
Run command as System User in Powershell

I found several answers on the web, but not really what I was searching for.

The issue is as follows: When restoring a file with "Networker", the ACLs of the file are the same ones as when the file was backed up, regardless of inheritance in the folder the file is restored to. Meaning the inheritance of ACLs does not affect the newly restored file.

This leaves me with the problem that only 3 Accounts have the right to alter the ACL.

  • The user the file belongs to
  • The domain Admins
  • The system account

To solve the issue I would like to run an automated script fixing the ACL and activating the correct inheritance.

The account the script runs under has to be one of the three. The user is changing and therefore not a valid choice; also, I don't want to leave any domain admin credentials lying around, nor give domain admin rights to a service account.

This leaves me with the system account to do the job and here comes the question:

How do I execute a task in PowerShell under system account credentials?

I tried

$username = "NT Authority\System"
$password = ConvertTo-SecureString -String "" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist @($username, $password)

Since the password is empty, I can't really create credentials with it.

"The name of the account in all locales is .\LocalSystem. The name LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password." https://msdn.microsoft.com/de-de/library/windows/desktop/ms684190(v=vs.85).aspx

So now I am a little bit confused as to how I can get this to work.

Edit: The file system runs on EMC storage and is not a real Windows file system, but is just kind of hooked onto a Linux system. So there is no local administrator account.

TL;DR

I want to inherit ACL Permissions on files using the system account with powershell, how?
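The question asks how to run a PowerShell script under the SYSTEM account without storing any credential. One native way, shown here as an added example that is not code from the question or from any of the answers on this page, is a one-shot scheduled task whose principal is NT AUTHORITY\SYSTEM: the Task Scheduler needs no password for that principal, so the empty-SecureString problem above never arises. The restore path, task name and script/log location are assumptions for illustration. The script the task runs re-enables inheritance only on items whose ACL is "protected" (inheritance switched off), which is how a restore that carries the backed-up DACL shows up, and leaves everything else untouched.

```powershell
# Added example (not from the question or answers): run an ACL-inheritance repair
# as NT AUTHORITY\SYSTEM via a one-shot scheduled task. Registering a task with a
# SYSTEM principal needs an elevated PowerShell.
#Requires -RunAsAdministrator

$RestoreRoot = 'D:\Restores\share1'                     # assumed: folder Networker restored into
$TaskName    = 'Fix-RestoredAcl'                        # assumed task name
$WorkDir     = Join-Path $env:ProgramFiles 'AclRepair'  # assumed; admin-writable only
$ScriptPath  = Join-Path $WorkDir 'Fix-RestoredAcl.ps1'
$LogPath     = Join-Path $WorkDir 'Fix-RestoredAcl.log'

# Keep the script somewhere standard users cannot write: a task running as SYSTEM
# must never execute a file from a user-writable location (ProgramData, Temp, ...),
# or anyone who can replace that file runs as SYSTEM.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Body of the script the task will run. Backtick-escaped `$ are literal in the
# generated file; $RestoreRoot and $LogPath are expanded here.
$ScriptBody = @"
`$root = '$RestoreRoot'
`$log  = '$LogPath'
"`$(Get-Date -Format o) running as `$(whoami)" | Out-File -LiteralPath `$log -Append
Get-ChildItem -LiteralPath `$root -Recurse -Force | ForEach-Object {
    `$acl = Get-Acl -LiteralPath `$_.FullName
    if (`$acl.AreAccessRulesProtected) {
        # SetAccessRuleProtection(isProtected=false, preserveInheritance=false):
        # switch inheritance back on; explicit ACEs copied from the backup stay.
        `$acl.SetAccessRuleProtection(`$false, `$false)
        Set-Acl -LiteralPath `$_.FullName -AclObject `$acl
        "fixed `$(`$_.FullName)" | Out-File -LiteralPath `$log -Append
    }
}
"@
Set-Content -LiteralPath $ScriptPath -Value $ScriptBody -Encoding UTF8

# Principal 'SYSTEM' with LogonType ServiceAccount: no password is stored or asked for.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null

# Start it, wait for it to finish, read the exit code, then remove the task again.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 2
while ((Get-ScheduledTask -TaskName $TaskName).State -eq 'Running') { Start-Sleep -Seconds 1 }
$result = (Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false

Get-Content -LiteralPath $LogPath
if ($result -ne 0) { throw "task exited with 0x$($result.ToString('x'))" }
```

A point that matters for the EMC setup mentioned in the edit: if the restore target is a UNC path, a task running as SYSTEM reaches the share as the computer account (DOMAIN\COMPUTER$), not as a SYSTEM with special rights on the filer, so that account must be allowed to change the DACL of the restored files; the privileges SYSTEM has on the local machine do not carry over SMB. On a local NTFS volume the task works as written, because SYSTEM has full control there.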

https://github.com/mkellerman/Invoke-CommandAs

I made a function to run Invoke-Command against a local/remote computer using provided credentials or SYSTEM. It returns PSObjects, handles network interruptions and resolves any double-hop issues.

Try it out and let me know if this resolves your issues.

If you're OK installing a (very useful) 3rd-party program, you can try the following. It's a portable .zip; no real installation.

Run as administrator:

C:\WINDOWS\system32>nircmd.exe elevatecmd runassystem c:\windows\System32\cmd.exe

starts a new cmd window:

Microsoft Windows [Version 10.0.18362.418]

(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

C:\WINDOWS\system32>

https://www.nirsoft.net/utils/nircmd.html

Domain Admins get access via the local Administrators group. Local Administrators can take ownership of any local object and subsequently grant new permissions to that object.

Running something like this as an administrator should do what you want:

takeown /f C:\some\file_or_folder /a /r /d:y
icacls C:\some\file_or_folder /reset /t /c /q

Never use the SYSTEM account for things like this.
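The takeown/icacls route from the answer above, as an added example (not the answer's own code) wrapped so you can see what it actually changes. The path is an assumption. It lists the items whose inheritance is switched off before and after, and shows the choice between /reset (replace the DACL with the inherited defaults, which also discards any explicit ACEs the backup carried) and /inheritance:e (keep the explicit ACEs and only re-enable inheritance). Run it from an elevated PowerShell on a local NTFS volume.

```powershell
# Added example (not the answer's own code): take ownership as Administrators and
# restore inheritance, with a before/after check of which items are affected.
#Requires -RunAsAdministrator
$Target = 'C:\some\file_or_folder'   # assumed path

function Get-ProtectedAclItems {
    param([string]$Path)
    # Items whose DACL is "protected" (inheritance switched off). That is what a
    # restored file carrying its backed-up ACL looks like; only these need fixing.
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected }
}

$before = @(Get-ProtectedAclItems -Path $Target)
"$($before.Count) item(s) with inheritance disabled under $Target"

# 1. Take ownership for the Administrators group (/a), recursively (/r), answering
#    Y (/d Y) where the current user cannot even list a directory. Ownership is
#    what lets an administrator rewrite a DACL that grants them no WRITE_DAC.
#    Note: this permanently changes the owner away from the original user.
takeown /f $Target /a /r /d Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# 2a. Replace the DACLs with the inherited defaults (/t recurse, /c continue on
#     errors, /q quiet). Explicit ACEs the backup carried are dropped.
icacls $Target /reset /t /c /q | Out-Null
# 2b. Alternative that keeps the explicit ACEs and only re-enables inheritance:
#     icacls $Target /inheritance:e /t /c /q
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

$after = @(Get-ProtectedAclItems -Path $Target)
"$($after.Count) item(s) still have inheritance disabled"
$after | Select-Object -ExpandProperty FullName
```

Which of 2a and 2b is right depends on whether the explicit entries the backup restored are wanted at all: /reset gives the files exactly what a freshly created file in that folder would get, /inheritance:e adds the inherited entries on top of what the restore brought back.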
