Vista - executing ps1 from a web browser, alternate credentials

Hi all,
Im a web developer who has developed an online user management system for our company.


As phase 1 of the project, I used powershell and exchange management shell scripts to create and manage AD users and Mailboxes. The scripts were simply created and placed in a folder where they were periodically picked up by a scheduled task (run with admin rights) and executed.


I am now trying to make the system a little more user friendly and have been trying to get the scripts to execute on the fly as the end user requests them from the online system. This way the user can have a report on the outcome right there and then. Problem with this is that the internet user does not (nor should it) have elevated privileges like creating users in powershell. My goal is to be able to run each script as an admin user tho all the information i have found online says that the password must be prompted and cannot be stored in a variable (even if encrypted).


When i execute a script from php, i use this command:


$cmd = “C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -PSConsoleFile \”C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1\” -Command \”. ‘”.EMS_SCRIPT_PATH.”tesmgi-001-20080313_053745.ps1′\”";
$emsResult = exec($cmd, $output);


The output is a lovely Access Denied Error.


[0] =>
[1] => Name Type DN
[2] => —- —- –
[3] => domain domainDNS DC=domain,DC=local
[4] => New-QADUser : General access denied error


I’m hoping someone has had similar problems and maybe has a work around or maybe just a pointer in the right direction.


Cheers,


Ging

Well, I've seen some things floating around here and in the forums on
powershellcommunity.org, but they are for using ASP.NET for something
similar.

I had to do something similar before in Windows and Linux. I wanted to
stick with a somewhat common logic for both OSs, and since my Linux web
server was chroot'ed, I was pretty limited.

What I did was something like this:
1. Create a looping script and run it with elevated priviledges.
2. When the user called the form:
a. Create a lock file so only one user can use the form.
b. Drop a quick tmp file with the form input.
3. The looping script would pick up the tmp file, process it, and drop a
new tmp file.
4. The input form would have enough logic to sleep for a bit, and
continue to look for the tmp file with the results.
5. Once the tmp file with the results was found, the page would refresh
with the results of the tmp file.
6. Remove the lock file.

If a 2nd user submitted the form while the lock file existed, a message
would simply ask them to try later.

That's roughly what I did.

So, you can actually run your looping script as Administrator via the
task manager.

It would be a good idea to have a script periodically to make sure the
loop (whatever process is still running).

One thing I was faced with was not adding enough error checking... My
script looked like it was in a continuous loop, but it had hit an error,
and was basically throwing an error to the desktop/screen, and halting
as a result.

Hope that helps.

Marco

I used VBScript for Windows, and the Bourne shell on Linux... Bourne
not being the best/most-common choice for Linux CGI scripts, but it
worked...

Hi Marco,

I was thinking of doing something very similar to what you have specified only not as far in depth... obviously you have spend a bit more time thinking about the repercussions to validation failure. Its a valid solution and thanks for the heads up mate... If all else fails this is probably the way i will end up going.

i'm just really hoping that someone can enlighten me on using alternate credentials without the need to prompting the user for the passwords. Obviously this was done for security purposes but if VB can do it, i'm betting that there is a way of doing it when executing a ps1.

Thanks again and hopefully we can solve the problems of the world soon

cheers,

G