Launch script without existing network connections?


Post by rhymasaurusRex » Fri Nov 30, 2018 9:58 am

I have a script that needs to be run as the logged-in user. It gathers information about the user and saves the data to a shared location. The user can't have read or write access to the shared folder. When I create a New-PSDrive for the connection:

Code:

$secpassword = ConvertTo-SecureString 'xxxxx' -asplaintext -Force
$credential = New-Object System.Management.Automation.PSCredential("xxxxx", $secpassword)
New-PSDrive -Name Staging -PSProvider filesystem -Root "<path to shared folder>" -Credential $credential

I get an error:

Code:

New-PSDrive : Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again

I've tried mapping to the IP address and FQDN of the server (and the DFS name) as well as creating a new shared folder on the server. I've also tried using Invoke-Command and New-PSSession, but the domain account I'm using doesn't appear to have the necessary rights on the PC to allow it.

I tried including the user info in the build settings, but it won't work with smart card enforcement enabled on the PC (which we have).

Ultimately, I'd prefer to launch the GUI in a new space where existing network connections are not remembered.


Post by jvierra » Fri Nov 30, 2018 10:15 am

The user already has a connection to that server. You cannot create two connections with different credentials. This is a base Windows restriction and has nothing to do with PowerShell.


The way to do this is to give users read and write access to a single folder on a server so the user account can update the files. If the user creates the file they will be the owner. Properly setting the permissions will make the user the only one with access to the file and any admins you want to allow.

You also do not want a script to run under a user account that has a plain text password as it can be easily stolen by anyone with access to the script.
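
Added example (not part of the thread, and not code from either poster): one way to set the folder permissions described in the reply above, so that each user can create files under their own logon and only the file's creator and administrators can open them. The folder path and the group name are placeholders.

```powershell
# Run elevated on the file server. Both values below are placeholders.
$Path  = 'D:\Shares\Staging'        # hypothetical staging folder
$Users = 'CONTOSO\Domain Users'     # hypothetical group of users who run the script

$acl = Get-Acl -Path $Path

# Stop inheriting from the parent folder and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit entries left over, so the DACL is rebuilt from scratch.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$type = 'System.Security.AccessControl.FileSystemAccessRule'
$rules = @(
    # Administrators and SYSTEM: full control of the folder and everything in it.
    New-Object $type ('BUILTIN\Administrators', 'FullControl',
                      'ContainerInherit,ObjectInherit', 'None', 'Allow')
    New-Object $type ('NT AUTHORITY\SYSTEM', 'FullControl',
                      'ContainerInherit,ObjectInherit', 'None', 'Allow')

    # Users: list the folder and create files in it. The entry applies to this
    # folder only, so it grants nothing on files that other users created.
    New-Object $type ($Users, 'ReadAndExecute, CreateFiles',
                      'None', 'None', 'Allow')

    # CREATOR OWNER: inherited by new files only; whoever creates a file gets
    # Modify on that one file.
    New-Object $type ('CREATOR OWNER', 'Modify',
                      'ObjectInherit', 'InheritOnly', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

Set-Acl -Path $Path -AclObject $acl

# Review the result: expect exactly the four entries above, none inherited.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```

With permissions like these the script writes to the share as the logged-in user, so it needs no second set of credentials and no stored password.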


Post by rhymasaurusRex » Fri Nov 30, 2018 12:22 pm

I found a workaround:

The script will be deployed via SCCM, so this works for me. I configured the build settings to run as the account with the permissions on the share drive. I included another package in SCCM to disable smart card enforcement before this package runs. It's not ideal, but it's working.

Thanks for the reply. BTW, regarding the plain text password, I totally agree with you. Since I'm packaging the script and using Alternate Credentials in the build settings, I think that's as secure as it'll get. At least the password isn't in plain text in the source script. It's also far more secure than the current solution.
