[REFERENCE] HOW TO: PowerShell Workflow: Execute PowerShell with an account other than FIMService
Introduction: PowerShell workflow activities are executed by the FIM Service account by default. There could be a situation where we want to run the PowerShell script as another account, which means we need to save that account's credentials somewhere, preferably NOT in plain text. Here I'll save the ADMA account password, since we'll use it to execute Update-Recipient on the Exchange Server (the ADMA account is a member of Exchange Organization Administrators).
Implementation:
Create a secure password file - Here I've chosen to save the passwords in a directory I already created c:\SecurePW\
- Open PowerShell on the FIM Service server. IMPORTANT: you must run this as the FIMService account, or the password will not be read successfully when the workflow runs.
- PS C:\> read-host -AsSecureString | ConvertFrom-SecureString | out-File C:\SecurePW\adma.txt
- Type the ADMA account password
- exit
Take a look at the file and notice it's NOT stored as plain text, but as a secure string (324 characters).
Read in the encrypted password in your PS script - This is most easily demonstrated by an example. Here we'll do a remote PS session to the CAS server and execute Update-Recipient on the target user.
Param($TargetIdentity)
# Read the encrypted password back in. Without -Key, ConvertTo-SecureString uses the
# same per-user protection that ConvertFrom-SecureString applied, so this only works
# when run as the account that created the file (FIMService).
$pass = Get-Content C:\SecurePW\adma.txt | ConvertTo-SecureString
# Build a PSCredential for the ADMA account from the decrypted SecureString.
$mycreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "contoso\adma",$pass
# Open a remote Exchange session on the CAS server as ADMA and import its cmdlets.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://DC.contoso.com/PowerShell -Credential $mycreds
Import-PSSession -Session $session
# Run the Exchange cmdlet against the target passed in from the workflow activity.
Update-Recipient -Identity $TargetIdentity
# Always tear the remote session down so the connection does not linger.
Remove-PSSession -Session $session
Exit
Here the named parameter $TargetIdentity is defined in the activity as [//Target/MailNickname], one of the valid parameter values for Update-Recipient. Of course we could have used the built-in Exchange Provisioning via the dropdown in the ADMA, but what fun would that be?
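The two steps above (creating the protected password file, then reading it back into a PSCredential) can be wrapped in a small script that also checks the one thing that most often goes wrong: the file being created under a different account than the one the workflow runs as. The following is an added example written for this page, not code from the original post. It assumes the file path C:\SecurePW\adma.txt and the account name contoso\adma from the post; the expected runner name CONTOSO\FIMService and the function names are placeholders chosen here.

```powershell
# Added example (not from the original post): round-trip a per-user encrypted password
# file and confirm it decrypts under the current identity before the workflow depends on it.
# Assumptions: $PasswordFile and $AccountName come from the post; $ExpectedRunner is a
# placeholder for whatever account the FIM Service runs as in your environment.

$PasswordFile   = 'C:\SecurePW\adma.txt'
$AccountName    = 'contoso\adma'
$ExpectedRunner = 'CONTOSO\FIMService'   # placeholder: the account the workflow runs as

function New-ProtectedPasswordFile {
    param([string]$Path)
    # ConvertFrom-SecureString without -Key protects the string for the current user
    # on this machine only, so only that user can read the file back.
    $secure = Read-Host -Prompt "Password for $AccountName" -AsSecureString
    $secure | ConvertFrom-SecureString | Out-File -FilePath $Path -Encoding ascii

    # Tighten the file ACL to the creating user so other local accounts cannot copy it.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting parent permissions
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
        'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ProtectedCredential {
    param([string]$Path, [string]$UserName)
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        # This is the failure the workflow hits when the file was written by a different
        # user (for example an admin instead of FIMService): the blob cannot be unwrapped.
        throw "Cannot decrypt '$Path' as $([Environment]::UserName); re-create it under the workflow account. ($_)"
    }
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# Pre-flight check: warn if this session is not the account the workflow will use.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $ExpectedRunner) {
    Write-Warning "Running as $me, not $ExpectedRunner; a file created now will not decrypt inside the workflow."
}

New-ProtectedPasswordFile -Path $PasswordFile
$cred = Get-ProtectedCredential -Path $PasswordFile -UserName $AccountName
# Prove the round trip without echoing the secret: report only the decrypted length.
"Loaded credential for $($cred.UserName); password length $($cred.GetNetworkCredential().Password.Length)"
```

Run it once interactively as the FIM Service account; if the warning fires, or Get-ProtectedCredential throws, the file will not be usable from the workflow and should be re-created under the correct identity.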
Comments
Anonymous
December 16, 2013
How does it know how to decrypt the password without a key?

Anonymous
December 16, 2013
Daniel, the securestring approach is not totally secure, but it is more secure than a password in plain text. I came across this post which I think explains it well: stackoverflow.com/.../how-is-securestring-encrypted-and-still-usable An important caveat is that when the ADMA account (or whatever account we are using for this) changes the password, you will need to go through the steps for creating the secure password file.

Anonymous
December 16, 2013
The comment has been removed

Anonymous
December 17, 2013
Thank you Andrew! Very enlightening!