Powershell Start-Process : This command cannot be executed due to the error: Access is denied

25,998

Ok, I finally got it. It seems that for security reason the System account can not initiate impersonation. The solution here was to change the account running the script, from system to a custom account. And then to allow impersonation for this account in security policies as said here:

https://serverfault.com/questions/185813/which-ad-permission-is-required-to-allow-impersonation-of-an-account/193717#193717

Share:
25,998
John-Philip
Author by

John-Philip

I'm a full-stack developer, with knowledge in C#, Typescript, Sql and software deployment processes.

Updated on October 07, 2020

Comments

  • John-Philip
    John-Philip over 3 years

    I'm trying to run start-process from a powershell script with given credential. Nevertheless the command fail with the following error:

    Start-Process : This command cannot be executed due to the error: Access is denied  
    

    Here is the full error log:

    18-Jun-2015 11:48:54    Start-Process : This command cannot be executed due to the error: Access is den
    18-Jun-2015 11:48:54    ied.
    18-Jun-2015 11:48:54    At C:\Windows\system32\config\systemprofile\AppData\Local\Temp\PRISMA-AMR-JOB1-
    18-Jun-2015 11:48:54    87-ScriptBuildTask-8569094554411403512.ps1:38 char:18
    18-Jun-2015 11:48:54    +     Start-Process <<<<  C:\Windows\System32\cmd.exe -arg "/C" -Credential $cr
    18-Jun-2015 11:48:54    edential
    18-Jun-2015 11:48:54        + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOp 
    18-Jun-2015 11:48:54       erationException
    18-Jun-2015 11:48:54        + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C 
    18-Jun-2015 11:48:54       ommands.StartProcessCommand
    

    Here is what the the faulty powershell call looks like:

    Start-Process C:\Windows\System32\cmd.exe -arg "/C" -Credential $credential
    

    If I open a command prompt with the appropriate credential on the machine where the script is executed, running cmd /C does well. If it's on the powershell script on behalf of start-process it fails.

    Maybee I should say that when I manually run the command prompt with targeted credential I was logged as administrator while the powershell looks to be run under the system account.

    Looks really like something is wrong with some permissions... Any idea what's going on here ?

    Edit: From what is been said in https://serverfault.com/questions/185813/which-ad-permission-is-required-to-allow-impersonation-of-an-account/193717#193717
    I checked the permission ofr impersonation in Local Policies -> User Rights Assignment. System is present, and for the sake of completeness I also added the computer account. Restarted. But with no luck, problem still there !