SCCM executing script on clients under non system account/Run as account

Hey Guys,

I have a script which needs to be executed on a client machine under a domain account via the SCCM agent, instead of the local system account. The PowerShell script is accessing network resources, which is impossible under the system account.

I don't want to include the domain account and password in the PowerShell script; it is not secure.

Do you have any idea?

June 29th, 2015 2:41am

I would look at one of the following options:

  • Use multiple programs in your package. One program that runs as the user and copies the files and one program that does the installation.
  • Use a task sequence and use a Run command line step. In that step you can specify a user account.
June 29th, 2015 4:04am

Two additional suggestions:

  • If possible, you could grant the computer accounts read rights to the share in question. The "Domain Computers" group usually works well, and then every computer's SYSTEM account will have rights without using RunAs.
  • If not, you could prevent putting a cleartext password in the script by encrypting the password inside the script (helpful blog post). It wouldn't prevent someone who found the script from repurposing the encrypted password in another script, but it's a step above cleartext. 
June 29th, 2015 7:53am

Thanks for the feedback guys, but:

@Peter, actually the network resource is not a shared folder, it is a server which needs to be called from the script.

I don't want PowerShell encryption; I'm looking for a solution from SCCM.

It is not a complex task, it is a general task which every SCCM admin meets in their daily routine, and I think Microsoft must have a solution for it via SCCM.

All new ideas will be appreciated, thanks.

June 29th, 2015 8:15am

Well, as another option you could use a task sequence and leverage the built-in Run As functionality of the Run Command Line step. But I don't think I understand what you're trying to do well enough to see if that's the best option. 
June 29th, 2015 8:34am

We have a PowerShell script on the network which needs to be executed if a user needs access to a corporate application. Our support team connects to the server via Invoke-Command and executes the script with the client computer name as an input parameter. Script execution access is granted only to support users.

Now, I need to publish a Program via SCCM and grant user access to that program. The user will execute the program via the Application Catalog; after that the SCCM agent should perform the following command with the appropriate credential:

Invoke-Command -ComputerName ServerName -ScriptBlock ... and etc.

I don't know how to execute the script under a domain account.


June 29th, 2015 8:57am

There is no solution in ConfigMgr for this (except maybe using the run as ability of a task sequence but this is problematic in different scenarios).

How do you "call a server"? Sorry, that doesn't make sense. Accessing a network resource, regardless of what it is, is the same as far as authentication goes and is generally always the same as far as authorization goes (although that truly depends upon the resource): using the AD principal. In this case, as Peter pointed out, the local System account uses the AD computer account for the system it is on to access network resources and all AD computer accounts are part of the built-in Domain Computers group which can be used like any other group in AD for authorization purposes.

Without knowing exactly what you are doing, it's hard to offer anything more.

Finally, if it's an administrative task, perhaps ConfigMgr is not the best tool for the job. Can't say without the details though.

June 29th, 2015 9:01am

Set the script to run as the user. That's built-in, no reason to do anything else.
June 29th, 2015 9:02am

Does it make sense to grant domain computers execute permission on the corporate application? The application is critical for us, and it doesn't make sense to grant such access to domain computers. I assume that it could be done for one domain group (remediation group), where computers will be added for the installation period.

As I understand, there is no other solution except those listed in this forum.

Thanks guys for your time, I'll encrypt the password in the PowerShell script and use the Run As command.

June 29th, 2015 10:18am

At the time I wrote that, you hadn't posted any details of what you were doing so we had no idea. We still really have no idea so it's hard to say what is the best path.

June 29th, 2015 10:32am

I'll try to describe with detail, as much as allowed.

We have the Act_OnSrv.ps1 script on Server1. Act_OnSrv.ps1 could NOT be copied to a client machine and executed, as it uses a lot of PS modules and dependencies and must be executed only on Server1. So please consider it a rule: "Act_OnSrv.ps1 must be executed on the server".

The Act_OnSrv.ps1 script takes a computer name as input.

My task is:

Execute the PS commands below on the client machine under a domain account instead of the system account.

# Open a remoting session to Server1 and run the server-side script inside it
$Session = New-PSSession -ComputerName Server1
Invoke-Command -Session $Session -ScriptBlock { C:\_Script\Act_OnSrv.ps1 }

Note: Access to the server is restricted only for one user, domain\user1.

If the above is not making sense, please don't hesitate to contact me.

June 30th, 2015 3:41am

There's the -Credential parameter available for Invoke-Command.
June 30th, 2015 3:46am

The script must be executed on the client side, so in order to use the credential param I should encrypt the password. At this stage I don't want to; still looking for an SCCM solution.
June 30th, 2015 5:29am

ConfigMgr does not have a solution for you. It will run the script as system.

As mentioned you could use -Credential but this will use the password in clear text and is easily readable. 

I'd be interested in seeing what method you use to encrypt the password. From personal experience every time I have attempted this I was able to decrypt the password with ease.

June 30th, 2015 5:49am
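The -Credential route that Torsten and Paul refer to, written out as an added example (not code from the thread or from the original poster): the two commands from the earlier post, with the credential read from a DPAPI-protected file instead of a password inside the script, and the client computer name passed to Act_OnSrv.ps1 as its argument. Server1, C:\_Script\Act_OnSrv.ps1 and domain\user1 are the names used in the thread; the credential file path is an assumed placeholder. As Paul notes, this is protection against casual reading of the script, not against someone who can already run code as the account that created the file on that machine.

```powershell
# Added example, not from the thread. Placeholders: Server1, C:\_Script\Act_OnSrv.ps1,
# domain\user1 (from the thread) and C:\ProgramData\Act_OnSrv\cred.xml (assumed).
#
# One-time setup, run interactively on the client under the SAME Windows account the
# ConfigMgr program will later run as (SYSTEM for a program in the system context):
#   Get-Credential 'domain\user1' | Export-Clixml -Path 'C:\ProgramData\Act_OnSrv\cred.xml'
# Export-Clixml wraps the password with DPAPI, so the file decrypts only for that account
# on that machine. Anyone who can run code as that account can still recover it, which is
# the limitation Paul describes above.

$credPath = 'C:\ProgramData\Act_OnSrv\cred.xml'   # assumed path
$server   = 'Server1'                             # server named in the thread

if (-not (Test-Path -Path $credPath)) {
    throw "Credential file '$credPath' not found; create it under this account first."
}
$cred = Import-Clixml -Path $credPath              # PSCredential, password stays a SecureString

# Same session/invoke pair as the original post, now authenticated as domain\user1
$session = New-PSSession -ComputerName $server -Credential $cred -ErrorAction Stop
try {
    Invoke-Command -Session $session -ScriptBlock {
        param($ClientName)
        # Act_OnSrv.ps1 expects the client computer name as input (per the thread)
        & 'C:\_Script\Act_OnSrv.ps1' $ClientName
    } -ArgumentList $env:COMPUTERNAME
}
finally {
    # Always tear the session down, even if the server-side script fails
    Remove-PSSession -Session $session
}
```

Because DPAPI binds the file to the account and machine, the setup step has to be repeated on every client that will run the program, and the file is useless if copied to another host. If the password is rotated, the file must be regenerated; keeping the account restricted to what Act_OnSrv.ps1 needs on Server1 limits what the file is worth if a client is compromised.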

So back to what was already said: why not use a 'run command line' step in a task sequence? There's the option to specify an account.
June 30th, 2015 5:59am

@Paul, it is another topic for discussion. I suppose there will be a solution, hope so.

@Torsten, you are right in the OSD case; how do I do it in the case of program deployment?

June 30th, 2015 6:18am

You can also use a task sequence outside OSD. Just a single step that contains 'run command line'.
June 30th, 2015 7:23am

This topic is archived. No further replies will be accepted.
