1

I'm having problems getting DSC (in PowerShell 4) to start processes as another user. Here's a sample configuration:

$configData = @{
    AllNodes = @(
        @{
            NodeName = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

Configuration DSC_AttribProblem {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [PsCredential] $credential
    )

    Node "localhost" {
        File CreateTestFolder {
            Ensure = "Present"
            Type = "Directory"
            DestinationPath = "C:\DSC_Test"
        }

        Script CreateTestFile {
            SetScript = {
                $sw = New-Object System.IO.StreamWriter("C:\DSC_Test\TestFile.txt")
                $sw.Close()
            }
            TestScript = {
                return Test-Path "C:\DSC_Test\TestFile.txt"
            }
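            GetScript = {
                # GetScript must return a hashtable
                return @{ Result = [string](Test-Path "C:\DSC_Test\TestFile.txt") }
            }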
            DependsOn = "[File]CreateTestFolder"
        }

        WindowsProcess Attrib {
            Path = "C:\Windows\System32\attrib.exe"
            Arguments = "-A C:\DSC_Test\TestFile.txt"
            Credential = $credential
            DependsOn = "[Script]CreateTestFile"
        }
    }
}

Note that this is just a sample, to demonstrate the problem of running an executable with credentials. (The real-world case also needs to redirect the standard output.)

The Attrib step fails with this error:

PowerShell provider MSFT_ProcessResource  failed to execute
Set-TargetResource functionality with error message: Failure starting
process matching path 'C:\Windows\System32\attrib.exe'. Message:
"Failed  to wait for processes to start". 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

I found a similar problem asked at http://powershell.org/wp/forums/topic/running-windowsprocess/ but not really answered.

Behind the scenes, I can imagine this being due to "does windows have a limitation when a process started by a scheduled task under one set of creds runs another program under a different set of Creds" and "Why is this process crashing as soon as it is launched?". So how exactly do you work around this sort of issue? (Even writing a custom resource for this sort of problem, I ran into problems.)

Community
  • 1
  • 1
Todd
  • 530
  • 4
  • 14
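The sample configuration above sets `PSDscAllowPlainTextPassword = $true`, which makes DSC write the credential's password in clear text into the generated MOF file. The following is an added example, not part of the original post, showing the same `WindowsProcess` resource compiled with certificate encryption instead. It does not address the process-start failure itself. The certificate path, thumbprint, configuration name and output folder are placeholders or assumptions, the `File` and `Script` resources are omitted for brevity, and the target node is assumed to already hold the matching private key in `Cert:\LocalMachine\My`.

```powershell
# Added example, not from the original post. The .cer path and the thumbprint
# are placeholders: substitute the target node's encryption certificate.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            # Public key used at compile time to encrypt PSCredential values
            CertificateFile = 'C:\DSC_Certs\TargetNode.cer'       # placeholder path
            # Identifies the matching private key on the target node
            Thumbprint      = '<THUMBPRINT-OF-TARGET-NODE-CERT>'   # placeholder
            # PSDscAllowPlainTextPassword is intentionally absent
        }
    )
}

Configuration DSC_AttribEncrypted {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential] $credential
    )

    Node $AllNodes.NodeName {
        # Tell the Local Configuration Manager which certificate decrypts the MOF
        LocalConfigurationManager {
            CertificateId = $Node.Thumbprint
        }

        WindowsProcess Attrib {
            Path       = 'C:\Windows\System32\attrib.exe'
            Arguments  = '-A C:\DSC_Test\TestFile.txt'
            Credential = $credential
        }
    }
}

# Hypothetical output folder for the compiled MOF files
$outDir = Join-Path $env:TEMP 'DSC_AttribEncrypted'
DSC_AttribEncrypted -ConfigurationData $configData -credential (Get-Credential) -OutputPath $outDir

# Check before deploying: the Password value in the MOF should be an
# encrypted blob, never the password you typed at the prompt.
Select-String -Path (Join-Path $outDir 'localhost.mof') -Pattern 'Password\s*=' |
    ForEach-Object { $_.Line.Trim() }

Set-DscLocalConfigurationManager -Path $outDir   # applies localhost.meta.mof
Start-DscConfiguration -Path $outDir -Wait -Verbose
```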

1 Answer

0

To get this to work, my first attempt was to use LogonUser and then the .NET Process class to create the new process (which supported redirection nicely). The LogonUser part was based on https://gist.github.com/idavis/856603 (for impersonating within a scriptblock) and http://poshcode.org/1856 (which seemed to handle the credentials better for my case). This was all wrapped in a custom resource.

I later discovered that although this achieved the goal of having credentials locally, it didn't work with accessing files over the network. At that point I went to an alternative of using CreateProcessAsUser as in "DSC powershell xwindowsprocess to execute batch file under different user account". Although the comments on that thread were inconclusive to me, I came up with a solution that worked, and posted it to this Gist page including custom DSC resource and PowerShell modules. The solution also has an alternative implementation that can be swapped in involving CreateProcessWithLogonW(), but in my tests this didn't work.

Community
  • 1
  • 1
Todd
  • 530
  • 4
  • 14