I have an IIS with php 5.6.
I am writing a PHP script, which should execute a powershell script.
The powershell script has to switch to another user because the IUSR user does not have the privileges for the needed commands in the powershell.
Source:
PHP call of powershell:
$content = shell_exec("powershell.exe -NonInteractive -command " . getcwd() . "\\ps-helper.ps1 -ps_password '".$powershell_password."' < NUL");
As it is (to my knowledge) not possible to switch user within a script, I split them up in two files. the ps-helper.ps1 should start the second script with different credentials:
ps-helper.ps1:
$psuser_secpassword = ConvertTo-SecureString $ps_password -AsPlainText -Force
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.CreateNoWindow = $true
$psi.FileName = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$psi.Arguments = "/?"
$psi.UseShellExecute = $false;
$psi.RedirectStandardInput = $true;
$psi.RedirectStandardError = $true;
$psi.RedirectStandardOutput = $True;
$psi.Username = 'username'
$psi.Domain = 'DOMAIN'
$psi.Password = $psuser_secpassword
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $psi
$p.Start()
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
$p.WaitForExit()
If I execute the command via cmd.exe in windows as normal user, it works fine.
Problem:
- If I execute the command via IIS it fails, no reason given (stdout and stderr are empty)
- If I comment out Username, Domain and Password, it works - meaning $stdout is filled with output from second script (but obviously no user change)
Are there any settings in Windows, IIS, PHP or powershell that prevent user change from IUSR to something else?