4

I found several answers on the web, but not really what I was searching for.

The issue is as follows: When restoring a file with "Networker", the ACLs of the file are the same ones as when the file was backed up, regardless of inheritance in the folder the file is restored to. Meaning the inheritance of ACLs does not affect the newly restored file.

This leaves me with the problem that only 3 Accounts have the right to alter the ACL.

  • The user the file belongs to
  • The domain Admins
  • The system account

To solve the issue I would like to run an automated script fixing the ACL and activating the correct inheritance.

The system user for the script has to be one of the three. The user is changing and therefore not a valid choice; also I don't want to leave any domain admin credentials nor give domain admin rights to a service account.

This leaves me with the system account to do the job and here comes the question:

How do I execute a task in powershell under system account credentials?

I tried

$username = "NT Authority\System"
$password = ConvertTo-SecureString -String "" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist @($username, $password)

Since the password is empty I cannot really create credentials with it.

The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. https://msdn.microsoft.com/de-de/library/windows/desktop/ms684190(v=vs.85).aspx

So now I am a little bit confused as to how I can get this to work.

Edit: The file system runs on EMC and is not a real Windows File System, but just kinda hooked onto a Linux system. So there is no local administrator account.

TL;DR

I want to inherit ACL Permissions on files using the system account with powershell, how?

Asharon

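The repair the question describes, as an added example that is not part of the original post or any answer: the script re-enables inheritance on restored files (the PowerShell counterpart of resetting the DACL) and, when started with `-AsSystem` from an elevated prompt, re-launches itself as SYSTEM through the built-in Task Scheduler instead of a third-party tool. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later); the script name `Repair-RestoredAcl.ps1` and the task name are placeholders.

```powershell
# Repair-RestoredAcl.ps1 (placeholder name) - added example, not from the original post.
param(
    [Parameter(Mandatory)][string]$Path,   # folder holding the restored files
    [switch]$AsSystem                       # re-run this script as SYSTEM via Task Scheduler
)

function Repair-AclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        # Explicit (non-inherited) ACEs are the stale ones carried over by the restore.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if (-not $acl.AreAccessRulesProtected -and $explicit.Count -eq 0) { return }

        if ($PSCmdlet.ShouldProcess($_.FullName, 'Enable inheritance, drop explicit ACEs')) {
            # isProtected = $false switches inheritance back on; the second
            # argument only matters when protecting, so it is ignored here.
            $acl.SetAccessRuleProtection($false, $false)
            foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
            # Writing the DACL needs WRITE_DAC, which is why this runs as SYSTEM.
            Set-Acl -LiteralPath $_.FullName -AclObject $acl
        }
    }
}

# S-1-5-18 is the well-known SID of NT AUTHORITY\SYSTEM (LocalSystem).
$isSystem = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value -eq 'S-1-5-18'

if ($AsSystem -and -not $isSystem) {
    # Registering a task as SYSTEM requires local admin rights; the task re-invokes
    # this same script file without the -AsSystem switch.
    $taskName  = 'Repair-RestoredAcl'   # placeholder
    $argList   = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Path `"$Path`""
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $argList
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName $taskName
    return
}

Repair-AclInheritance -Path $Path -Verbose
```

Over SMB a task running as SYSTEM authenticates to the file server as the computer account (DOMAIN\COMPUTER$), not as the server's own SYSTEM, so the share must grant that account permission to change the DACL; run with `-WhatIf` first to list which objects would be touched.
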
3 Answers

4

https://github.com/mkellerman/Invoke-CommandAs

Made a function to Invoke-Command against local/remote computer using provided credentials or SYSTEM. Returns PSObjects, handles network interruptions and resolves any Double-Hop issues.

Try it out let me know if this resolves your issues.

Marc Kellerman
3

If you're ok installing a (very useful) 3rd party program, you can try the following. It's a portable .zip, no real installation.

Run as administrator:

C:\WINDOWS\system32>nircmd.exe elevatecmd runassystem c:\windows\System32\cmd.exe

starts a new cmd window:

Microsoft Windows [Version 10.0.18362.418]

(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

C:\WINDOWS\system32>

https://www.nirsoft.net/utils/nircmd.html

john v kumpf
2

Domain Admins get access via the local Administrators group. Local Administrators can take ownership of any local object and subsequently grant new permissions to that object.

Running something like this as an administrator should do what you want:

takeown /f C:\some\file_or_folder /a /r /d:y
icacls C:\some\file_or_folder /reset /t /c /q

Never use the SYSTEM account for things like this.

Ansgar Wiechers
  • Yeah, the problem is that the file system runs on EMC and is not a real Windows File System, but just kinda hooked onto a Linux system. So there is no local administrator account :( The only other way I would see now would be to restore to a different location "with" a normal file system and thus a local administrator. – Asharon Feb 23 '17 at 09:00
  • If there is no local admin account what makes you believe there would be a local SYSTEM account? Please edit your question and provide more information about your environment, the operating system(s), and the file system. – Ansgar Wiechers Feb 23 '17 at 09:53
  • Hi Ansgar, as mentioned, the System Account shows in the ACL of the restored file. However, you are right, it seems odd that there actually is a system account. – Asharon Feb 23 '17 at 12:16
  • @AnsgarWiechers If you want to run a PS script that normally runs as the `ComputerName$` account in AD when you reboot as a startup and shutdown, doesn't this mean you want to run the process as `LocalSystem`? The share the script resides on and a log file it writes only grant access to `Domain Computers`, but I was trying to remotely `Enter-PSSession` and `Invoke-Command` to make it run without a reboot but got access denied. Is there not a pure PowerShell way, or even one with an Add-Type C# definition or something, to make this happen without psexec or task scheduler or nircmd? Do you have an answer already? – Bitcoin Murderous Maniac Sep 15 '20 at 20:20
  • Related is [here](https://learn.microsoft.com/en-us/dotnet/api/system.serviceprocess.serviceaccount?redirectedfrom=MSDN&view=netframework-4.8) so one would think it'd be possible if compiled nircmd or psexec can do it, then why not use .Net or C or C# code in PowerShell if PowerShell doesn't have a way to make something execute as system or local system. Only to be used manually with extreme cases when only needed and not for automation or something like that. – Bitcoin Murderous Maniac Sep 15 '20 at 20:22