Showing posts with label runas. Show all posts

Thursday 6 April 2023

Runas on Flows

Overview: If I use a connection in a Canvas App, the signed-in user uses their own permissions and the connector runs as the signed-in user.

Problem: I wish to run a flow as a specific user and not as the user calling the flow from the Canvas app.

Hypothesis: I wish to call a logging connector into Log Analytics, so I have created a flow. If I use the Power Apps V2 connector, it offers an option to run in another user's context.

Resolution: Open the Workflow, ensure you are using the Power Apps V2 trigger, then...


Here I use Scopes to implement Try/Catch/Finally logic.


Tip: Most people tend to use a custom connector to push the error message from the Workflow into a function; the function app uses the App Insights SDK and logs the workflow error.

Simple C# code to write to App Insights using the SDK. 

#r "Newtonsoft.Json"
using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    // Read the JSON payload posted by the workflow.
    string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
    dynamic data = JsonConvert.DeserializeObject(requestBody);

    // Default to 0 when eventId is missing; assigning null to an int throws at runtime.
    int eventId = data?.eventId ?? 0;
    string errType = data?.errType;
    string errMsg = data?.errMsg;
    string correlationId = data?.correlationId;
    string workflowId = data?.workflowId;
    string workflowUrl = data?.workflowUrl;
    string flowDisplayName = data?.flowDisplayName;

    // Custom properties attached to every log entry written inside the scope.
    var custProps = new Dictionary<string, object>()
    {
        { "CorrelationId", correlationId },
        { "WorkflowId", workflowId },
        { "WorkflowUrl", workflowUrl },
        { "WorkflowDisplayName", flowDisplayName }
    };

    using (log.BeginScope(custProps))
    {
        // Map the errType sent by the workflow to a log level.
        if (errType == "Debug") { log.Log(LogLevel.Debug, eventId, $"{errMsg}"); }
        else if (errType == "Trace") { log.Log(LogLevel.Trace, eventId, $"{errMsg}"); }
        else { log.LogInformation($"Event is {eventId}, type is {errType}, and msg is {errMsg}"); }
    }

    string responseMessage = $"This HTTP triggered function executed successfully. {errType} - {errMsg}";
    return new OkObjectResult(responseMessage);
}

More Info:

Reza Dorrani has a great recording showing running Power Automate flows using elevated/shared accounts.

Wednesday 17 November 2010

PowerShell - Running as a farm administrator using the SharePoint plug-in on PowerShell

Problem: I need to run SharePoint PowerShell commands in Production/UAT. I get remote access to the servers; however, the account is not the SharePoint farm account, as the farm account runs Windows services and should not have remote access to the servers.

Initial Hypothesis: Remote desktop into the WFE server, use the command prompt to launch PowerShell using the farm account. Lastly, add the SharePoint snapin for SharePoint 2010.
Update 6 Dec 2010 - Alternatively, hold down the shift key and right click the program you wish to run, you are given the "run as .." menu option.

Resolution:
1.> Remote desktop into the machine using a remote desktop access account i.e. demo\
2.> Open the cmd prompt and run the following cmd:
cmd > runas /user:demo\farm_admin c:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
3.> In the new PowerShell window add the PowerShell snapin
ps c:\windows\system32> Add-PSSnapin Microsoft.SharePoint.PowerShell
Read More:
http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/fcb77654-0f13-42e0-b181-6e52242fe9d6  Adding the SharePoint snapin to PowerShell.

Friday 12 November 2010

Installing SharePoint using a dedicated Installation account

Problem: Best practice is to install SharePoint servers using a dedicated install account.  This account is not the farm account.  Once the installation is complete, the installation account should be disabled.  You need to install in the role of the admin account to install correctly. 

Note:  If your install and farm account are the same as is often the case, this post does not apply to you.

Initial Hypothesis:  It is only worth following this post if you are using at least 5 or more accounts for your farm install.  The idea is that the installation account is disabled after installation.

Resolution:  The farm account needs the 2 SQL Server security roles namely: dbcreator and securityadmin.  The farm account still needs local admin permission rights on each Web Front End (WFE) server.  The Installation account does not need any SQL Server permissions.

Using the CodePlex AutoSPInstaller: launch the installer from a cmd prompt, using the runas cmd to run with the farm domain admin privilege.
cmd> runas /user:demo\farm_admin %windir%\system32\cmd.exe
cmd> D:\SP2010\Script>Launch.bat


You can also use the runas shortcut to change the account installing SharePoint.
Update 6 Dec 2010 - Hold down the shift key and right click the cmd prompt program menu, you are given the "run as .." menu option.

Update: 22 June 2011 - the current version of AutoSPInstaller is 2.5; additionally, the CodePlex project is called AutoSPInstaller, not SPAutoInstaller as previously named.

AutoSPInstaller - Step-by-step guide: http://blog.lekman.com/2010/11/automated-sharepoint-2010-installations.html
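
A check for the role split described in the Resolution above, as an added example that is not part of the original post or of AutoSPInstaller: it lists each account's direct fixed server role memberships and compares them with what the post says the account needs. The instance name SQL01 and the install account name demo\sp_install are assumptions; run it under a Windows account that can see other logins on the instance.

```powershell
# Added example: audit fixed server roles against the roles the post says each account needs.
# Assumed names (not from the post): SQL01, demo\sp_install.
function Test-SqlServerRole {
    param(
        [Parameter(Mandatory)][string]$SqlInstance,
        [Parameter(Mandatory)][string]$Login,
        [string[]]$Expected = @()
    )
    # Direct memberships only; roles inherited through a Windows group are not listed,
    # and the implicit 'public' role never appears in this view.
    $query = @'
SELECT r.name
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login;
'@
    $actual  = New-Object 'System.Collections.Generic.List[string]'
    $connStr = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
    $conn    = New-Object System.Data.SqlClient.SqlConnection $connStr
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        # Parameterised so the login name is never concatenated into the SQL text.
        [void]$cmd.Parameters.AddWithValue('@login', $Login)
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $actual.Add($reader.GetString(0)) }
    }
    finally { $conn.Dispose() }

    $missing = New-Object 'System.Collections.Generic.List[string]'
    $extra   = New-Object 'System.Collections.Generic.List[string]'
    foreach ($r in $Expected) { if ($actual -notcontains $r) { $missing.Add($r) } }
    foreach ($r in $actual)   { if ($Expected -notcontains $r) { $extra.Add($r) } }

    [pscustomobject]@{
        Login     = $Login
        Missing   = $missing -join ', '   # roles the post requires but the login lacks
        Extra     = $extra -join ', '     # roles beyond what the post requires, e.g. sysadmin
        Compliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Farm account: exactly dbcreator and securityadmin. Install account: no server roles.
Test-SqlServerRole -SqlInstance 'SQL01' -Login 'demo\farm_admin' -Expected 'dbcreator','securityadmin'
Test-SqlServerRole -SqlInstance 'SQL01' -Login 'demo\sp_install'
```

A login that does not exist on the instance returns no rows, so an install account with no SQL Server login at all reports as compliant.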

Wednesday 10 November 2010

Access SQL using a different domain account using SQL Windows authentication mode

Problem: Infrastructure has set up a new SQL Server 2008 R2 instance. I can only remote desktop to the machine using the installation account. As SQL Server is set up to use Windows authentication, I can't log in using the local "Microsoft SQL Server Management Studio".

Initial Hypothesis:  I can't connect remotely to the SQL instance, I can't login using remote desktop access with the appropriate account that has SQL access.  I need to remote desktop to the SQL Server using the remote access windows account i.e. demo\Installation and then runas the demo\sqladmin account to get access to the Management Studio.

Resolution: Run SQL Server Management Studio in the rights of the windows account that has SQL access.
Steps:
  • Remote desktop into the SQLServer using the windows account that has remote desktop access i.e. demo\Installation
  • Open your cmd prompt
  • Execute the cmd> C:\Users\Installation>runas /user:demo\sqlaccount "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"
  • Enter the SqlAccount password
  • Management Studio opens up using the demo\SQLAdmin account

Update 6 Dec 2010 - Alternatively, hold down the shift key and right click the SQL Server Management menu, you are given the "run as .." menu option.