Invoke-Command run as different user to kill a process


This topic contains 2 replies, has 3 voices, and was last updated by Participant 3 months, 2 weeks ago.

  • #110986

    Participant
    Points: 1
    Rank: Member

    Hi

    I want to create a script that will allow terminal users (Citrix XenApp) that will allow a normal user to close opened IE on multiple terminal servers. I created a script that is doing just that, but the problem is, it works only on the user which generated the security string. So I changed the security token to the password in plain text but the code stopped working. It is showing all processes but is now getting the user session ID. Do you have any suggestions? Here is the code:

    
    $Username = "usernamewithadminrights"
    $Password = 'password' | ConvertTo-SecureString -AsPlainText -Force
    $MyCredential = New-Object -TypeName System.Management.Automation.PSCredential `
        -ArgumentList $Username,$Password
    $Servers = 'servername'

    Invoke-Command -ComputerName $Servers -ScriptBlock {
        $SID = (Get-Process -IncludeUserName | Where-Object { $_.UserName -contains 'username'} | Sort-Object SessionId -Unique).SessionId
        get-process *iexplo* | where {$_.SI -like $SID} | Stop-Process
    } -ArgumentList $User -Credential $MyCredential
    
    
  • #111011

    Participant
    Points: 39
    Rank: Member

    If it worked the first time, you can use a keyfile to store your pass with encryption so it isn't readable from the PS file.

    I use this method to create that file:

    
    $KeyFile = 'C:\Scripts\SystonyAES.key'
    $Key = New-Object -TypeName Byte[] -ArgumentList 32   # You can use 16, 24, or 32 for SystonyAES
    [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
    $Key | out-file -FilePath $KeyFile
    
    $SystonyPasswordFile = 'C:\Scripts\SystonyPassword.txt'
    $KeyFile = 'C:\Scripts\SystonyAES.key'
    $Key = Get-Content -Path $KeyFile
    $SystonyPassword = 'password' | ConvertTo-SecureString -AsPlainText -Force
    $SystonyPassword | ConvertFrom-SecureString -key $Key | Out-File -FilePath $SystonyPasswordFile
    
    $User = 'username'
    $SystonyPasswordFile = 'C:\Scripts\SystonyPassword.txt'
    $KeyFile = 'C:\Scripts\SystonyAES.key'
    $key = Get-Content -Path $KeyFile
    $MyCredential = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $User, (Get-Content -Path $SystonyPasswordFile | ConvertTo-SecureString -Key $key)
    
    

     

    and see if this works

  • #111034

    Participant
    Points: 332
    Helping Hand
    Rank: Contributor

    It's very bad risk management practice to embed plain text passwords in script files. You should always prompt for them. You can then store them in a secure file or Windows Credential Manager or PS JEA to do this more securely.

    As for ...

     I created a script that is doing just that, but the problem is, it works only on the user which generated the security string

    This is by design. Any script or  cannot natively get the currently logged on user's full credentials and run with that; imagine the security risk of that. The user must specifically supply those.

    Resources:

    http://powershellcookbook.com/recipe/PukO/securely-store-credentials-on-disk

    Working with Passwords, Secure Strings and Credentials in Windows PowerShell
    https://social.technet.microsoft.com/wiki/contents/articles/4546.working-with-passwords-secure-strings-and-credentials-in-windows-powershell.aspx

    https://www.powershellgallery.com/packages/CredentialManager/1.0

    PowerShell Credentials Manager
    CredMan.ps1 is a PowerShell script that provides access to the Win32 Credential Manager API used for management of stored credentials.
    https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde

    Using saved credentials securely in PowerShell scripts

    How to secure your passwords with PowerShell

    https://blogs.technet.microsoft.com/ashleymcglone/2016/11/30/how-to-run-a-powershell-script-against-multiple-active-directory-domains-with-different-credentials

The topic ‘Invoke-Command run as different user to kill a process’ is closed to new replies.
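
The advice in the replies (prompt for the credential, keep it in a protected file) combined with the original task, as an added example that is not code from any poster in this thread. The function names, 'servername', 'DOMAIN\username' and the credential file path are placeholders, and the example goes slightly beyond the thread by passing the target user into the remote script block through `param()`.

```powershell
# Added example; function names, server, user and file path are placeholders.
function Get-SavedCredential {
    param([Parameter(Mandatory)][string] $Path)
    if (Test-Path -LiteralPath $Path) {
        # Import-Clixml decrypts the password with Windows DPAPI: only the account
        # that saved the file, on the same computer, can read it back. This is the
        # "works only for the user who generated it" behaviour discussed above.
        return Import-Clixml -LiteralPath $Path
    }
    # First run: prompt, so no password is ever written into the script itself.
    $cred = Get-Credential -Message 'Account with admin rights on the terminal servers'
    $cred | Export-Clixml -LiteralPath $Path
    return $cred
}

function Stop-UserIExplore {
    param(
        [Parameter(Mandatory)][string[]]     $ComputerName,
        [Parameter(Mandatory)][string]       $TargetUser,   # 'DOMAIN\username' form
        [Parameter(Mandatory)][pscredential] $Credential
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential `
                   -ArgumentList $TargetUser -ScriptBlock {
        param($User)   # receives the value passed through -ArgumentList
        # -IncludeUserName needs PowerShell 4.0+ and an elevated session.
        $sessionIds = Get-Process -IncludeUserName |
            Where-Object { $_.UserName -eq $User } |
            Select-Object -ExpandProperty SessionId -Unique
        # Stop only the iexplore processes that live in that user's session(s).
        Get-Process -Name iexplore -ErrorAction SilentlyContinue |
            Where-Object { $sessionIds -contains $_.SessionId } |
            Stop-Process -Force -PassThru |
            Select-Object Name, Id, SessionId
    }
}

$cred = Get-SavedCredential -Path "$env:LOCALAPPDATA\ts-admin.cred.xml"
Stop-UserIExplore -ComputerName 'servername' -TargetUser 'DOMAIN\username' -Credential $cred
```

Because the saved file is bound to the account that created it, each operator saves their own copy; the AES key file from the second reply removes that binding, so the key file then needs file permissions as strict as the password itself.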