Copy-Item fails in PowerShell WF

This topic contains 2 replies, has 2 voices, and was last updated by Глеб Боушев 1 year, 5 months ago.

  • #32537

    Hello, I have a really simple PowerShell WF

    Workflow Gather-SecurityLogs {
        parallel {
            sequence {
                InlineScript {
                    cmd /k 'wevtutil epl security /q:"*[System[TimeCreated[timediff(@SystemTime) <= 7862400000]]]" c:\%computername%.evtx /ow:true'
                }
                Copy-Item c:\output.evtx \\dc\share\$pscomputername.evtx
            }
        }
    }

    which errors out with permission denied. I tried with a domain admin account, PowerShell started as admin, tried granting Everyone all access to the share (including security permissions)... no good. Any ideas?
    Copy-Item works outside a PowerShell WF, what am I missing?

  • #32553
    Don Jones
    Keymaster

    Workflows aren't scripts in the usual sense. Workflows get translated to XAML, and then passed off to Windows Workflow Foundation to execute. So regardless of how you opened PowerShell, the code is actually being executed, usually, by SYSTEM, which doesn't have the ability to access network resources. "Everyone" on the share permissions (and you'd also need to look at the underlying NTFS file permissions) doesn't include non-authenticated (Anonymous) users, which is probably what's happening.

    Try adding the -PSCredential common parameter when you run Gather-SecurityLogs. That should let you specify a credential for the workflow to run under.

    Oh, and Gather isn't a good verb. See https://technet.microsoft.com/en-us/library/ms714428(v=vs.85).aspx for the list of approved verbs. I suspect you want to use Get. Maybe Join. 🙂

  • #32556

    In case of -credential, I suppose I need to construct a variable beforehand, right? Let me see

    Workflow Gather-SecurityLogs {
        $user = 'xxxxx'
        $PlainPassword = 'xxxxx'
        $SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
        $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $User, $SecurePassword
        
        parallel {
            sequence {
                InlineScript {
                    cmd /k 'wevtutil epl security /q:"*[System[TimeCreated[timediff(@SystemTime) <= 7862400000]]]" c:\%computername%.evtx /ow:true'
                    New-PSDrive -Name X -PSProvider FileSystem -Root "\\msk-dc-02\C$" -Credential $using:cred
                    Copy-Item c:\$pscomputername.evtx X:\$pscomputername.evtx
                    Remove-PSDrive -Name X
                }
            }
        }
    }
    

    Works like this.
    PS. Thanks for the verb info, didn't think about it when doing this 😉
    PPS. Is there any easy way to secure the password string?
    PPPS. How to mark an answer?
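
Added example, not part of any post in this thread and not the posters' code: one way to keep the password out of the workflow source is to pass a PSCredential in as a parameter and load it from a DPAPI-protected file. The workflow name `Export-SecurityLog`, the parameters `ShareCredential` and `ShareRoot`, and the `share-cred.xml` path are assumptions; the share path and event query are the ones from the posts above.

```powershell
# Added example. Export-SecurityLog, ShareCredential, ShareRoot and the
# share-cred.xml path are assumed names, not from the thread.
workflow Export-SecurityLog {
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $ShareCredential,
        [string] $ShareRoot = '\\dc\share'    # share path from the first post
    )

    InlineScript {
        $cred  = $using:ShareCredential
        $root  = $using:ShareRoot
        $local = "C:\$env:COMPUTERNAME.evtx"

        # Same export and time window as in the thread, called without cmd.
        $query = '*[System[TimeCreated[timediff(@SystemTime) <= 7862400000]]]'
        wevtutil epl Security $local "/q:$query" /ow:true
        if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }

        # Map the share with the explicit credential; always unmap it again.
        New-PSDrive -Name X -PSProvider FileSystem -Root $root -Credential $cred | Out-Null
        try {
            Copy-Item -Path $local -Destination "X:\$env:COMPUTERNAME.evtx" -ErrorAction Stop
        }
        finally {
            Remove-PSDrive -Name X
        }
    }
}

# One time, interactively: prompt for the account and save it. Export-Clixml
# stores the password as a DPAPI-protected SecureString that only the same
# user on the same computer can decrypt.
$credFile = Join-Path $env:USERPROFILE 'share-cred.xml'
Get-Credential | Export-Clixml -Path $credFile

# Later runs: load the credential and hand it to the workflow.
$shareCred = Import-Clixml -Path $credFile
Export-SecurityLog -ShareCredential $shareCred
```

The saved file is only as well protected as the account that created it, so create it under the account that runs the workflow and give that account write access to the one share and nothing more.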
