Invoke-UAScript with -Credential

Product: PowerShell Universal
Version: 2.3.0

I followed the notes in the ticket below in an attempt to execute a script with a specified set of credentials that are stored as a secret variable, but the script is still being executed with the account that is running the PowerShell Universal Windows service (listed under “Log on as”) instead of the referenced credentials. The job status displays "run manually by “ServiceAccount” in the Integrated environment as “userAccountName”", and the output of the script shows “ServiceAccount” as the user actually executing the script.

I’m trying the following (the user’s credentials are stored as a secret variable):

$Creds = Get-UAVariable -Name $User
Invoke-UAScript -Script Script1.ps1 -Credential $Creds

What piece am I missing to force the script to run with the user’s credentials instead of the service account?

Make sure to run it in an environment besides the Integrated one since it doesn’t support credentials right now.

You can either specify the environment during the invoke.

Invoke-PSUScript -Script $Script -Credential (Get-UAVariable -name 'iis') -Environment '5.1'

Or you can assign it on the script.


After doing so, I’m receiving the following error message after the job fails:

“Error executing job: A required privilege is not held by the client”

Am I required to create a token for each user in order for them to execute jobs?

Hmmm that is something I did not consider. I’m sure there is some way to provide this privilege to the user logging in via a script: Running as a Service Account - PowerShell Universal

Actually, it looks like the Carbon module can do this: PowerShell - Grant-Privilege - Carbon

Install-Module Carbon
Grant-Privilege -Identity $Credential.UserName -Privilege 'SeBatchLogonRight'

@adam, for testing, I have manually given my accounts the rights needed as outlined in https://docs.powershelluniversal.com/config/running-as-a-service-account

With that being said, my script is executing successfully, but not as the end user. I’m using the code below, but $env:USERNAME inside the script being invoked is the account running the Windows service instead of the user account. The job description makes it appear that it executed successfully: "run manually by serviceAccountName in the 7.1.3 environment as User1". However, the output shows it executed as the service account.

Invoke-PSUScript -Script $Script -Credential (Get-UAVariable -name 'User1')

Update: $env:USERNAME is still evaluating to the service account, however “whoami” is evaluating to the user… the main focus is figuring out how to pass the PSCredential object into the script so that I can create PSSessions with the user’s account.

I’ve attempted to pass the PSCredentials as follows but it does not appear to be passing them to the script file successfully:

Invoke-PSUScript -Script $Script -Credential (Get-UAVariable -name 'User1')

The code above is working correctly for me. I needed to allow the script being invoked to run and understand that $User continues to evaluate to the service account, but everything in the script is in fact executing with the credentials specified in the (Get-UAVariable -name ‘User1’) variable. This was confirmed by storing the current user with “whoami”.

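The identity check that settles the question in this thread, written out as an added example (this is not code from the thread, nor from PowerShell Universal or its documentation). It assumes you save it as a script such as Get-JobIdentity.ps1 (hypothetical name), register it in PSU, and invoke it from a non-Integrated environment with -Credential; the $ExpectedUser and $SessionCredential parameters are assumed to be supplied as script parameters on the Invoke-PSUScript call, and $Target is a constructed placeholder host name.

```powershell
<#
    Added example (not from the thread or PowerShell Universal): report which Windows identity
    a PSU job really runs under, and optionally open a PSSession from that identity.

    $env:USERNAME is copied from the environment block of the parent process (the PSU Windows
    service), so it keeps naming the service account even when the job's process token belongs
    to the credential passed with -Credential. The token, which is what whoami.exe and
    WindowsIdentity report, is the authoritative answer.

    Assumed invocation (parameters passed as PSU script parameters):
      Invoke-PSUScript -Script 'Get-JobIdentity.ps1' `
                       -Credential (Get-UAVariable -Name 'User1') `
                       -Environment '5.1' `
                       -ExpectedUser 'DOMAIN\User1'
#>
param(
    # Account the job is expected to run as, in DOMAIN\user form (assumed parameter).
    [string]$ExpectedUser,

    # Optional explicit credential for the PSSession; when omitted the job's own token is used
    # (assumed parameter; constructed placeholder host below).
    [pscredential]$SessionCredential,

    [string]$Target = 'placeholder-host.example.com'
)

function Get-JobIdentityReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity

    [pscustomobject]@{
        EnvUsername = $env:USERNAME                  # inherited env var: misleading for this purpose
        TokenUser   = $identity.Name                 # DOMAIN\user taken from the process token
        WhoAmI      = (& whoami.exe).Trim()          # same token, reported by the whoami tool
        AuthType    = $identity.AuthenticationType   # e.g. Kerberos / NTLM for a domain logon
        IsSystem    = $identity.IsSystem
        IsAdmin     = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

$report = Get-JobIdentityReport
$report | Format-List | Out-String | Write-Output

# Fail the job loudly if the token does not match the credential it was supposed to use.
# A mismatch here (TokenUser equals the service account) is the symptom described in the thread:
# the credential was not applied, typically because the Integrated environment was used or the
# account lacks the SeBatchLogonRight privilege.
if ($ExpectedUser -and ($report.TokenUser -ne $ExpectedUser)) {
    throw "Job token is '$($report.TokenUser)', expected '$ExpectedUser'. Credential was not applied."
}

# Because the script already executes under the user's token, a remoting session can rely on that
# token for authentication; an explicit credential is only needed to connect as somebody else.
$sessionParams = @{ ComputerName = $Target; ErrorAction = 'Stop' }
if ($SessionCredential) { $sessionParams['Credential'] = $SessionCredential }

try {
    $session = New-PSSession @sessionParams
    # Verify on the remote side which identity the session was authenticated as.
    $remoteUser = Invoke-Command -Session $session -ScriptBlock {
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
    Write-Output "Remote session on $Target authenticated as: $remoteUser"
}
finally {
    if ($session) { Remove-PSSession -Session $session }
}
```

Read TokenUser (or WhoAmI) rather than EnvUsername when auditing job output or writing detection logic around which account performed an action; EnvUsername will report the service account for every job regardless of the credential used, which is exactly the false alarm seen above.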

Awesome. Glad you got all that working!