Can I execute installation as different user?

Question

We need to execute the command below using a specific domain account we created, but I am having trouble passing the command to the new Powershell session. The error I am getting is

"...The directory name is invalid"

However, when I execute something simple like running IE using the same code, everything works fine.

##Create new credential
$username = "DOMAIN\Username"

$password = "P@ssword"

$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))

##ScriptBlock to pass to new PS Session started with new credential
$ScriptBlock = { 

$args = "/s"

$username = "DOMAIN\Username"

$password = "P@ssword"

$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))

Start-Process -FilePath C:\TEMP\WinMagic\SecureDoc_64.exe -WorkingDirectory C:\TEMP\WinMagic\ -credential $credentials

}

##Execute new powershell session with new credential and scriptblock
Start-Process -FilePath powershell.exe -credential $credentials -ArgumentList "-noexit" , {$ScriptBlock}

Has the user account ever logged in to this system interactively? The error smells of PowerShell trying to set the working directory to `C:\Users\\` and failing, perhaps because the user profile doesn't exist — Mathias R. Jessen, Oct 19 '21 at 13:34
That shouldn't be a requirement @matiasrjessen, I use service accounts to log into remote systems regularly that don't have log on interactively permission. The difference there though is I am using PowerShell Remoting, not Start-Process — codewario, Oct 19 '21 at 13:44
@BendertheGreatest Exactly - you don't locally call `Start-Process` without specifying a working directory as those accounts :) — Mathias R. Jessen, Oct 19 '21 at 13:46
@my9to5 try `runas /user:username powershell $ScriptBlock`. This should create the profile if non-existant and run your code. At the least it should confirm whether this is a missing profile issue or not. You may need to provide `$ScriptBlock` as a string if going through runas though, I've not tried passing a scriptblock to powershell through it before. If that works I'll provide an answer so you don't have to provide the password interactively. — codewario, Oct 19 '21 at 13:48
@BendertheGreatest I ran that, but it just hosed. I am thinking that the profile might be the issue, though. If powershell is started from the profile using the code, it will just try to start in the profile. I feel like either this is overdoing it or missing something. — My9to5, Oct 19 '21 at 13:58
@My9to5 What was the error? `runas` 100% will create the profile directory if it does not exist. It executes as if it were an interactive logon (and will fail if the account does not have the "Log On Interactively" permission).' — codewario, Oct 19 '21 at 13:59
Thanks, @BendertheGreatest. I don't think the user's profile directory comes into play, given that a `-WorkingDirectory` argument is explicitly passed. (I just tried with a sample account whose profile dir. I've deleted and it worked). The error message suggests that the target user lacks permission to access the working directory. — mklement0, Oct 19 '21 at 14:07
@MathiasR.Jessen I did some digging and indeed `Start-Process` does not seem to create the profile directory if nonexistent. — codewario, Oct 19 '21 at 14:08
@mklement0 The problem is that the profile directory doesn't seem to get created with `start-process`, but PowerShell starts in the user profile which doesn't exist. I think this may be a chicken and egg scenario. — codewario, Oct 19 '21 at 14:09
`-WorkingDirectory` is passed inside the block, but not to the first/outer invocation of `Start-Process` — Mathias R. Jessen, Oct 19 '21 at 14:10
Good point, @MathiasR.Jessen - I missed that. Note that `Start-Process` tries to retain the _caller_'s working directory by default, and if that is inside a different user's profile directory tree, you'll get the error mentioned. So this may just be a case of having to pass a suitable working directory to the _outer_ `Start-Process` call. — mklement0, Oct 19 '21 at 14:13
@My9to5 It seems that -WorkingDirectory is an argument to Start-Process, try setting it there — codewario, Oct 19 '21 at 14:13
@My9to5, I hope the linked duplicate explains the problem and the need to pass a `-WorkingDirectory` argument to the _outer_ `Start-Process` call (too). If that doesn't help, we can revisit. — mklement0, Oct 19 '21 at 14:18
@mklement0 Good point, powershell.exe does this as well after a quick test. But if they are in another user's profile directory that doesn't explain the error because the path exists, but they would get an access denied error if the user doesn't have permissions to access that folder, not that the directory can't be found. — codewario, Oct 19 '21 at 14:18
@BendertheGreatest, no, I just tried: you get `The directory name is invalid.` (in both PS editions). — mklement0, Oct 19 '21 at 14:19
@mklement0 I'm not getting the same behavior, but I guess since this question is closed now it's a moot point :) — codewario, Oct 19 '21 at 14:26
Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/238327/discussion-between-mklement0-and-bender-the-greatest). — mklement0, Oct 19 '21 at 14:29
mklemento @mathias R. Jessen Was just testing and found that to be the issue. Have to define the powershell working directory (the outer start-process). I think the result was the same in the duplicate link, but the title question is different. — My9to5, Oct 19 '21 at 14:45
Makes sense, My9to5 (yes, the duplicate's title is different, but it's the same problem, explained in detail in [this answer](https://stackoverflow.com/a/42180341/45375)). @BendertheGreatest, the only way I get `access denied` is if the target _executable_ is located in a directory the target user isn't allowed access to. — mklement0, Oct 19 '21 at 16:25

Can I execute installation as different user?

0 Answers0