Super Contributor.

Scripting Driver - Privilege Issue


Hey,

Currently using 4.8.1 IDM & eDirectory 9.2.

I am able to run a command on the Remote Loader machine locally without any issues, but if I trigger the script using the driver, I get an access denied error.

Note: The account that is logged into the Remote Loader to execute the PowerShell is the same one I configured for Driver and RL communication.

Sadly, the application team says that, using my Remote Loader machine, I am able to run it; if it's not running when triggered using the driver, then it's my cup of tea.

Any thoughts on this?

Accepted Solution
Knowledge Partner

How is your RL configured to run?

Is it run as a service with the system account?

I had a "similar" issue with another driver that was supposed to execute PowerShell scripts on the Windows box.

Trick - run the RL as a service under this specific account instead of the "default" system (local) account.

The RL trace window will not be open, as your RL runs in a "different" session.

I use BareTail to "emulate" the RL Trace window functionality.


4 Replies

Knowledge Partner
Can you provide more details regarding the type of PowerShell commands you are running?

Some commands require different types of authentication that may not be possible under the local service account. (Which is what I think Alex B was getting at).

The normal config I run with is this:

Configure script service. Set it to run as a domain user or the user which normally would run these commands.

Make this user above a member of local administrators group (on the member server itself).

Configure the scripting driver RL to run as local system.

The logic behind this config is that the events from the engine are stored in clear text (yes, you should also have EFS enabled) in the Windows temp directory. So the script service needs local admin rights to access and read those events.

The script service is the only bit that actually runs PowerShell commands. It often needs to run as the user who has the rights to execute such commands. This is essential in cases where the PowerShell commands expect to be able to use Kerberos or NTLM authentication.
Alex McHugh - Knowledge Partner - Stavanger, Norway
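The configuration above splits the work between two services with different identities, so the first thing to check on a failing host is which account each service actually logs on as, whether the script-service account really is a local administrator, and what the folder's current ACL looks like. The following PowerShell is an added example, not code from the thread or from the scripting driver itself; the service display-name patterns, the sample account `CONTOSO\svc-idm-script`, the sample folder, and the trace-file path are all assumptions to be replaced with the real values on your Remote Loader host. It also tails the RL trace file, which is the same idea as the BareTail approach mentioned earlier in the thread, since no trace window is available when the RL runs as a service.

```powershell
# Added example (not from the thread or the driver): verify the identities behind
# the scripting driver setup described above and watch the RL trace for errors.
# Every name below is a placeholder or constructed sample; substitute your own.
$ScriptServicePattern = '*Script*'                          # assumed display-name pattern of the script service
$RemoteLoaderPattern  = '*Remote Loader*'                   # assumed display-name pattern of the RL service
$ScriptAccount        = 'CONTOSO\svc-idm-script'            # constructed sample domain account for the script service
$TargetFolder         = 'D:\Shares\ProjectX'                # constructed sample folder the driver script sets ACLs on
$TraceFile            = 'C:\Placeholder\RemoteLoader\trace.log'  # placeholder path to the RL trace file

# 1. Which identity does each service log on as?
#    Win32_Service.StartName is 'LocalSystem' for the built-in system account,
#    or DOMAIN\user for a named account (the script service should show the latter).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $ScriptServicePattern -or
                   $_.DisplayName -like $RemoteLoaderPattern } |
    Select-Object DisplayName, Name, StartName, State, StartMode |
    Format-Table -AutoSize

# 2. Is the script-service account a member of the local Administrators group
#    (needed to read the engine events the RL drops in the Windows temp directory)?
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($admins -contains $ScriptAccount) {
    Write-Output "$ScriptAccount is a member of the local Administrators group"
} else {
    Write-Warning "$ScriptAccount is NOT in the local Administrators group"
}

# 3. Read-only look at the folder the script will change: 'icacls <path>' with no
#    /grant or /deny only lists the existing ACL entries, so this changes nothing.
icacls $TargetFolder

# 4. Follow the trace file in place of the trace window and surface access-denied
#    lines as they appear (Ctrl+C to stop).
Get-Content -Path $TraceFile -Wait -Tail 50 |
    ForEach-Object {
        if ($_ -match 'access (is )?denied') { Write-Warning $_ } else { Write-Output $_ }
    }
```

Run this in an elevated PowerShell session on the Remote Loader host; step 2 requires the `Microsoft.PowerShell.LocalAccounts` module that ships with Windows PowerShell 5.1 and later. If step 1 shows the script service logging on as `LocalSystem` while the commands it runs need Kerberos or NTLM credentials, that mismatch is the access denied the original post describes.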
Super Contributor.

Can you provide more details regarding the type of PowerShell commands you are running?

It's the icacls command for granting rights on the folder.

Some commands require different types of authentication that may not be possible under the local service account. (Which is what I think Alex B was getting at). - correct 

The normal config I run with is this:

Configure script service. Set it to run as a domain user or the user which normally would run these commands. - Followed the same and it worked 

Thanks for your help

Knowledge Partner

I use the Sneakycat CLE and LDIF Driver to execute a number of complex PowerShell scripts that work with AD/Office 365/Azure AD and Workday.

The parameters for the scripts, and which scripts need to be executed, are calculated in the driver policies.

We don't have a "free internet" connection. All internet connectivity must go through the corporate proxy, and that takes out the option of running the Remote Loader under the "default" system (local) account. The RL process must run under a "real" AD domain account.

As all functions are fully automated, the RL (scripts) are supposed to be executed in interactive and/or non-interactive modes (nobody is logged on to the console of the Remote Loader server).

Even when somebody is logged on to the server console, the RL process (and PowerShell) run in their "own memory space" and can't display the RL trace window. For this reason, I run the BareTail app, which shows info from the RL trace file (emulating the "native" RL trace functionality).

Alex

P.S.

I want to separately thank Aleks Mujadin, author of the great C2 apps, the LDIF manipulation tools, and this wonderful IDM driver, which provides more flexibility, functionality, and security than some "commercial" drivers.

A new version (with a number of important bug fixes and enhancements) was released less than a week ago and is available on the CS site.

https://community.microfocus.com/t5/Identity-Manager-Tips/Sneakycat-CLE-and-LDIF-Driver-0-91/ta-p/1773684
