Kaseya Community

UseCredential/Impersonateuser question

I've written and modified multiple Kaseya scripts/agent procedures in the past, and consider myself far from a novice when it comes to the scripting built into Kaseya, but I ran into a situation this morning with a script that we need, that I've just never had before.  I'll be doing some additional testing myself on this, but I thought I'd throw the question out there first to see if someone else already knows the answer.

When you specify a "usecredential" or impersonateUser in a script, does that apply to anything you "Run as User" from that point on, or only the very next line you execute in the script?  The documentation is not really clear on that fact, it *seems* to indicate that it might be just for the next statement, but I'm just not certain.

Here's my overall scenario.  I am applying an update to a specific application that the users run.  In my script I'm first checking if they are currently running the app, and if so prompting them to give them an opportunity to put off doing the update if necessary.  Then I terminate the app, and run the installer using the machine credentials, as the users are not local admins, and local admin permissions are required to run the update.  Once the update is done, I would like to go ahead and restart the app for them if they were running it before the update ran.

My concern is, if the usecredential is propagated through the rest of the script, then when I run the app at the end, it will be running as the admin user rather than the locally logged in user.  

I'm going to be doing some testing later today to find out one way or the other, if no one else knows for certain, and then I'll post my results back here later so that I can save someone else time if/when this same question comes up.

Verified Answer
  • Ok, I had time to test this much sooner than I figured I would get to it, so I thought I'd share my results in case this helps someone else.  I'd still like to hear from someone else who's run into this as well just to confirm my findings are accurate if nothing else.

    The usecredentials/impersonate user seems to be dependent on the indent level, and it seems to follow a logical program flow similar to variables.  For my testing I ran through several different scenarios.

    First I tested with the use credential followed by a statement that ran notepad.exe, several other nonsense statements just to add some additional lines in there and then one that ran calc.exe.  In that scenario, both notepad and calc were started using the credentials specified on the agent tab, so that the only way I was able to verify that they were running is by looking in Task manager.

    I then put the use credentials and notepad.exe statement inside an "If User logged in" statement.  

    Notepad.exe ran using the credentials and calc.exe ran as the actual logged in user.

    If I put the usecredentials as the first line in the script, then everything from that point forward ran using the credentials regardless of the indent level, making it in effect "global" for that script.

    So overall from what I can tell at least the usecredentials seems to follow basic "inheritance" and scope rules, and it doesn't only apply to the next step as the documentation would seem to indicate.

    If someone else can confirm or disprove that I'd be grateful.

    Thank you

All Replies
  • Jonathan,

    Yes. I have to agree with you on this. If the Impersonate line is placed after any running programs, they will not use the credentials. If you use the Impersonate line at the top then everything will inherit the credentials.

  • What if you're executing a .bat file with ExecuteFile command? Will it use the assigned Credential, or Impersonated User?

  • Just to clarify a little.  

    JamesB.  I knew the impersonate line has to be placed *before* running a program in the script for it to use the credentials.  What I was more testing was to see when it *stopped* impersonating a user in the script.  The answer to that was that it basically follows the same "scoping" mechanism as variables.  If your impersonateuser command is inside an IF statement, then it will only continue impersonating the user until the end of your IF statement, any execute commands after the IF statement is closed will use the normal logged in user.

    To answer your question Billmccl - That is exactly what I'm doing in my case.  So the short answer is yes.  If your script is simply executing a batch file, and you need this then your script could conceivably consist of only three lines.

    1.) writefile - to write your batch file out to the agent.

    2.) useCredential or impersonateUser - to specify what user to execute as.

    3.) executeFile As User your .bat file to run ..

    Again, mainly what I was trying to test was for how long that useCredential lasted. Just to outline a bit and provide a graphic example, here is one of the scripts I tested, with some comments to indicate what happened.


    If isUserLoggedIn("")
        useCredential("All Operating Systems", "Halt on Fail")
        // Notepad will run as our "Agent Credential User"
        executeFile("c:\windows\system32\notepad.exe", "", "Execute as User and Continue", "All Operating Systems")
    // Now we have ended the IF block by "outdenting" so calc.exe will run as the currently logged on user
    executeFile("c:\windows\system32\calc.exe", "", "Execute as User and Continue", "All Operating Systems")
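
The thread's test relied on Task Manager to see which account each program ran under. The check below is an added example, not part of the original posts or of Kaseya's tooling: run on the endpoint after the procedure, it reports the owner of each test process and whether it matches the console user, which is the way to confirm a relaunched application did not inherit the agent credential. The process names are the ones used in the thread; the script and its parameter are illustrative.

```powershell
# Added example: report which account owns each running instance of the given
# processes and compare it with the interactively logged-on console user.
param(
    [string[]]$ProcessName = @('notepad.exe', 'calc.exe')  # names from the thread's test
)

# Console user as DOMAIN\user. Empty when nobody is logged on at the physical
# console (for example, an RDP-only session), so no match is reported then.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

$results = foreach ($name in $ProcessName) {
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$name'"
    foreach ($p in $procs) {
        # GetOwner returns ReturnValue 0 plus Domain and User on success.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $account = if ($owner.ReturnValue -eq 0) {
            '{0}\{1}' -f $owner.Domain, $owner.User
        } else {
            '<owner unavailable>'   # usually access denied when not elevated
        }
        [pscustomobject]@{
            Name               = $p.Name
            ProcessId          = $p.ProcessId
            SessionId          = $p.SessionId
            Owner              = $account
            MatchesConsoleUser = [bool]($consoleUser -and $account -ieq $consoleUser)
        }
    }
}

# A row with MatchesConsoleUser = False for the relaunched application means it
# is still running under the credential set by useCredential/impersonateUser.
$results | Format-Table -AutoSize
```

On current Windows builds calc.exe hands off to the Store Calculator app and exits, so a longer-lived test program may be needed to see a row for it.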