Terminal: Support windows terminal to be run with different user credentials.

Created on 2 Jun 2020 · 7Comments · Source: microsoft/terminal

Description of the new feature/enhancement

It would be a massive plus to have the ability to run Windows Terminal under the security context of a user other than the one logged into windows.

Microsoft recommend "Seperate accounts" for users that need to perform actions that require "privileged access", this means that I have 2 active directory accounts at work.
[email protected] and me.[email protected]

I log into my computer as [email protected] every day.

A lot of the terminal work that I do day to day involves me launching pwsh as me.[email protected] and running commands from there so that I can have "privileged access" to the required resources.
Try as I might I can not find away of launching windows terminal when logged in as [email protected] under the security context of me.[email protected].

This issue is basicly the same as https://github.com/microsoft/terminal/issues/3534 which was closed as it "looks like a /dupe of https://github.com/microsoft/terminal/issues/632". However those 2 issues are clearly not duplicates so thought I would create another one.

Thanks in advance :)

Issue-Feature Resolution-Duplicate

Source

AlexisColes

Most helpful comment

FYI, I found a workaround for this by running the application as-is, and then just modifying the JSON config file to include entries to spawn powershell sessions as another user.

Note that this will not get the new session to run a new tab, rather, it will launch a new window. It DOES work however as available drop-down options. Would be nice to see this baked into the application where instead of opening a new window, it will just open in-place as a new tab instead.

Add new entry(ies) to your settings.json file, in the vein of the below examples:
        {
            // "guid": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",
            "name": "PowerShell 7 (Privileged account)",
            "commandline": "C:\\Windows\\System32\\runas.exe /savecred /user:domain\\my_privilegedacct \"C:\\Program Files\\PowerShell\\7\\pwsh.exe\"",
            "hidden": false
        },
        {
            // "guid": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",
            "name": "Windows PowerShell (Privileged account)",
            "commandline": "C:\\Windows\\System32\\runas.exe /savecred /user:domain\\my_privilegedacct powershell",
            "hidden": false
        },
        //other entries etc as you see fit

This works but it really is not an answer. Why bother opening Windows Terminal if I am just getting a new command window when I need to operate as my Admin account.

As of now,, Windows Terminal is just not useful for administering Windows systems with Powrshell.

Clifra-Jones on 7 Aug 2020

👍3 👎2

All 7 comments

You're right, #3534 probably shouldn't be duped to #632. The more correct dupe would be #4217, which is tracking this dependency with the store team.

Thanks!

/dup #4217

zadjii-msft on 2 Jun 2020

Hi! We've identified this issue as a duplicate of another one that already exists on this Issue Tracker. This specific instance is being closed in favor of tracking the concern over on the referenced thread. Thanks for your report!

msftbot[bot] on 2 Jun 2020

That does indeed look like a better dupe, thanks @zadjii-msft will follow that one.

AlexisColes on 2 Jun 2020

FYI, I found a workaround for this by running the application as-is, and then just modifying the JSON config file to include entries to spawn powershell sessions as another user.

Note that this will not get the new session to run a new tab, rather, it will launch a new window. It DOES work however as available drop-down options. Would be nice to see this baked into the application where instead of opening a new window, it will just open in-place as a new tab instead.

Add new entry(ies) to your settings.json file, in the vein of the below examples:

        {
            // "guid": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",
            "name": "PowerShell 7 (Privileged account)",
            "commandline": "C:\\Windows\\System32\\runas.exe /savecred /user:domain\\my_privilegedacct \"C:\\Program Files\\PowerShell\\7\\pwsh.exe\"",
            "hidden": false
        },
        {
            // "guid": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",
            "name": "Windows PowerShell (Privileged account)",
            "commandline": "C:\\Windows\\System32\\runas.exe /savecred /user:domain\\my_privilegedacct powershell",
            "hidden": false
        },
        //other entries etc as you see fit

yllekz on 2 Jun 2020

❤2

FYI, I found a workaround for this by running the application as-is, and then just modifying the JSON config file to include entries to spawn powershell sessions as another user.

Note that this will not get the new session to run a new tab, rather, it will launch a new window. It DOES work however as available drop-down options. Would be nice to see this baked into the application where instead of opening a new window, it will just open in-place as a new tab instead.

Add new entry(ies) to your settings.json file, in the vein of the below examples:
        {
            // "guid": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",
            "name": "PowerShell 7 (Privileged account)",
            "commandline": "C:\\Windows\\System32\\runas.exe /savecred /user:domain\\my_privilegedacct \"C:\\Program Files\\PowerShell\\7\\pwsh.exe\"",
            "hidden": false
        },
        {
            // "guid": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",
            "name": "Windows PowerShell (Privileged account)",
            "commandline": "C:\\Windows\\System32\\runas.exe /savecred /user:domain\\my_privilegedacct powershell",
            "hidden": false
        },
        //other entries etc as you see fit

This works but it really is not an answer. Why bother opening Windows Terminal if I am just getting a new command window when I need to operate as my Admin account.

As of now,, Windows Terminal is just not useful for administering Windows systems with Powrshell.

Clifra-Jones on 7 Aug 2020

👍3 👎2

Grant users full control access to the application folder, and you are good to go. Note: the system account (e.g. psexec -s ) is required to modify the ACLs, and you'll have to make the change after each update. I wrote a simple script to do this for me, and created a couple desktop icons I can easily update/right-click-RunAs when needed. It grabs the logged on user account, but can be tweaked use whatever account name you like.

@echo off & pushd %~dp0
if not "%username%" == "%computername%$" echo This script must be run with the system account! & goto:eof
echo ++ Configuring permissions for Windows Terminal
for /f "tokens=1,2,*" %%a in ('tasklist /FI "IMAGENAME eq explorer.exe" /FO LIST /V') do if /i "%%a %%b"=="User Name:" set _loggedOnUser=%%c
echo ++ Resetting ACLs for username: [%_loggedOnUser%]
echo ++ Getting latest application folder and exe paths...
set _winAppsDir=%ProgramFiles%\WindowsApps
:: Update folder version number when needed
for /f "tokens=*" %%i in ('dir "%_winAppsDir%\Microsoft.WindowsTerminal_1*" /on /b') do set _winTermDir=%_winAppsDir%\%%i
set _winTermExe="%_winTermDir%\WindowsTerminal.exe"
echo ++ Windows Terminal Directory: [%_winTermDir%]
echo ++ Setting permissions...
icacls "%_winTermDir%" /grant %_loggedOnUser%:(OI)(CI)(F) /T
echo ++ Path to executable: [%_winTermExe%]
popd
:eof

scotpower on 3 Sep 2020

If you're going to mess with the permissions in system folders, you would be much better off just extracting the msixbundle like a zip file and using WindowsTerminal.exe directly. It'll be much less of a headache and runs less risk of making the application installation service upset with you.