PowerShell: Using Arguments/Parameters won't work

Hi, that path is the debug info from our build server, so that’s just where the app was compiled and is not your path.

Could it be that Local System is not allowed to impersonate other users? Windows has a ‘secondary logon’ policy which takes effect when a user is trying to impersonate another user.

Access is denied when using the "runas" command, Run as Administrator, or Run as a different user option - Windows Server | Microsoft Docs

You could test this by using psexec to run as local system (the same user the Certify background service runs as), then try to Run As your user.

A workaround (if required) is to write out the latest config (e.g. as a JSON result or other format, such as the cert thumbprint or cert file path) to a file as part of your (non-impersonated) task.

You then create a Windows scheduled task which periodically checks for this file and if it exists it then runs whatever script you need using that config information.

It’s not as nice as having an integrated script but it does open up a range of other ways of working (such as having fine grained control over privilege escalation, or only running the update during a maintenance window etc.).
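The pickup side of the workaround described above, as an added example that is not part of the original post and is not Certify's own code. The handoff path, the JSON field name `Thumbprint`, the certificate store location and the `Invoke-CertUpdate` function are all assumptions made for illustration.

```powershell
# Pickup script for a Windows scheduled task that runs as the target user.
# Assumed, not from the thread: handoff path, JSON field name, LocalMachine\My store.
$ErrorActionPreference = 'Stop'
$HandoffFile = 'C:\ProgramData\CertHandoff\latest.json'   # hypothetical path

function Test-HandoffOwner {
    param([string]$Path)
    # The writer is a service running as Local System, so only trust a file
    # owned by SYSTEM (S-1-5-18) or Administrators (S-1-5-32-544).
    # SIDs are compared rather than names because names are localized.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $owner = (Get-Acl -LiteralPath $Path).GetOwner($sidType).Value
    return $owner -in @('S-1-5-18', 'S-1-5-32-544')
}

function Read-Handoff {
    param([string]$Path)
    $config = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    # A certificate thumbprint is 40 hex characters; reject anything else so
    # the value can never be abused as a path or command fragment.
    if ($config.Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        throw 'Handoff file has an invalid thumbprint value.'
    }
    # Resolve the certificate from the store instead of trusting a file path.
    return Get-Item -LiteralPath "Cert:\LocalMachine\My\$($config.Thumbprint)"
}

function Invoke-CertUpdate {
    # Hypothetical hook: replace the body with your own deployment script.
    param($Certificate)
    Write-Output "Deploying $($Certificate.Thumbprint), expires $($Certificate.NotAfter)"
}

if (-not (Test-Path -LiteralPath $HandoffFile)) { return }   # nothing new to do
if (-not (Test-HandoffOwner -Path $HandoffFile)) {
    throw 'Handoff file is not owned by SYSTEM or Administrators; refusing to process.'
}

# Claim the file first so an overlapping task run does not process it twice.
$claimed = "$HandoffFile.processing"
Move-Item -LiteralPath $HandoffFile -Destination $claimed -Force
try {
    Invoke-CertUpdate -Certificate (Read-Handoff -Path $claimed)
    Remove-Item -LiteralPath $claimed
} catch {
    # Keep the failed input for inspection rather than retrying it forever.
    Move-Item -LiteralPath $claimed -Destination "$HandoffFile.failed" -Force
    throw
}
```

The handoff directory should be writable only by SYSTEM and administrators for creating files, with the task's user granted just enough rights to rename and delete them.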

> Could it be that Local System is not allowed to impersonate other users, Windows has a ‘secondary logon’ policy which takes effect when a user is trying to impersonate another user.

No, this is not the case. I’m always logged in with another user and trying to run the script after opening PowerShell via “Run As”. Also the psexec is working as intended.

Using a scheduled task is not an option and shouldn’t be required in my opinion.

Thanks, I was able to reproduce. The difference is that my testing was under a different service account. I will look for a solution.

@webprofusion Any update on this matter?

Hi, I’m afraid further development of impersonation features has stalled and will be resumed at a later date.

I did a bunch of further experimental work but the crux of the issue seems to be that because our service runs under local system it is subject to different limitations when impersonating users. After that the work basically ran out of time budget for further investigation and many other things needed attention as a priority.

This feature will be revisited but I can’t say when, so you should seek alternative solutions such as writing out settings to a file with Task, then using your own Windows scheduled task to pick up those settings and perform your scripting.

Okay, it’s sad to hear but thanks for the update. Happy Bughunting furthermore! :wink:

@webprofusion
Hi, is there any update on this matter?

Hi, no, there have been no further improvements to PowerShell impersonation and there is no work scheduled for this - we will likely revisit this in the future but I don’t know when. You should find an alternative solution such as a scheduled task which picks up your certificate and processes it, or use SSH into your remote machine to perform scripting as the target user.