How to run a powershell script with service account and not local system?

Hi,
We have a scenario where we want to run a PowerShell script on server A to drop a file on another server B. Server A has an Octopus Tentacle, so it connects, but server B has no Tentacle, and thus we browse the specific path on server B by connecting from server A. To explain in detail, when I run the PowerShell file-drop script it runs on Server A (which has the Tentacle), browses the server B path locally from server A and drops files on the path present on server B. Here I face an issue dropping the file on the server B folder path when the script runs: it says Access denied.

The issue can be resolved only if we run PowerShell with a service account and password, but Octopus runs PowerShell under the Local System account on Server A, as the Octopus Tentacle is set up as Local System. Thus can you please advise how to run the script with a service account?

Hi puk.it.scm,

Thank you for reaching out to us with your query.

There are a couple of possible options that might work in this scenario:

  • Install the Tentacle software on Server B
    The first option would be to install the Tentacle software onto Server B and to add additional steps and/or packages to your deployment process to target the additional server. This would have the benefit of keeping everything related to the deployment (e.g. logs) in one place.

  • Run the Tentacle on Server A as a different user
    If it isn’t possible to install the Tentacle software onto Server B then you have the option of configuring the Tentacle on Server A to run as a different user which has the necessary access rights to connect to Server B. You can find out how to configure the Tentacle to run as a different user in our documentation.

I hope this is helpful. Please let me know if you have any questions.

Best Regards,

Charles

Hi Charles,

Thanks for swift response!

The twist here is we will not be able to install the Tentacle on Server B, as it is considered an external file transfer server. So the only option is to run PowerShell on server A with a service account so it accesses that path on server B and drops the file.

Thanks,

Karthega

Hi Karthega,

Thank you for getting back to me.

The second option does sound like the best choice in that case - changing the user that the Tentacle runs as will also change the user that any PowerShell scripts run as.

Could you please try the above and let me know how it goes?

Best Regards,

Charles

Hi,

Reviewed the journal below, but I am afraid it doesn’t help us in our scenario, as we have configured all our machines to run only with Local System, and thus it is not our policy to run a deployment tool service under a service account all the time. Is there any way you can help me with an idea on how to run a particular script with a service account – something like Octopus switching to run PowerShell under a service account at runtime only?

Thank you

Hi puk.it.scm,

Thank you for getting back to me.

I’ve been looking into this and unfortunately there isn’t a reliable or recommended way to switch users for a single step. The Tentacle executes everything as the same user with no granular control available and the usual methods of changing users in a PowerShell session either do not work or result in unintended consequences.

If you’re unable to run the Tentacle as a user which has permissions to access the share then the only option we’ve been able to come up with is using PowerShell to mount the share as a different user. For example:

# Placeholder values; replace with your own server, path and credential.
$uncServer = "\\12.34.56.78"
$uncFullPath = "$uncServer\destination\folder"
$username = "username"
$password = "password"
$sourceFile = "C:\path\to\file.txt"   # file on Server A to drop (placeholder; not defined in the original snippet)

# Authenticate to Server B as the service account; the connection lasts for this session.
net use $uncServer $password /USER:$username

# Copy through the authenticated connection.
Copy-Item $sourceFile $uncFullPath

# Drop the connection when done so the credential session does not linger.
net use $uncServer /DELETE

However, this is risky as it would require the variable to be embedded in the script. You might be able to mitigate this risk using some form of sensitive variable or credential management.

I hope this is helpful. Please let me know if you have any questions.

Best Regards,

Charles
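As an added example (not Charles' snippet and not Octopus' own code), the same share-mount approach with the password read from an Octopus sensitive variable through $OctopusParameters instead of being embedded in the script, New-PSDrive in place of net use, and the mapping removed in a finally block. The variable names FileDrop.UncPath, FileDrop.SourceFile, FileDrop.Username and FileDrop.Password are assumed to exist in the project.

```powershell
# Added example, not from the original thread.
# Assumes Octopus project variables FileDrop.UncPath, FileDrop.SourceFile,
# FileDrop.Username and FileDrop.Password (marked sensitive) exist; names are hypothetical.

$uncFullPath = $OctopusParameters["FileDrop.UncPath"]      # e.g. \\fileserver\drop\incoming
$sourceFile  = $OctopusParameters["FileDrop.SourceFile"]   # file on Server A to drop
$username    = $OctopusParameters["FileDrop.Username"]
$password    = $OctopusParameters["FileDrop.Password"] | ConvertTo-SecureString -AsPlainText -Force
$credential  = New-Object System.Management.Automation.PSCredential($username, $password)

$driveName = "FileDrop"
try {
    # Map the share with the service account's credential for this step only;
    # the Tentacle itself keeps running as Local System.
    New-PSDrive -Name $driveName -PSProvider FileSystem -Root $uncFullPath `
        -Credential $credential -ErrorAction Stop | Out-Null

    Copy-Item -Path $sourceFile -Destination "${driveName}:\" -ErrorAction Stop
    Write-Host "Copied $(Split-Path $sourceFile -Leaf) to $uncFullPath"
}
finally {
    # Always tear down the mapping so the authenticated session does not outlive the step.
    if (Get-PSDrive -Name $driveName -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $driveName -Force
    }
}
```

Because the password never appears as a literal in the script, it is not exposed in source control or in the step definition; the failing case (wrong credential or unreachable share) surfaces as a terminating error from New-PSDrive, and the finally block still runs.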

Thanks Charles - this worked 🙂
