
Elevate credentials with PowerShell via the Local System account

I want to deploy code using PowerShell via a Jenkins job. This works fine in the PowerShell ISE.

$username = "mydomain\builder"
$password = "notmypassword"
# Build a PSCredential from the plain-text password
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
# Switches for powershell.exe; -File must come last because everything after the script path is passed to the script itself
$Arguments = "-NoLogo -NonInteractive -ExecutionPolicy Bypass -File C:\Test.ps1"

# -NoNewWindow and -WorkingDirectory are Start-Process parameters, not powershell.exe switches
Start-Process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Credential $credentials -ArgumentList $Arguments -NoNewWindow -WorkingDirectory C:\Windows\System32\WindowsPowerShell\v1.0

But when I run it from Jenkins, which uses the Local System account, I get the following error message.

Start-Process : This command cannot be run due to the error: Access is denied.
At C:\WINDOWS\TEMP\hudson5557889306949142167.ps1:7 char:1
+ Start-Process powershell.exe -Credential $credentials -ArgumentList $

If I change the Jenkins service to another account it works. Why won't elevated permissions work under the Local System account?

Note: the only code in test.ps1 is New-Item c:\scripts\new_file.txt

There seems to be a restriction on certain commands when a script is run under LocalSystem. This makes sense in terms of security, given that LocalSystem:

has complete unrestricted access to local resources. This is also the disadvantage of LocalSystem because a LocalSystem service can do things that would bring down the entire system.

Reference: MSDN, The LocalSystem Account

There is a similar question at SuperUser: Can not create process with elevated permissions from LocalSystem account, with no answer so far; a reference to this answer has been added there now.

There is a similar question at TechNet: Running PowerShell script with the permissions of the LocalSystem user, with answers suggesting to run the script via Task Scheduler.

I can think of using runas with /savecred and a /user:... with appropriate permissions whose password never expires. AFAIR you have to invoke runas with /savecred interactively once, enter the credentials and it will take the saved credentials from the next invocation onwards.
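The Task Scheduler route the answer refers to, as an added example that is not part of the question or the answer: the LocalSystem Jenkins job registers a task that runs as the deploy account, starts it, waits for it, and removes it again. It assumes the script is C:\Test.ps1, the account is mydomain\builder, and the password is supplied in the environment variable BUILDER_PASSWORD (for example injected by the Jenkins job) rather than hard-coded.

```powershell
# Added example, not code from the question or answer. A LocalSystem job
# cannot Start-Process as another user, but it can register and start a
# scheduled task that runs as that user.
# Assumptions: script C:\Test.ps1, account mydomain\builder, password in
# $env:BUILDER_PASSWORD (hypothetical, e.g. set by the Jenkins job).
$taskName = 'Jenkins-Deploy-AsBuilder'
$runAs    = 'mydomain\builder'
$password = $env:BUILDER_PASSWORD
if (-not $password) { throw 'BUILDER_PASSWORD is not set' }

# -File must be the last powershell.exe switch: everything after the
# script path is handed to the script, not to powershell.exe.
$action = New-ScheduledTaskAction `
    -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument '-NoLogo -NonInteractive -ExecutionPolicy Bypass -File C:\Test.ps1' `
    -WorkingDirectory 'C:\Windows\System32\WindowsPowerShell\v1.0'

# Cap the run time so a hung deploy cannot block the build forever.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

# -User/-Password stores the credential in the Task Scheduler credential
# store, so the task runs whether or not that user is logged on.
Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings `
    -User $runAs -Password $password -RunLevel Highest -Force | Out-Null

try {
    Start-ScheduledTask -TaskName $taskName

    # Poll until the task leaves the Running state.
    do {
        Start-Sleep -Seconds 2
        $state = (Get-ScheduledTask -TaskName $taskName).State
    } while ($state -eq 'Running')

    # LastTaskResult is the exit code of the last run (0 = success);
    # fail the Jenkins build on anything else.
    $info = Get-ScheduledTaskInfo -TaskName $taskName
    if ($info.LastTaskResult -ne 0) {
        throw ('Deploy task failed with result 0x{0:X8}' -f $info.LastTaskResult)
    }
    Write-Host "Deploy ran as $runAs at $($info.LastRunTime)"
}
finally {
    # Remove the task so the stored credential does not outlive the build.
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
}
```

Unlike runas /savecred, the credential here is scoped to one named task and deleted when the build finishes, and the script's exit code is surfaced to Jenkins through LastTaskResult.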
