I'm using command1.ps1 script to install Azure Custom Script Extension on the target VM and execute command2.ps1. command2.ps1 is supposed to run a script (that is inside ScriptBlock) as domain administrator (hence -Credential $Credentials). When I run command2.ps1 manually and input $domainAdminName and $domainAdminPassword it works, but when running it through command1.ps1 it doesn't work. Maybe the problem is cause by Azure Custom Script Extension running command2.ps1 as System account? Please, help me make the script work.
command1.ps1:
param
(
[Parameter(Mandatory)]
[String]$resourceGroupName,
[Parameter(Mandatory)]
[String]$targetVMname,
[Parameter(Mandatory)]
[String]$vmLocation,
[Parameter(Mandatory)]
[String]$FileUri,
[Parameter(Mandatory)]
[String]$nameOfTheScriptToRun,
[Parameter(Mandatory)]
[String]$customScriptExtensionName,
[Parameter(Mandatory)]
[String]$domainAdminName,
[Parameter(Mandatory)]
[String]$domainAdminPassword
)
Set-AzureRmVMCustomScriptExtension -Argument "-domainAdminName $domainAdminName -domainAdminPassword $domainAdminPassword" `
-ResourceGroupName $resourceGroupName `
-VMName $targetVMname `
-Location $vmLocation `
-FileUri $FileUri `
-Run $nameOfTheScriptToRun `
-Name $customScriptExtensionName
Remove-AzureRmVMCustomScriptExtension -Force `
-ResourceGroupName $resourceGroupName `
-VMName $targetVMname `
-Name $customScriptExtensionName
command2.ps1:
param
(
[Parameter(Mandatory)]
[String]$domainAdminName,
[Parameter(Mandatory)]
[String]$domainAdminPassword
)
$domainAdminPasswordSecureString = ConvertTo-SecureString -String $domainAdminPassword -AsPlainText -Force
$DomainCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $domainAdminName, $domainAdminPasswordSecureString
Invoke-Command -ComputerName localhost -ScriptBlock {
Start-Transcript C:\transcript1.txt
New-Item C:\111.txt
Stop-Transcript
} -Credential $DomainCredentials
There are also a couple of errors in the event log: https://i.stack.imgur.com/RKlZo.png https://i.stack.imgur.com/XL28M.png
you can use Azure DSC extension to work around that
"properties": {
"publisher": "Microsoft.Powershell",
"type": "DSC",
"typeHandlerVersion": "2.20",
"autoUpgradeMinorVersion": true,
"settings": {
"configuration": {
"url": "url",
"script": "script.ps1",
"function": "function"
},
"configurationArguments": {
"regular": "arguments"
}
},
"protectedSettings": {
"configurationArguments": {
"DomainCredentials": {
"userName": "user",
"password": "password"
}
}
}
And in your DSC configuration add a parameter like this:
[Parameter(Mandatory)] # doesn't have to be mandatory, just copy pasting
[System.Management.Automation.PSCredential]$DomainCredentials,
Parameter name in the template must match parameter name in the dsc. You can probably figure out something similar using powershell. I personally never tried, but it should be possible.
Maybe the problem is cause by Azure Custom Script Extension running command2.ps1 as System account?
Yes, Azure Custom Script Extension runs as the System account . This means using the Azure VM Custom Script Extension we can run any sort of code even if it requires highest system privileges. As following picture, we can see the CustomScriptHandler.exe process runs as the System account.
More about Understanding Azure Custom Script Extension, refer to this article.
Please, help me make the script work.
Your scripts are OK. This issue is about system privilege. According to your errors log, if you want to run your scripts through Azure custom extension script, you can try to solve it by assign permissions to System account and change some configurations on your VM. More about how to resolve the errors, you can refer to this link.
来源:https://stackoverflow.com/questions/46433123/azure-custom-script-extension-execute-script-as-another-user