Runas=current user failure

I am having an issue getting RunAs=currentuser to work. The project I am stuck with should be an easy one, but a week later I still don’t have this issue resolved. The server team has moved our print servers to the cloud, so I wrote a small PowerShell script to run and detect what printer is installed and move that printer to the new print server. This works with admin and non-admin domain accounts manually. I have 22,000 endpoints across America to change. I need the printers to be changed as the current logged-on domain user, who does not have admin rights. I have the printers checking if they exist on the new server against an array. Again, this works manually. I think BigFix is not completely running the script as the current logged-on user, but rather as the System account. The task will run, but the switching of the print servers is ignored. I hope that explanation is clear. If not, ask away; I will try to answer your questions. Thank you for your help in advance.

Oh, and one caveat: if the user does have admin rights, this task works flawlessly. Go figure: about 100 endpoints have admin rights. 21,900 to go.

Here is my script:

parameter "baseFolder" = "__Download/"

parameter "mainSWDLogFolder" = "{parent folder of client folder of current site}/__Global/SWDDeployData"
folder create "{parameter "mainSWDLogFolder"}"
parameter "logFile" = "SWD_DeploymentResults.log"

delete powershell.ps1
delete {parameter "baseFolder"}powershell.ps1

delete __createfile
parameter "logFolder" = "{parameter "mainSWDLogFolder"}"

createfile until _end_

$AW2PRINTSVRP04 = @("csc101-pcl6", "csc101-PC6-old", "cac101-xc", "csc104-pcl6", "csc106-pcl6", "csc106-xc", "csc107-pcl6", "csc112-pcl6", "csc112-xc", "csc113_2-pcl6", "csc113_2-xc", "csc113_2-XColor", "csc113-pcl6", "csc113-xc", "csc115-pcl6", "csc115-pcl6", "csc115-xc", "csc117-pcl6", "csc117-xc", "csc120-pcl6", "cac120-xc", "csc123-pcl6", "csc123-xc", "csc201-pcl6", "csc201-xc", "csc202-pcl6", "csc202-xc", "csc204-xc", "csc207-pcl6", "csc207-xc", "csc209-pcl6", "csc209-xc", "csc210-pcl6", "csc212-pcl6", "csc214-pcl6", "csc216_7-pcl6", "csc216-pcl6", "csc218-pcl6", "csc221-pcl6", "csc225-pcl6", "csc226-xc", "csc229-xm", "CSC-Lobby", "ic116-pcl6", "ic116-xc", "ic142-xm", "ic211-pcl6", "ic211-xc", "ic222-pcl6", "ic222-xc", "ic257-pcl6", "ic257-xc", "ic261-XM PostScript", "ic262-pcl6", "ic262-xc", "ic-lobby")
$AW2PRINTSVRP03 = @("csc106_1", "csc106_p", "csc107-1", "csc107-p", "csc112-1", "csc112-p", "csc113_1-1", "csc113_1-p", "csc113_2-1", "csc213_2-p", "csc120-1", "csc120-p", "csc202-1", "csc202-p", "csc209-1", "csc209-p", "csc214-p", "csc216-1", "csc216-1", "csc216-p", "csc226-1", "csclobby-L", "cscLobby-P", "DesignJet T7200", "ic116-1", "ic116-p", "phoenix-1", "phoenix-p")

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$userSid =([System.DirectoryServices.AccountManagement.UserPrincipal]::Current).SID.Value

New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

$printers = Get-ChildItem -Path HKU:\$userSid\Printers\Connections\ -name

Foreach ($Entry in $printers) {{
    $printerStr = $Entry.Split(",")
    $server = $printerStr[2]
    $printerName = $printerStr[3]
    Write-Host "printer is $printerName on server $server."
    if ($server -eq "Printserver4") {{
        if ($printerName -in $AW2PRINTSVRP04) {{
            write-host "Printer $printerName Exists in array"
            Remove-Printer -Name "\\$SERVER\$printerName"
            $server = "AW2PRINTSVRP04"
            Add-Printer -ConnectionName "\\$server\$printerName"
        }
        else {{
            if ($printerName -in $AW2PRINTSVRP03) {{
                write-host "Printer $printerName Exists in array"
                Remove-Printer -Name "\\$SERVER\$printerName"
                $server = "AW2PRINTSVRP03"
                Add-Printer -ConnectionName "\\$server\$printerName"
            }
        }
    }
}

Remove-PSDrive -Name HKU

_end_

move __createfile {parameter "baseFolder"}powershell.ps1

override wait
completion=none
RunAs=currentuser

wait powershell -ExecutionPolicy Bypass -File "{parameter "baseFolder"}powershell.ps1"
pause while {exists running application "powershell.exe"}

If the users aren’t admins, I don’t know if they’d have permission to access the powershell.ps1 file that’s created. I generally move it to the temp folder and then have it run. Something like:

move __createfile "{name of drive of system folder & "\Temp\powershell.ps1"}"

2 Likes

Wow, can it be so simple? Going to try now. Thank you for answering!

So… the moment of truth… epic failure. It seems when you copy a file over as the System account, no other user (except an admin) can even read the file. I copied it over to the user’s desktop on the second try and still the end user does not have read access, thus the script fails. I have tried many different solutions; all have failed. It seems that even though you run the script as the logged-on user, it still creates/copies the file as the System account.

I have gone as far as uploading the script, then copying it over; same issue.

Are you copying it, or moving it?

This is a Windows filesystem behavior. If you move a file, it retains its original permissions (in the case of a file in __BESData, keeping permissions for only Administrators and System). If you copy a file, it gets new permissions based on the target directory.

So you’ll want to copy it, not move it.

1 Like
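
The move-versus-copy behaviour described in the reply above can be reproduced without BigFix. This is an added example, not code from the thread: it builds a restricted folder under `$env:TEMP` as a stand-in for `__BESData` (the folder names and the function name `Compare-MoveVsCopyAcl` are made up for the demonstration), then moves one file and copies another into an ordinary folder and lists who is on each resulting ACL.

```powershell
# Added example, not from the thread. Safe to run as a standard user:
# every path is created under $env:TEMP and removed at the end.
function Compare-MoveVsCopyAcl {
    $root = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
    $src  = (New-Item -ItemType Directory -Path (Join-Path $root 'restricted')).FullName
    $dst  = (New-Item -ItemType Directory -Path (Join-Path $root 'target')).FullName
    try {
        # Stand-in for __BESData: drop inherited ACEs, leave only the current user.
        $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        & icacls.exe $src /inheritance:r /grant:r "*${sid}:(OI)(CI)F" | Out-Null

        # Files created here inherit the restricted ACL.
        $a = Join-Path $src 'a.ps1'
        $b = Join-Path $src 'b.ps1'
        Set-Content -Path $a, $b -Value 'Write-Output "hello"'

        # Same-volume move is a rename: the file keeps the ACL it already has.
        Move-Item -Path $a -Destination (Join-Path $dst 'moved.ps1')
        # Copy creates a new file, which inherits its ACL from the target folder.
        Copy-Item -Path $b -Destination (Join-Path $dst 'copied.ps1')

        $ids = { param($p) (Get-Acl -LiteralPath $p).Access.IdentityReference.Value | Sort-Object -Unique }
        [pscustomobject]@{
            TargetFolder = & $ids $dst
            Moved        = & $ids (Join-Path $dst 'moved.ps1')
            Copied       = & $ids (Join-Path $dst 'copied.ps1')
        }
    }
    finally {
        Remove-Item -LiteralPath $root -Recurse -Force
    }
}

Compare-MoveVsCopyAcl | Format-List
```

`Moved` still carries the ACL of the restricted folder, while `Copied` matches `TargetFolder`.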

Didn’t realize that, good to know!

Sadly, I know that… I seriously thought I was copying it; I see now that I am moving it. I will try and get back to you. Thank you.

OK… that was indeed one of the issues. The second was that no matter what folder I put the file in, even though they had access to the file, it wouldn’t run. So I added an icacls to give everyone full access to the folder itself. I questioned that decision, but I do delete all scripts after they run, so the folder is always empty.

Here is the final working script:

if { not exists folder "C:\Scripts" } 
    waithidden cmd.exe /C mkdir "C:\Scripts"
endif

parameter "baseFolder" = "C:\Scripts"

waithidden C:\Windows\System32\icacls.exe {parameter "baseFolder"} /grant "Everyone:(OI)(CI)F"

delete {parameter "baseFolder"}\powershell.ps1

delete __createfile

createfile until _end_

$AW2PRINTSVRP04 = @("csc101-pcl6", "csc101-PC6-old", "cac101-xc", "csc104-pcl6", "csc106-pcl6", "csc106-xc", "csc107-pcl6", "csc112-pcl6", "csc112-xc", "csc113_2-pcl6", "csc113_2-xc", "csc113_2-XColor", "csc113-pcl6", "csc113-xc", "csc115-pcl6", "csc115-pcl6", "csc115-xc", "csc117-pcl6", "csc117-xc",  "csc120-pcl6", "cac120-xc", "csc123-pcl6", "csc123-xc", "csc201-pcl6", "csc201-xc",  "csc202-pcl6", "csc202-xc", "csc204-xc", "csc207-pcl6", "csc207-xc", "csc209-pcl6", "csc209-xc", "csc210-pcl6", "csc212-pcl6", "csc214-pcl6", "csc216_7-pcl6", "csc216-pcl6", "csc218-pcl6", "csc221-pcl6", "csc225-pcl6", "csc226-xc", "csc229-xm", "CSC-Lobby", "ic116-pcl6", "ic116-xc", "ic142-xm", "ic211-pcl6", "ic211-xc", "ic222-pcl6", "ic222-xc", "ic257-pcl6", "ic257-xc", "ic261-XM PostScript", "ic262-pcl6", "ic262-xc", "ic-lobby")
$AW2PRINTSVRP03 = @("csc106_1", "csc106_p", "csc107-1", "csc107-p", "csc112-1", "csc112-p", "csc113_1-1", "csc113_1-p", "csc113_2-1", "csc213_2-p", "csc120-1", "csc120-p", "csc202-1", "csc202-p", "csc209-1", "csc209-p", "csc214-p", "csc216-1", "csc216-1", "csc216-p", "csc226-1", "csclobby-L", "cscLobby-P", "DesignJet T7200", "ic116-1", "ic116-p", "phoenix-1", "phoenix-p")

Add-Type -AssemblyName System.DirectoryServices.AccountManagement            
$userSid =([System.DirectoryServices.AccountManagement.UserPrincipal]::Current).SID.Value

New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

$printers = Get-ChildItem -Path HKU:\$userSid\Printers\Connections\ -name

Foreach ($Entry in $printers) {{
    $printerStr = $Entry.Split(",")
    $server = $printerStr[2]
    $printerName = $printerStr[3]
    if ($server -eq "Printserver4") {{
        if ($printerName -in $AW2PRINTSVRP04) {{
            Remove-Printer -Name "\\$SERVER\$printerName" 
            $server = "AW2PRINTSVRP04"
            Add-Printer -ConnectionName "\\$server\$printerName"
        }
        else {{
            if ($printerName -in $AW2PRINTSVRP03) {{
                Remove-Printer -Name "\\$SERVER\$printerName" 
                $server = "AW2PRINTSVRP03"
                Add-Printer -ConnectionName "\\$server\$printerName"
            }
        }
    } 
}
Remove-PSDrive -Name HKU

_end_

copy __createfile {parameter "baseFolder"}\powershell.ps1

override wait
Hidden=true 
completion=none
RunAs=currentuser
wait powershell -ExecutionPolicy Bypass -File {parameter "baseFolder"}\powershell.ps1
pause while {exists running application "powershell.exe"}

delete {parameter "baseFolder"}\powershell.ps1

parameter "returnCode" = "{exit code of action}"

I hope this helps others. Thank you everybody for your help!

I guess this website does not like \ so if you use the script make sure you add those back in. :slight_smile:

To show code like that you can highlight your text and click the icon that looks like </> above the editor area to ‘format as code’.
I’ll edit your post since this looks very helpful, and congratulations!
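
An added example (not the poster's action and not BigFix code) for the staging-folder grant in the final script: `Get-BroadWriteAce` reports write-capable allow ACEs held by Everyone, Authenticated Users or BUILTIN\Users on a folder, and `Set-StagingAcl` applies a narrower ACL with `icacls`. Both function names and the demo folders are hypothetical, and the narrower ACL assumes that read and execute for the one logged-on user is enough to run the script, which the thread did not test.

```powershell
# Added example, not the poster's action. Demo folders are created under $env:TEMP.
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
# Write-type rights plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000)
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Resolve identities to SIDs so the check does not depend on localized names.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $WriteMask) -ne 0
        }
}

function Set-StagingAcl {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$UserSid)
    # Assumption: SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) keep full
    # control; the one logged-on user gets read and execute only.
    & icacls.exe $Path /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' "*${UserSid}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

# Demo: one folder with the grant used in the thread, one with the narrower ACL.
$root   = Join-Path $env:TEMP ('stage-demo-' + [guid]::NewGuid().ToString('N'))
$wide   = (New-Item -ItemType Directory -Path (Join-Path $root 'wide')).FullName
$narrow = (New-Item -ItemType Directory -Path (Join-Path $root 'narrow')).FullName
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

& icacls.exe $wide /grant '*S-1-1-0:(OI)(CI)F' | Out-Null   # Everyone:(OI)(CI)F, by SID
Set-StagingAcl -Path $narrow -UserSid $me

"wide:   $(@(Get-BroadWriteAce -Path $wide).Count) broad write ACE(s)"
"narrow: $(@(Get-BroadWriteAce -Path $narrow).Count) broad write ACE(s)"
Remove-Item -LiteralPath $root -Recurse -Force
```

Run against the real staging folder after deployment, `Get-BroadWriteAce` shows whether the Everyone grant is still in place once the script file has been deleted.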