Maybe it's just a UAC thing. Tomorrow I'll see if I can test on a VM with UAC off just so I know if that works. If it does then I'm unsure why the feature lets you optionally elevate if it only works when UAC is off. There wouldn't be much reason to elevate if UAC is off.

Post by klishb-morrisville »

This is really looking like an authentication problem. I believe the type of authentication being attempted is not currently permitted by the domain controller. Not entirely sure what setting is prohibiting this.

Post by klishb-morrisville »

Alex,

Sorry if it sounds like I'm blaming PowerShell Studio. My intent was to find out if I'm doing it correctly and if so maybe some troubleshooting tips. Sometimes you make a post and someone responds saying "hey make sure xyz is correct or it won't work." The only reply was from Davidc basically saying it can be done.

I mentioned in my second post that I suspected a group policy setting. I was hoping someone might have some tips on what setting(s) could get in the way.

Last night I may have narrowed it down to group policy. Now I know what I'm doing will work... it just needs to be in the right environment. I spun up a couple VMs in a Hyper-V private network. One new domain controller and one client joined to its domain.

With default group policy settings it worked flawlessly. In fact, it worked better than I expected. Even with UAC turned on I was able to run the form as a standard user. The buttons would restart services on the local machine when clicked. I really expected I would have to turn off UAC or provide an elevate manifest.

Now that I know what I'm doing will work I have to direct my troubleshooting efforts to group policy settings. Or so it seems...

Thank you again for your responses.