[REFERENCE] HOW TO: PowerShell Workflow: Execute PowerShell with an account other than FIMService
Introduction: PowerShell workflow activities are executed by the FIM Service account by default. There could be a situation where we want to run the PowerShell script as another account, which means we need to save that account's credentials somewhere, preferably NOT in plain text. Here I'll save the ADMA account password, since we'll use it to execute Update-Recipient on the Exchange server (the ADMA account is a member of Exchange Organization Administrators).
Implementation:
Create a secure password file - Here I've chosen to save the password in a directory I already created, c:\SecurePW\
- Open PowerShell on the FIM Service server. IMPORTANT: you must run this as the FIMService account (for example with runas /user:contoso\FIMService powershell.exe). ConvertFrom-SecureString encrypts the string with DPAPI under the current user's key, so a file written by any other account (or on another server) will not decrypt when the workflow, running as FIMService, reads it. Note the flip side as well: anyone who can run code as FIMService, or a local administrator on that server, can decrypt the file, so restrict its NTFS permissions to the FIMService account rather than relying on the encryption alone.
- PS C:\> read-host -AsSecureString | ConvertFrom-SecureString | out-File C:\SecurePW\adma.txt
- Type the ADMA account password
- exit
Take a look at the file and notice it's NOT stored as plain text, but as the DPAPI-encrypted form of the secure string, a hex string (324 characters in this case; the exact length varies with the password).
Read in the encrypted password in your PS script - This is most easily demonstrated by an example. Here we'll open a remote PS session to the CAS server and execute Update-Recipient on the target user.

    Param($TargetIdentity)

    # Decrypt the stored password; this only works when the script runs as the account that wrote the file (FIMService)
    $pass = Get-Content c:\securepw\adma.txt | ConvertTo-SecureString
    $mycreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "contoso\adma", $pass

    # Remote Exchange Management Shell session, authenticated as contoso\adma rather than FIMService
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://DC.contoso.com/PowerShell -Credential $mycreds
    Import-PSSession -Session $session
    Update-Recipient -Identity $TargetIdentity
    Remove-PSSession -Session $session
    Exit
Here the named parameter $TargetIdentity is defined in the activity as [//Target/MailNickname], one of the valid parameter values for Update-Recipient. Of course we could have used the built-in Exchange provisioning via the dropdown in the ADMA, but what fun would that be?
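The following is an added example, not part of the original how-to, that wraps the two steps above (writing the DPAPI-protected password file as FIMService, then reading it back into a PSCredential) in reusable functions and adds the checks I'd want before trusting the file in a workflow: confirming which account is writing it, and a round-trip test that fails clearly when a different account tries to decrypt it. It also trims the file's NTFS ACL so that only the service account and local Administrators can read it. The service account name contoso\FIMService is an assumption; contoso\adma and C:\SecurePW\adma.txt are taken from the article.

```powershell
# Added example (not from the original article). Assumed names:
# contoso\FIMService (account the FIM workflow runs as), contoso\adma, C:\SecurePW\adma.txt.

$PasswordFile   = 'C:\SecurePW\adma.txt'
$ServiceAccount = 'contoso\FIMService'   # assumed
$RunAsUser      = 'contoso\adma'

function Assert-RunningAs {
    param([Parameter(Mandatory)][string]$ExpectedAccount)
    # ConvertFrom-SecureString encrypts with the DPAPI key of the *current* user, so the
    # file is only usable by the workflow if the same account writes it. -ne is case-insensitive.
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($current -ne $ExpectedAccount) {
        throw "Run this as $ExpectedAccount (currently $current); otherwise the workflow cannot decrypt the file."
    }
}

function New-EncryptedPasswordFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ServiceAccount,
        [Parameter(Mandatory)][string]$UserName
    )
    Assert-RunningAs -ExpectedAccount $ServiceAccount
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Prompt without echo; only the DPAPI-encrypted hex form reaches disk.
    $secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
    $secure | ConvertFrom-SecureString | Out-File -FilePath $Path

    # Least privilege on the file: stop inheriting ACEs, then allow Read only to the
    # service account and local Administrators (who could impersonate it anyway).
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in @($ServiceAccount, 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserName
    )
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString
    } catch {
        # Typical failure when another account (or another machine) tries to decrypt the DPAPI blob.
        $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        throw "Could not decrypt '$Path' as ${who}: $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

function Test-EncryptedPasswordFile {
    param([Parameter(Mandatory)][string]$Path)
    # Round-trip check: $true only if the current account can decrypt the blob.
    try { $null = Get-Content -Path $Path | ConvertTo-SecureString; $true } catch { $false }
}

# Usage (interactively, logged on or runas'd as contoso\FIMService):
#   New-EncryptedPasswordFile -Path $PasswordFile -ServiceAccount $ServiceAccount -UserName $RunAsUser
#   Test-EncryptedPasswordFile -Path $PasswordFile   # True as FIMService, False from any other account
#   $mycreds = Get-StoredCredential -Path $PasswordFile -UserName $RunAsUser
```

Run Test-EncryptedPasswordFile once as the FIMService account and once as yourself: the first should return True and the second False. If the first returns False, the file was written under a different identity and the workflow script will fail at the ConvertTo-SecureString line with a "key not valid for use in specified state" style error rather than at the Exchange connection.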