runas.exe和Start-Process -Credential之间的区别

Question

I am playing around with setting up some scripts on a vpn on a client's network. This client generally assigns an ActiveDirectory account on their network and use it to manage permissions (eg. to databases). Ok, that makes sense.

But here is something that confuses me:

start-process runas.exe "/user:CLIENTDOMAIN\George.Mauer /netonly W:\tools\LINQPad4\LINQPad.exe

queries for a password and runs just fine (and I can access the database)

But

Start-Process W:\tools\LINQPad4\LINQPad.exe -Credential (Get-Credential)

and entering CLIENTDOMAIN\\George.Mauer and my password at the popup prompt always results in an error

Start-Process : This command cannot be run due to the error: The user name or password is incorrect.

Are these not the same thing? What's the difference between runas and -Credential ? And a secondary question - how do I Start-Job with my CLIENTDOMAIN\\George.Mauer credential?

Answer 1

/netonly runs the process as the current user and only network connections are made with the other credentials.

Start-Process will run the process (and all its network connections) with the other credentials. There's no way to achieve the /NETONLY functionality with Start-Process .

You'd have to p/invoke the Win32 API to achieve /NETONLY functionality. If you're up for the exercise this is the API you'll need to use LOGON_NETCREDENTIALS_ONLY with:

http://www.pinvoke.net/default.aspx/advapi32/createprocesswithlogonw.html

More resources:

• example code with LOGON_NETCREDENTIALS_ONLY
• CreateProcessWithTokenW function

To run a job as a different user:

Start-Job -ScriptBlock {whoami} -Credential (get-credential) | Wait-Job | Receive-Job