I am trying to build a form for staff to create a new AD user, but to go through our custom module we built. The module/functions work fine outside of the dashboard interface, we use them for automated creations daily. The module does various AD tasks (create user object, add some groups, mailboxes, etc) but how do I get the dashboard to run my module functions in the context of either the user who logged in to the form or as a service account?
I am front-ending my setup through IIS and SSL, if that info is helpful.
Product: PowerShell Universal
You won’t be able to run as the user logging in unless you configure credentials for each user within the variables and use the run as support to elevate the processes to those users’ context. It’s probably a lot of work to do it that way.
To run as a service account in IIS, you’ll just need to set the app pool identity to the account you want to use and then all commands run through PSU will run in that user’s context.
I have stored a secret for a service account that I would like to run this cmd as, instead of having to set up the IIS side with a service account. I will want to use multiple service accounts in the future with other dashboards and automation tasks.
I figured I could use that stored secret, but am having issues with implementation.
So is this not possible? Are dashboards only allowed to run in the same context as the whole PSU setup? Are automations the only place I can run something in another user context? I would have several dashboards that my Support team would use, and some of them touch other systems and need different access/service accounts to do the actions.
Currently, dashboards do not support alternate credentials. There's nothing really technically limiting here; it's just that that functionality hasn't been implemented.
You can use DPAPI to store many different account creds for your scripts. Log in as the user that IIS runs as, then create/store any service account creds in an encrypted file.
When your script runs in the dashboard, it can load the creds out of the encrypted file and then execute your AD commands with them. The easiest way is to set some global variables that all functions will reference for credentials. The ITGlueAPI module has some decent examples of creating/exporting/importing/using DPAPI-stored creds in this manner.
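As an added example of the DPAPI approach described in that reply (this is not code from the thread, from PowerShell Universal, or from the ITGlueAPI module), the one-time export is done while logged on as the IIS app pool account, and the dashboard script imports the files into a global table and passes the matching credential to the AD cmdlets. The secrets folder path, the `AdCreate` account name, the `Staff-Baseline` group and the function names are assumptions for illustration; `Export-Clixml`/`Import-Clixml` and the `-Credential` parameters on the AD cmdlets are real.

```powershell
# Added example (not from the original thread): DPAPI-protected credential
# files for dashboard scripts. Paths, account/group names and function names
# are assumptions for illustration.

# --- One-time setup: run interactively on the PSU server while logged on as
# the account the IIS app pool (and therefore PSU) runs as. ---
# Export-Clixml encrypts the SecureString inside a PSCredential with DPAPI,
# keyed to the current Windows user and machine, so only that account on that
# machine can read it back.
function Save-ServiceCredential {
    param(
        [Parameter(Mandatory)] [string] $Name,         # logical name, e.g. 'AdCreate'
        [Parameter(Mandatory)] [string] $SecretsRoot   # e.g. 'C:\ProgramData\PSU\secrets'
    )
    $cred = Get-Credential -Message "Service account for $Name"
    $path = Join-Path $SecretsRoot "$Name.cred.xml"
    $cred | Export-Clixml -Path $path

    # Tighten the file ACL to the owning account only. DPAPI already keys the
    # ciphertext to this user, but the ACL stops other local accounts from
    # reading the file at all; re-add administrators here if you need them.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited rules
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    return $path
}

# --- In the dashboard script (runs under the app pool identity) ---
function Import-ServiceCredentials {
    param([Parameter(Mandatory)] [string] $SecretsRoot)
    $creds = @{}
    foreach ($file in Get-ChildItem -Path $SecretsRoot -Filter '*.cred.xml') {
        $name = $file.BaseName -replace '\.cred$', ''
        # Import-Clixml decrypts with the caller's DPAPI key; it fails if the
        # file was exported by a different account or on a different machine,
        # which is the check that tells you the app pool identity is wrong.
        $creds[$name] = Import-Clixml -Path $file.FullName
    }
    return $creds
}

# Load once; every endpoint/function references the global table, so adding a
# second service account later is just another exported file.
$Global:ServiceCreds = Import-ServiceCredentials -SecretsRoot 'C:\ProgramData\PSU\secrets'

function New-StaffUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $OUPath
    )
    # The AD cmdlets accept -Credential, so the custom module's functions only
    # need to pass it through instead of relying on the process identity.
    $adCred = $Global:ServiceCreds['AdCreate']
    New-ADUser -Name $DisplayName -SamAccountName $SamAccountName -Path $OUPath `
        -Enabled $false -Credential $adCred
    Add-ADGroupMember -Identity 'Staff-Baseline' -Members $SamAccountName -Credential $adCred
}
```

Two things to keep in mind with this layout: DPAPI protects the credentials at rest, but any script the app pool runs can decrypt every file in the folder, so the dashboard code and the secrets folder should be writable only by the accounts that deploy them; and `Export-Clixml` only DPAPI-encrypts the SecureString on Windows, so the files are tied to the Windows account and machine that created them and must be re-exported if the app pool identity or server changes.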