Passing Admin username & password using shell_exec

I have a PowerShell script which, when I run it directly on the web server (Windows 2008R2, IIS), completes successfully. I am now trying to launch the script from a PHP page. The script launches and I can see the process in Task Manager just fine.

When I call the script using shell_exec from a PHP page, it fails with the error

"Exception calling "FindOne" with "0" argument(s): "An operations error occurred."

I can see from Task Manager that the script is running as the user IUSR. I'm pretty sure that this is the reason the script is failing, as to complete successfully it needs to be run as a domain admin.

I am calling the script with the following command

$username = the currently logged in user on the page (authenticated against AD)
$newPword1 = new user password

$query = shell_exec("powershell -command $psScriptPath '$username' '$newPword1' < NUL");

PowerShell script:

#*=============================================================================
#* PARAMETER DECLARATION
#*=============================================================================

param([string]$username,[string]$pword)

#*=============================================================================
#* INITIALISE VARIABLES
#*=============================================================================
# Increase buffer width/height to avoid Powershell from wrapping the text before
# sending it back to PHP (this results in weird spaces).
$pshost = Get-Host
$pswindow = $pshost.ui.rawui
$newsize = $pswindow.buffersize
$newsize.height = 3000
$newsize.width = 400
$pswindow.buffersize = $newsize


#*=============================================================================
#* SCRIPT BODY
#*=============================================================================

$root = [ADSI]'LDAP://<server>/<DNtoOU>'
$searcher = new-object System.DirectoryServices.DirectorySearcher($root)
$searcher.filter = "(&(objectCategory=person)(sAMAccountName=$username))"
$user = $searcher.findone()

$userDN = $user.path

$user=[ADSI]$($userDN)
$user.SetPassword($pword)
$user.setinfo()
write-host "success"

Is it possible to pass a Domain Admin username/password to run PowerShell as, using the above command, thereby allowing the script to run successfully?

One of several ways is to use PowerShellRunAs.

Edit: It is documented; you can use the PowerShell script as-is or modify it to suit your needs (e.g. not using a password file).

In more detail, instead of this:
shell_exec("powershell -command $psScriptPath …")
You could use this:
shell_exec("powershell -command \"Start-Process powershell.exe -argumentlist '-command $psScriptPath …' -Credential 'TheDomain\\TheUser'\"")
But to avoid the password prompt, use PowerShellRunAs as per the documentation:
shell_exec("powershell -command \"Start-Process powershell.exe -argumentlist '-command $psScriptPath …' -Credential (.\\PowerShellRunAs.ps1 -get contoso\\svc_remoterestart \\\\fileserver\\share\\file.pwd)\"")

Alternatively, you could incorporate the start-process … -credential … into your own script. That way you can keep your shell_exec call simple as before, and only a limited part of your script will run under the user with different (higher) privileges.

Should you use the script as is, remember to first run it with -set instead of -get, in order to set the password file.
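
The shell_exec call in the question places the web user's name and new password directly on a command line that is parsed by both cmd.exe and PowerShell, and the password is visible in the process list while the script runs. The following is an added example, not code from the question or the answer, of calling the same script without a shell and with the password sent over stdin. Assumptions: PHP 7.4 or later, a hypothetical helper name `resetPasswordViaPowershell`, a conservative username allow-list, and a script changed to read the password from standard input instead of a second parameter.

```php
<?php
// Added example: hypothetical helper, not code from the question or answer.
// Assumes PHP >= 7.4 (array form of proc_open) and that the PowerShell script
// reads the new password with [Console]::In.ReadLine() instead of a parameter.

function resetPasswordViaPowershell(string $psScriptPath, string $username, string $newPassword): string
{
    // Conservative sAMAccountName allow-list (an assumption; adjust to your
    // naming policy): rejects quotes, spaces, LDAP filter and shell characters.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,20}\z/', $username)) {
        throw new InvalidArgumentException('Invalid username');
    }
    // The password travels as one line on stdin, so it must not contain a newline.
    if ($newPassword === '' || strpbrk($newPassword, "\r\n\0") !== false) {
        throw new InvalidArgumentException('Invalid password');
    }

    // Array form: no cmd.exe in between, PHP escapes each argument itself.
    // -File binds arguments as literal strings; -Command would re-parse them
    // as PowerShell code.
    $cmd = ['powershell.exe', '-NoProfile', '-NonInteractive',
            '-File', $psScriptPath, '-username', $username];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start powershell.exe');
    }

    // Password goes over stdin, so it never appears in the process command line.
    fwrite($pipes[0], $newPassword . "\n");
    fclose($pipes[0]);   // EOF on stdin, replaces the original "< NUL"

    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);

    // The script on the page prints "success" when it reaches its last line.
    if ($exit !== 0 || trim($stdout) !== 'success') {
        error_log('Password reset script failed: ' . trim($stderr));
        throw new RuntimeException('Password reset failed');
    }
    return trim($stdout);
}
```

This changes only how the script is started; the account the script runs under is still decided by the Start-Process -Credential approach described in the answer.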
