Product: PowerShell Universal
Version: 2.5.4 & 2.4.0
PowerShell Version: 5.1 & 7.1.4
Running as Service with ServiceAccount configured.
So I am seeing an issue when trying to run a script as a non-admin account. The account has been given the “Log on as a batch job” permission as per the documentation. Through the debugging I’ve done, I can see an error message in the PowerShellCore/Operational event log:
Log Name: PowerShellCore/Operational
Source: PowerShellCore
Date: 11/18/2021 1:17:40 PM
Event ID: 4102
Task Category: Executing Pipeline
Level: Warning
Keywords: None
User: <Run As Account>
Computer: <PSU server name>
Description:
Error Message = The specified drive root "C:\Users\<Service Account>\AppData\Local\Temp\" either does not exist, or it is not a folder.
Fully Qualified Error ID = DriveRootError
Provider name = FileSystem
Context:
Severity = Warning
Host Name = ConsoleHost
Host Version = 7.1.4
Host ID = 4f1723b1-20f5-48e6-8314-44b6f24d0c91
Host Application = C:\Program Files\PowerShell\7\pwsh.dll -NoProfile -Command & { [System.Reflection.Assembly]::LoadFrom('C:\Program Files (x86)\Universal\Host\host.dll') | Out-Null; [UniversalHost.AgentService]::StartJob(60826, 7008, $False, 50295) }
Engine Version =
Runspace ID =
Pipeline ID =
Command Name =
Command Type =
Script Name =
Command Path =
Sequence Number = 4
User = <Run As Account>
Connected User =
Shell ID = Microsoft.PowerShell
User Data:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="PowerShellCore" Guid="{f90714a8-5509-434a-bf6d-b1624c8a19a2}" />
<EventID>4102</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>106</Task>
<Opcode>19</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2021-11-18T19:17:40.547392300Z" />
<EventRecordID>855004</EventRecordID>
<Correlation />
<Execution ProcessID="7748" ThreadID="5592" />
<Channel>PowerShellCore/Operational</Channel>
<Computer><PSU Server></Computer>
<Security UserID="<Run As SID>" />
</System>
<EventData>
<Data Name="ContextInfo"> Severity = Warning
Host Name = ConsoleHost
Host Version = 7.1.4
Host ID = 4f1723b1-20f5-48e6-8314-44b6f24d0c91
Host Application = C:\Program Files\PowerShell\7\pwsh.dll -NoProfile -Command & { [System.Reflection.Assembly]::LoadFrom('C:\Program Files (x86)\Universal\Host\host.dll') | Out-Null; [UniversalHost.AgentService]::StartJob(60826, 7008, $False, 50295) }
Engine Version =
Runspace ID =
Pipeline ID =
Command Name =
Command Type =
Script Name =
Command Path =
Sequence Number = 4
User =<Run As Account>
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData">
</Data>
<Data Name="Payload">Error Message = The specified drive root "C:\Users\<Service Account>\AppData\Local\Temp\" either does not exist, or it is not a folder.
Fully Qualified Error ID = DriveRootError
Provider name = FileSystem
</Data>
</EventData>
</Event>
Checking the path, it does exist; however, the user that is running the command is not given access to that path, as it’s under a different user profile. When I give the Run As user permission to that temp folder, this error does not occur any more. There is a different error that I have posted about separately that occurs once this is cleared, but it sounds like that would be a non-related issue.
Based on the documentation, I did enable the Debug logging using the appsettings.json, however given the permissions part, I do not see any files getting created there (based on another post I found) or anything additional in the logs under ProgramData/PowerShellUniversal that seems to be useful. As giving permission to that path “fixes” the error, I don’t know if I would expect any logs under that temp folder or not.
I guess I don’t know that this is expected behavior for Run As accounts, but I did not find anything regarding file permissions needed in the documentation.
Any guidance would be appreciated. Thanks.
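
The check described in the post, as an added example that is not part of the original post and not PowerShell Universal code: a diagnostic to run as a PSU script under the Run As account, reporting which temp directory the job process resolves and whether that identity can list and write to it. The function name `Test-JobTempAccess` and the probe file name are hypothetical.

```powershell
# Added diagnostic (hypothetical helper, not part of PowerShell Universal).
# Run it as a job under the Run As account and compare TempPath with Identity.
function Test-JobTempAccess {
    [CmdletBinding()]
    param(
        # Directory to test; defaults to the temp path this process resolves
        # from its environment (TMP/TEMP), which may belong to another profile.
        [string]$Path = [System.IO.Path]::GetTempPath()
    )

    $result = [ordered]@{
        Identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        TempPath    = $Path
        EnvTemp     = $env:TEMP
        UserProfile = $env:USERPROFILE
        Exists      = [System.IO.Directory]::Exists($Path)  # false when access is denied
        CanList     = $false
        CanWrite    = $false
        Error       = $null
    }

    try {
        # Listing throws UnauthorizedAccessException when the folder's ACL
        # does not grant this identity access.
        $null = [System.IO.Directory]::GetFileSystemEntries($Path)
        $result.CanList = $true

        # Write and remove a uniquely named probe file to confirm write access.
        $probe = Join-Path $Path ('psu-probe-{0}.tmp' -f [guid]::NewGuid())
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        $result.CanWrite = $true
    }
    catch {
        # Keep the message so the job output shows why the check failed.
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

Test-JobTempAccess | Format-List
```

If `TempPath` sits under a profile other than the one belonging to `Identity` and `CanList` is false, the job is resolving a temp directory it has no rights to, which matches the `DriveRootError` in the event above.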