Invoke-CommandAs

Calling via NT Authority\SYSTEM - requires elevation?

Open delishus opened this issue 1 year ago • 4 comments

```
Invoke-ScheduledTask : An access denied error occurred when registering scheduled job definition ffbf27f4-e979-425a-a56e-71d3837cabfc. Try running Windows PowerShell with elevated user rights; that is, Run As Administrator.
At C:\Program Files\WindowsPowerShell\Modules\Invoke-CommandAs\3.1.9\public\Invoke-CommandAs.ps1:399 char:17
+             Invoke-ScheduledTask @Parameters
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-ScheduledTask
```

Context: The above error is generated when calling the command via SYSTEM, specifically using an EC2 instance userdata script.

Windows Server 2022 host, and the $Credentials are part of the local Administrators group. Here is an example of the command I used:

```powershell
if (-not (Test-Path "C:\Program Files\Program")) {
    Invoke-CommandAs -ScriptBlock {
        Start-Process "c:\binaries\setup.exe" '/HIDDEN /NOUSERINPUT /SCRIPT C:\binaries\Install.ini'
    } -AsUser $Credentials
}
```

Any ideas?

Runs fine when called manually via an administrative PowerShell session... I did not think SYSTEM would require elevation?

Aug 23 '23 16:08 delishus

You need to pass the -Credential parameter to auth to the vm. -AsUser will use that user to create and run the scheduled job.

One cred to auth to the VM, another to run the scriptblock as (if different).

Sep 02 '23 16:09 mkellerman

> You need to pass the -Credential parameter to auth to the vm. -AsUser will use that user to create and run the scheduled job.
>
> One cred to auth to the VM, another to run the scriptblock as (if different).

Thanks very much for the reply. I think I get what you mean; however, how would this look script-wise? Kind regards

Sep 03 '23 07:09 delishus

```powershell
Invoke-CommandAs -Credential $adminUser -AsSystem -ScriptBlock { ... }
```

Look at the examples in the README.md

Sep 04 '23 17:09 mkellerman

Get the same result but when running in system context and trying to run scriptblock AsUser.

Testing with this:

```powershell
$Credential = Get-Credential domain\user
$ScriptBlock = { [System.Security.Principal.WindowsIdentity]::GetCurrent() }
Invoke-CommandAs -ScriptBlock $ScriptBlock -AsUser $Credential
```

And the user is not a local admin but has rights to create tasks; I have tried it manually.

Jan 04 '24 18:01 afriberg
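
Added example, not part of the thread or of the Invoke-CommandAs project: the identity check from the last comment, extended into a probe that reports account name, SYSTEM status and elevation, run first in the calling context and then through `-AsUser`. `$RunAsCredential` is a placeholder for a `[pscredential]` the calling script already holds.

```powershell
# Added example. $RunAsCredential is a placeholder (assumption): a [pscredential]
# that the calling script has already built.

# Probe: which account is this code running as, and is its token elevated?
$Probe = {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    [pscustomobject]@{
        Name       = $identity.Name
        IsSystem   = $identity.IsSystem
        IsElevated = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# 1. Context of the caller, i.e. the process that has to register the
#    scheduled job (for example SYSTEM when started from EC2 userdata).
$caller = & $Probe
'Caller : {0} (IsSystem={1}, IsElevated={2})' -f $caller.Name, $caller.IsSystem, $caller.IsElevated

# 2. Context inside the scheduled job that -AsUser creates and runs.
#    If registration fails, the error is written and $job stays empty.
$job = Invoke-CommandAs -ScriptBlock $Probe -AsUser $RunAsCredential
if ($job) {
    'Job    : {0} (IsSystem={1}, IsElevated={2})' -f $job.Name, $job.IsSystem, $job.IsElevated
} else {
    'Job    : no output returned; see the error record above.'
}
```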