I've created a PowerShell session configuration with a RunAs user. I am able to connect to the configuration using Enter-PSSession and Invoke-Command, as well as through PowerShell Web Access. It works, and appears to be running correctly as the RunAs user.
I also have automatic transcription enabled through Group Policy so all PowerShell sessions are logged.
PowerShell transcripts log both a "Username" and a "RunAs User" which as far as I knew was exactly for this situation.
But the issue I'm having is that it logs the RunAs user as both users, and the user name that was used to connect to the session is not recorded anywhere.
**********************
Windows PowerShell transcript start
Start time: 20161109123326
Username: DOM\adminuser
RunAs User: DOM\adminuser
Machine: HOSTMACHINE (Microsoft Windows NT 6.3.9600.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 4676
PSVersion: 5.0.10586.117
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0.10586.117
BuildVersion: 10.0.10586.117
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
This is the top of my transcript with the user and machine names changed. DOM\adminuser is the RunAs user, but the user that authenticates to the session is different (my own account).
I don't think this is how this is supposed to work. I was expecting to see my user in the "Username" field.
I'm hoping someone has seen this before.
I think I figured this out. I'm pretty sure the RunAs User field is for a virtual account (RunAsVirtualAccount) if you set up your endpoint for impersonation, and not really for using a RunAsCredential.
Unfortunately a virtual account won't work for me because it must be a local account, and I need it to access a domain.
I'm not 100% on this so I'm not going to accept my own answer unless I get confirmation, so hopefully someone else has more info.
After more reading I'm convinced that this is the "expected" behavior and the above is correct.
For completeness, the user I'm looking for (the "invoker") is referred to as the "Connected User" and is available in the event logs, if you are logging those events. As it happens I am. The events contain the PID of the process, which is also available in the transcript, so from a transcript, I can read the PID and then find all the events that are associated with it.
Here's a (very rough) snippet to do that:
# Read the transcript and pull the PID out of the "Process ID:" header line
[int]$logpid = Get-Content $log | ForEach-Object {
    if ($_ -match '^Process ID:\s*(?<pid>\d+)') { $Matches['pid'] }
} | Select-Object -First 1
# Find every PowerShell provider event written by that process
$events = Get-WinEvent -ProviderName 'Microsoft-Windows-PowerShell' -FilterXPath "*[System[Execution[@ProcessID='$logpid']]]"
(where $log is the path to the transcript file).
And here's another rough snippet that makes a [hashtable] out of the juicy info available in some of the events (it's unstructured text):
# Turn the event's "Key = Value" context text into a hashtable
$infohash = $events[0].Properties[0].Value -split '\r?\n' |
    ForEach-Object -Begin { $stuff = @{} } -Process {
        $kv = $_ -split '\s+=\s+', 2          # split on the first " = " only, so values containing '=' survive
        if ($kv.Count -eq 2) { $stuff[$kv[0].Trim(' ', "`t")] = $kv[1] }
    } -End { $stuff }
Out of this, you'd use $infohash.'Connected User' to find who connected to the session, and $infohash.User to see the identity of the process (the RunAs user).
This was barely tested, it needs work, but hopefully it serves as a starting point and helps someone.
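Pulling the two snippets above together, here is an added example (not code from the original post) that takes a transcript path and returns both the RunAs identity and the "Connected User" from the correlated events. The event ID (4103, module logging), the Operational log name, the time window used to guard against PID reuse, and the function name are my assumptions; the "Key = Value" context format is the one the post's hashtable snippet parses.

```powershell
# Added example: correlate a PowerShell transcript with the Operational log events of the same
# process and report who actually connected to a RunAsCredential endpoint.
function Get-TranscriptInvoker {
    param(
        [Parameter(Mandatory)] [string] $TranscriptPath,
        [int] $EventId = 4103,          # assumption: module-logging events carry "Connected User" in their context
        [int] $WindowMinutes = 60       # assumption: bound the search so a reused PID from a later session is not matched
    )
    # Pull the header fields we need from the transcript banner (first lines of the file).
    $header = @{}
    Get-Content -Path $TranscriptPath -TotalCount 40 | ForEach-Object {
        if ($_ -match '^(?<k>Start time|Username|RunAs User|Process ID):\s*(?<v>.+)$') {
            $header[$Matches['k']] = $Matches['v'].Trim()
        }
    }
    if (-not $header['Process ID']) { throw "No 'Process ID:' line found in $TranscriptPath" }
    $logPid = [int]$header['Process ID']
    # Transcript start time is yyyyMMddHHmmss, as in the banner quoted in the post.
    $start = [datetime]::ParseExact($header['Start time'], 'yyyyMMddHHmmss', $null)

    # Events from the same process, limited to a window after the transcript started.
    $xpath  = "*[System[Execution[@ProcessID='$logPid'] and EventID=$EventId]]"
    $events = Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $start.AddMinutes($WindowMinutes) }

    # Parse the unstructured "Key = Value" context block. The lazy key group stops at the first '=',
    # so a value that itself contains '=' is kept whole.
    $connected = $null; $runAs = $null
    foreach ($evt in $events) {
        $ctx = @{}
        foreach ($line in ($evt.Message -split '\r?\n')) {
            if ($line -match '^\s*(?<k>[^=]+?)\s*=\s*(?<v>.*)$') { $ctx[$Matches['k']] = $Matches['v'].Trim() }
        }
        if ($ctx['Connected User']) { $connected = $ctx['Connected User']; $runAs = $ctx['User']; break }
    }

    [pscustomobject]@{
        Transcript     = $TranscriptPath
        ProcessId      = $logPid
        TranscriptUser = $header['Username']      # equals the RunAs user on a RunAsCredential endpoint
        RunAsUser      = $header['RunAs User']
        EventUser      = $runAs                   # "User" from the event context (the process identity)
        ConnectedUser  = $connected               # $null if the events were never logged or have aged out
    }
}

# Example call; the path is a placeholder.
Get-TranscriptInvoker -TranscriptPath 'C:\Transcripts\PowerShell_transcript.HOSTMACHINE.example.txt'
```

A $null ConnectedUser means the correlated events were not available, so transcription alone does not record the invoker of a RunAsCredential endpoint; keep module or script block logging enabled alongside transcripts if attribution matters.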