Custom Inventory rule to run as a user
We are using Microsoft LAPS to manage the local administrator's passwords. It works great, but I would like a way to get this info into the computer inventory as a custom inventory value.
I created a PowerShell script that can be run from the local computer and works very well when run as a user that has been granted the rights to access the extended attributes in Active Directory:
C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe "Import-Module ActiveDirectory ; Get-ADComputer -Identity %COMPUTERNAME% -Properties * | Select ms-Mcs-AdmPwd |ft -hide"
My issue is that when the custom inventory rule is run on the local computer by the KACE agent, it runs under the System account. The local system has the ability to update the value in AD, but not read it back, so the following Custom Inventory Rule returns blank text:
ShellCommandTextReturn(c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe "Import-Module ActiveDirectory ; Get-ADComputer -Identity %COMPUTERNAME% -Properties * | Select ms-Mcs-AdmPwd |ft -hide")
I would like to get this data associated with the computer inventory somehow and it has to be run as a specific user account. Any ideas?
Answers (1)
1. (my preferred one) Create a KACE Script which runs as the user in need and creates a text file with the results. Use the CIR to read out the file.
2. Use runas.
With 2. you need to use a cleartext password, so I do not prefer this option.
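A sketch of option 1, added here as an example and not taken from the original answer: a PowerShell script for a KACE script to run as the delegated account, which writes the value to a file that only SYSTEM, local Administrators and that account can read. The output path, the `UNREADABLE` marker and the assumption that the account created (and so owns) the folder are hypothetical choices for illustration.

```powershell
# Added example, not the poster's code. Intended to be run by a KACE script under
# the account that has been delegated read access to ms-Mcs-AdmPwd.
Import-Module ActiveDirectory

# Hypothetical output location; the custom inventory rule reads this file.
$outDir  = Join-Path $env:ProgramData 'LapsInventory'
$outFile = Join-Path $outDir 'laps.txt'

# Request only the LAPS attribute instead of -Properties *.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'ms-Mcs-AdmPwd'
$password = $computer.'ms-Mcs-AdmPwd'

if (-not (Test-Path $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}

# Restrict the folder before the value is written: drop inherited ACEs and allow
# only SYSTEM (read, for the KACE agent), local Administrators, and the account
# running this script (modify, so later runs can overwrite the file).
# Well-known SIDs are used so the command does not depend on localized names.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
icacls $outDir /inheritance:r /grant:r `
    "*S-1-5-18:(OI)(CI)(R)" `
    "*S-1-5-32-544:(OI)(CI)(F)" `
    "*${me}:(OI)(CI)(M)" | Out-Null

if ([string]::IsNullOrEmpty($password)) {
    # Attribute is empty or this account cannot read it; record a marker so the
    # inventory field shows the failure instead of a stale password.
    Set-Content -Path $outFile -Value 'UNREADABLE' -Encoding ASCII
    exit 1
}

Set-Content -Path $outFile -Value $password -Encoding ASCII

# Matching custom inventory rule (runs as SYSTEM via the KACE agent):
#   ShellCommandTextReturn(cmd /c type C:\ProgramData\LapsInventory\laps.txt)
```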