Forum Discussion

Pretzel's avatar
Pretzel
Icon for Neophyte rankNeophyte
5 months ago

PowerShell Datasource with NonAdmin Collector

Hey can some maybe explain to me what i'm doing wrong. We recently change all our Collector to Non-Admins. We have the Windows Certificates Datasource in place and if i understand correct the Datas...
lmproduct
Pretzel's avatar
Pretzel
Icon for Neophyte rankNeophyte

I'm using wmi.user and wmi.pass properties, the properties are set on the server object and has the rights on the target server but is non admin on collector.

If I have not overlooked anything then there should be nothing in the powershell script that triggers Set-ExecutionPolicy.

I have also run the code once on the collector under the non admin service user and get no error. I have also tested signing. I can't explain what is causing this.

This is my test datasource (i need to change my return to int)

# Clears the CLI of any text
Clear-Host
# Clears memory of all previous variables
Remove-Variable * -ErrorAction SilentlyContinue
#------------------------------------------------------------------------------------------------------------
# Initialize Variables
$TargetHostName = '##SYSTEM.SYSNAME##' + '.' + '##SYSTEM.DOMAIN##'
$CollectorHostName = $env:computername
$TargetUserName = '##wmi.user##'
$TargetPassword = '##wmi.pass##'
$DebugMode = $false

$ScriptBlock = {
    param (
        [bool]$Debug
    )
    # Get pagefile information
    $pageFileInfo = Get-CimInstance -Class Win32_PageFileUsage | Select-Object *
    $CompSysResults = Get-CimInstance win32_computersystem -Namespace 'root\cimv2'

    # Initialize variables
    $pageFileDrive = ""
    $isOnC = $false
    $isAuto = $false
    $otherFilesExist = $false

    if ($pageFileInfo) {
        $pageFilePath = $pageFileInfo.Name
        $pageFileDrive = Split-Path -Path $pageFilePath -Qualifier

        # Check if pagefile is on C: drive
        $isOnC = $pageFileDrive -eq "C:"

        # Check if pagefile size is set to auto
        $isAuto = $CompSysResults.AutomaticManagedPagefile

        # Output results
        Write-Host "PageFileDrive=$pageFileDrive"
        Write-Host "IsOnCDrive=$isOnC"
        Write-Host "IsAutoManaged=$isAuto"

        # Check for other files/folders on pagefile drive
        if ($pageFileDrive -eq "D:") {
            $otherItems = Get-ChildItem -Path $pageFileDrive -Force | Where-Object { $_.FullName -ne $pageFilePath }
            $otherFilesExist = $otherItems.Count -gt 0
            Write-Host "OtherFilesExist=$otherFilesExist"
        }

    }
}


if ($TargetHostName -eq $CollectorHostName)
{
    Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList @($DebugMode,$Instance)
}
else
{
    #If WMI creds undefined - invoke remote command without creds, if not - create credential object and use it for authorization
    if (($TargetUserName -Match "wmi.user" -and $TargetPassword -Match "wmi.pass") -or 
        ($TargetUserName -eq "" -and $TargetPassword -eq ""))
    {
        Invoke-Command -ComputerName $TargetHostName -ScriptBlock $ScriptBlock -ArgumentList @($DebugMode,$Instance)
    }
    else
    {
        $TargetCredentials = New-Object System.Management.Automation.PSCredential ($TargetUserName, $(ConvertTo-SecureString $TargetPassword -AsPlainText -Force))
        Invoke-Command -ComputerName $TargetHostName -ScriptBlock $ScriptBlock -Credential $TargetCredentials -ArgumentList @($DebugMode,$Instance)
    }
}

Exit 0

 

 

 

and this is code from Windows Certificate Datasource and its running without error. If i past the code into my newly created datasource i also get an error for ExecutionPolicy. So if there is not command inside that is triggering ExecutionPolicy this should be a bug?

 

$Instance = '##WILDVALUE##'
$TargetHostName = '##SYSTEM.SYSNAME##' + '.' + '##SYSTEM.DOMAIN##'
$CollectorHostName = $env:computername
$TargetUserName = '##wmi.user##'
$TargetPassword = '##wmi.pass##'
$DebugMode = $false

$ScriptBlock = {
    param (
        [bool]$Debug,
        [String]$SerialNumber
    )
    
    if ($Cert = Get-ChildItem -Path cert:LocalMachine -Recurse | Where-Object { $_.SerialNumber -eq $SerialNumber } | Sort-Object -Unique) {
        $TimeSpan = New-TimeSpan -Start (Get-Date) -End $Cert.NotAfter
        $DaysLeft = $TimeSpan.Days
        Write-Host "DaysLeft=$DaysLeft"
    }
}

if ($TargetHostName -eq $CollectorHostName)
{
    Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList @($DebugMode,$Instance)
}
else
{
    #If WMI creds undefined - invoke remote command without creds, if not - create credential object and use it for authorization
    if (($TargetUserName -Match "wmi.user" -and $TargetPassword -Match "wmi.pass") -or 
        ($TargetUserName -eq "" -and $TargetPassword -eq ""))
    {
        Invoke-Command -ComputerName $TargetHostName -ScriptBlock $ScriptBlock -ArgumentList @($DebugMode,$Instance)
    }
    else
    {
        $TargetCredentials = New-Object System.Management.Automation.PSCredential ($TargetUserName, $(ConvertTo-SecureString $TargetPassword -AsPlainText -Force))
        Invoke-Command -ComputerName $TargetHostName -ScriptBlock $ScriptBlock -Credential $TargetCredentials -ArgumentList @($DebugMode,$Instance)
    }
}

Exit 0

 

Mike_Moniz's avatar
Mike_Moniz
Icon for Professor rankProfessor
5 months ago

Outside of the code above what is different from two DataSources? Is one Batch while the other is Script for example? Does once have ActiveDiscovery and the other doesn't? etc. Perhaps even export both and compare the raw JSON.

Might want to work out a bare min replication. For example, do you see the same error even if the script is literally just "Exit 0" and nothing else? Might need to work with LM support to look at your specific situation.