I’m looking for a PowerShell solution to allow a member of an AD group to invoke a SQL Job on a remote server where they are NOT an admin. The current concept is for them to invoke a command from a shortcut to a server that uses the sqlcmd utility to invoke a command using credentials with elevated permissions.
We’ve worked through a solution for this, but I’m looking for a solution that does not require making server changes to permit the remote AD group users permission (see reference link below). We’d also like to log the user who initiated the script somewhere since the SQL logs will only report the impersonated credentials with elevated permissions that invoked the job.
I’ll note our current solution and list some related references below that helped get a working example, but I am looking for any example others may have devised.
# Encrypted password blob and the service account it belongs to
$CredsFile = "\\SqlServerName\Scripts$\powershell\SrvSqlJobAccountx-PowershellCreds.xml"
$AdminName = "domain\SrvSqlJobAccount"
$encrypted = Import-Clixml $CredsFile
# 32-byte key passed to ConvertTo-SecureString -Key
$key = (2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43,6,6,6,6,6,6,31,33,60,23)
# Open the RSA key pair held in the named machine-level key container
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = "SuperSecretProcessOnMachine"
$csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 5120,$csp
$rsa.PersistKeyInCsp = $true
# RSA-decrypt the blob (OAEP padding), then convert the result to a SecureString with $key
$password = [char[]]$rsa.Decrypt($encrypted,$true) -join "" | ConvertTo-SecureString -Key $key
$cred = New-Object System.Management.Automation.PsCredential $AdminName,$password
# Identity of the person running the script (captured here, not yet passed to the server)
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
# Start the job on the SQL server as the service account
Invoke-Command -ComputerName SqlServerName -Credential $cred -ScriptBlock {
    sqlcmd -E -S SqlServerName -d msdb -q "EXIT(exec sp_start_job @job_name = 'JobMaint: ToggleEnabled for XXX')" >> Log_XXXToggleJobEnabled.txt
}
How to store encrypted password for script to access for credentials:
Overcoming “access denied” by updating three services to permit non-admins to invoke commands (but looking for an alternative):
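One way to record the initiating user, as an added example that is not part of the original post: the caller's identity is captured before the elevated credential is used and passed into the remote script block, which writes it to the job log next to the account that actually ran sqlcmd. The function name Start-AuditedSqlJob and the log line layout are assumptions; the server, job and log file names are the ones used in the post.

```powershell
# Added example. Start-AuditedSqlJob and the log line layout are hypothetical.
function Start-AuditedSqlJob {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $JobName,
        [string] $LogPath = 'Log_XXXToggleJobEnabled.txt'
    )

    # Capture the caller before the elevated credential is used.
    $initiator = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $remoteArgs = $initiator, $env:COMPUTERNAME, $ComputerName, $JobName, $LogPath

    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ArgumentList $remoteArgs -ScriptBlock {
        param($Initiator, $SourceHost, $SqlServer, $JobName, $LogPath)

        $runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $stamp = Get-Date -Format o

        # Log first, so an attempt is recorded even if the job fails to start.
        Add-Content -Path $LogPath -Value "$stamp START initiator=$Initiator source=$SourceHost runas=$runAs job=$JobName"

        # Double single quotes so the job name stays inside one T-SQL string literal.
        $safeJob = $JobName -replace "'", "''"
        $query = "EXEC dbo.sp_start_job @job_name = N'$safeJob'"

        # -b makes sqlcmd return a non-zero exit code when the batch fails.
        $output = (& sqlcmd -E -S $SqlServer -d msdb -b -Q $query 2>&1 | Out-String).Trim()
        $exitCode = $LASTEXITCODE

        Add-Content -Path $LogPath -Value "$stamp END initiator=$Initiator exit=$exitCode output=$output"

        # Return a summary object to the calling machine.
        [pscustomobject]@{ Initiator = $Initiator; RunAs = $runAs; Job = $JobName; ExitCode = $exitCode }
    }
}

# Usage, with $cred built as in the post:
# Start-AuditedSqlJob -ComputerName SqlServerName -Credential $cred -JobName 'JobMaint: ToggleEnabled for XXX'
```

The initiator value is reported by the calling machine, so the record is only as trustworthy as the script the user runs. A relative log path resolves against the remote session's starting directory, so pass a full path if the log must land in a known location.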