running part of a script with different credentials.
Posted: Wed Jun 26, 2019 3:25 am
To help you better we need some information from you.
*** Please fill in the fields below. If you leave fields empty or specify 'latest' rather than the actual version your answer will be delayed as we will be forced to ask you for this information. ***
Product, version and build: PowerShell Studio 2019 Version 5.6.164
32 or 64 bit version of product:64
Operating system:Windows 10
32 or 64 bit OS:64
So here's my problem.
I have a form that runs as a service account. This is required due to some issues on our network shares. There are parts of the script I need to run with different credentials, basically to access and change properties and permissions of a security group. For the most part, I can use the -Credential switch on the AD cmdlets, but to change the security permissions on a security group in AD I am using Set-Acl (if anyone has a better way to grant and remove the "Write-Members" permission, please advise). Set-Acl does not have a -Credential switch. I have tried Invoke-Command.
$aclpath - String - "AD:\CN=ETIAll,OU=Security Groups,OU=National Groups,OU=National Objects,OU=Accounts,DC=ENT,DC=dfo-mpo,DC=ca"
$groupacl - System.DirectoryServices.ActiveDirectorySecurity
So the first try I did this:
Invoke-Command -Credential $admincred -ComputerName localhost -ArgumentList $groupinfo, $GroupACL -ScriptBlock {
Set-Acl -path AD:$args[0] -AclObject $args[1]}
Failed:
[localhost] Connecting to remote server localhost failed with the following error message : Access is
denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (localhost:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
Then I tried this:
Start-Job -Name "Set Permissions" -Credential $admincred -ArgumentList $aclpath, $GroupACL -ScriptBlock { Set-Acl -path $args[0] -AclObject $args[1] }
That failed.
AclObject
+ CategoryInfo : InvalidArgument: (System.Director...rectorySecurity:PSObject) [Set-Acl],
ArgumentException
+ FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand
+ PSComputerName : localhost
I tried a couple of other things (wrapping the whole function in a start-job, etc) nothing seems to work. Any ideas out there?
Here is the function I built.
Function Change-SecACL
{
    <#
    .SYNOPSIS
    This function will add a secondary person to Write Members.
    .DESCRIPTION
    Using Get-Acl and Set-Acl this script will add a secondary user
    to have the ability to modify the membership of a security
    group.
    .PARAMETER User
    Username
    .PARAMETER Group
    Group Name
    .PARAMETER AR
    Remove or Add user
    .EXAMPLE
    Change-SecACL -User <samAccountName> -Group ETIAll -AR ADD
    #>
    param (
        [Parameter(Mandatory = $true)]
        [System.String]$User,
        [Parameter(Mandatory = $true)]
        [System.String]$Group,
        [ValidateSet("ADD", "REMOVE")]
        [System.String]$AR
    )
    # $admincred is a PSCredential expected to already exist in the caller's scope.
    $userinfo = Get-ADUser $User -Credential $admincred
    $groupinfo = Get-ADGroup $Group
    # Debug output
    Write-Host $User
    Write-Host $userinfo
    Write-Host $groupinfo
    # Resolve the user's SID; the ACE identity must be an IdentityReference (SID or NTAccount)
    $Sid = New-Object System.Security.Principal.NTAccount($userinfo.SamAccountName)
    $Sid = $Sid.Translate([System.Security.Principal.SecurityIdentifier])
    $identity = $Sid
    $aclpath = "AD:\$($groupinfo.DistinguishedName)"
    $GroupACL = Get-Acl -Path $aclpath
    # Allow WriteProperty on the 'member' attribute (schemaIDGUID bf9679c0-...), i.e. "Write Members"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        "bf9679c0-0de6-11d0-a285-00aa003049e2",
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    switch ($AR)
    {
        "ADD" { $GroupACL.AddAccessRule($ACE); break }
        "REMOVE" { $GroupACL.RemoveAccessRule($ACE); break }
    }
    # Write the modified ACL back under $admincred
    switch ($AR)
    {
        "ADD" {
            Start-Job -Name "Add Permissions" -Credential $admincred -ArgumentList $aclpath, $GroupACL -ScriptBlock { Set-Acl -Path $args[0] -AclObject $args[1] }
            Wait-Job -Name "Add Permissions"
            Receive-Job -Name "Add Permissions"
        }
        "REMOVE" {
            Start-Job -Name "Remove Permissions" -Credential $admincred -ArgumentList $aclpath, $GroupACL -ScriptBlock { Set-Acl -Path $args[0] -AclObject $args[1] }
            Wait-Job -Name "Remove Permissions"
            Receive-Job -Name "Remove Permissions"
        }
    }
}
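Added example, not code from the original post. The Start-Job attempt above fails because everything passed through -ArgumentList is serialised into the job process: the ActiveDirectorySecurity object arrives as a Deserialized PSObject, which is why Set-Acl reports `(System.Director...rectorySecurity:PSObject)` as an invalid -AclObject. The job is also a fresh process, so the AD: drive only exists there if the ActiveDirectory module is imported inside the script block. The pattern below keeps Get-Acl, the ACE construction and Set-Acl all inside the credentialed job and passes only strings (SID, DN, action) across the boundary, then reads the ACL back so the caller can verify the result. It assumes the ActiveDirectory module is installed, that $Credential (the post's $admincred) can start a local background job and reach a domain controller over LDAP, and it uses inheritance None because a group object has no children; the group name ETIAll is from the post, the user jdoe in the usage comment is made up.

```powershell
# Added example, not code from the original post. Assumes: the ActiveDirectory
# module is installed locally, $Credential is the privileged account, and that
# account can create a local background job and reach a domain controller.
function Set-GroupWriteMembers {
    param (
        [Parameter(Mandatory = $true)] [string]$User,
        [Parameter(Mandatory = $true)] [string]$Group,
        [Parameter(Mandatory = $true)] [ValidateSet('ADD', 'REMOVE')] [string]$Action,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential]$Credential
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Resolve both principals up front and reduce them to plain strings. Only
    # strings cross the job boundary, so nothing arrives as a deserialised
    # PSObject that Set-Acl would reject.
    $sid = (Get-ADUser -Identity $User -Credential $Credential).SID.Value
    $dn  = (Get-ADGroup -Identity $Group -Credential $Credential).DistinguishedName

    $job = Start-Job -Name "WriteMembers-$Action" -Credential $Credential `
        -ArgumentList $sid, $dn, $Action -ScriptBlock {
        param ([string]$Sid, [string]$Dn, [string]$Action)

        # The job is a fresh process running as $Credential: load the module so
        # the AD: drive exists, then the provider binds with that token.
        Import-Module ActiveDirectory -ErrorAction Stop

        $identity = [System.Security.Principal.SecurityIdentifier]$Sid
        # schemaIDGUID of the 'member' attribute. WriteProperty scoped to this
        # GUID is what the ACL editor shows as "Write Members".
        $memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
        # Groups have no child objects, so None is the appropriate inheritance.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $memberGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

        $path = "AD:\$Dn"
        $acl = Get-Acl -Path $path
        switch ($Action) {
            'ADD'    { $acl.AddAccessRule($ace) }
            'REMOVE' { [void]$acl.RemoveAccessRule($ace) }
        }
        Set-Acl -Path $path -AclObject $acl

        # Read the ACL back and return the explicit rules for this SID so the
        # caller can verify the change instead of trusting a silent Set-Acl.
        (Get-Acl -Path $path).GetAccessRules($true, $false,
            [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $Sid } |
            Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
    }

    # Surface job errors (e.g. access denied on the Set-Acl) as terminating errors.
    Receive-Job -Job $job -Wait -AutoRemoveJob -ErrorAction Stop
}

# Usage (ETIAll is the group from the post; jdoe and $admincred are assumed):
# Set-GroupWriteMembers -User jdoe -Group ETIAll -Action ADD -Credential $admincred
```

After an ADD the returned rule list should contain one Allow entry with ActiveDirectoryRights WriteProperty and ObjectType bf9679c0-0de6-11d0-a285-00aa003049e2; after a REMOVE it should be empty. Two related caveats: the earlier Invoke-Command -ComputerName localhost "Access is denied" means the credential was not allowed to open a WinRM session on that machine (remoting must be enabled and the account must be in Administrators or Remote Management Users there), so running the same script block with Invoke-Command against a domain controller the account is allowed to remote into is another valid route; and the ActiveDirectory provider accepts New-PSDrive -Credential, which, if it works in your environment, lets you mount a second AD: drive as the privileged account and use Get-Acl/Set-Acl on it without a job at all.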