Search code examples
powershellazureazure-virtual-machineazure-powershellpowershell-remoting

Azure Custom Script Extension. Execute script as another user

I'm using command1.ps1 script to install Azure Custom Script Extension on the target VM and execute command2.ps1. command2.ps1 is supposed to run a script (that is inside ScriptBlock) as domain administrator (hence -Credential $Credentials). When I run command2.ps1 manually and input $domainAdminName and $domainAdminPassword it works, but when running it through command1.ps1 it doesn't work. Maybe the problem is cause by Azure Custom Script Extension running command2.ps1 as System account? Please, help me make the script work. command1.ps1:

    param
(
    [Parameter(Mandatory)]
    [String]$resourceGroupName,

    [Parameter(Mandatory)]
    [String]$targetVMname,

    [Parameter(Mandatory)]
    [String]$vmLocation,

    [Parameter(Mandatory)]
    [String]$FileUri,

    [Parameter(Mandatory)]
    [String]$nameOfTheScriptToRun,

    [Parameter(Mandatory)]
    [String]$customScriptExtensionName,

    [Parameter(Mandatory)]
    [String]$domainAdminName,

    [Parameter(Mandatory)]
    [String]$domainAdminPassword

)

Set-AzureRmVMCustomScriptExtension -Argument "-domainAdminName $domainAdminName -domainAdminPassword $domainAdminPassword" `
    -ResourceGroupName $resourceGroupName `
    -VMName $targetVMname `
    -Location $vmLocation `
    -FileUri $FileUri `
    -Run $nameOfTheScriptToRun `
    -Name $customScriptExtensionName

Remove-AzureRmVMCustomScriptExtension -Force `
    -ResourceGroupName $resourceGroupName `
    -VMName $targetVMname `
    -Name $customScriptExtensionName

command2.ps1:

    param
(
    [Parameter(Mandatory)]
    [String]$domainAdminName,

    [Parameter(Mandatory)]
    [String]$domainAdminPassword

)

$domainAdminPasswordSecureString = ConvertTo-SecureString -String $domainAdminPassword -AsPlainText -Force
$DomainCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $domainAdminName, $domainAdminPasswordSecureString

Invoke-Command -ComputerName localhost -ScriptBlock {
Start-Transcript C:\transcript1.txt
New-Item C:\111.txt 
Stop-Transcript
} -Credential $DomainCredentials

There are also a couple of errors in the event log: https://i.sstatic.net/RKlZo.png https://i.sstatic.net/XL28M.png

Solution

  • you can use Azure DSC extension to work around that

    "properties": {
    "publisher": "Microsoft.Powershell",
    "type": "DSC",
    "typeHandlerVersion": "2.20",
    "autoUpgradeMinorVersion": true,
    "settings": {
        "configuration": {
            "url": "url",
            "script": "script.ps1",
            "function": "function"
        },
        "configurationArguments": {
            "regular": "arguments"
        }
    },
    "protectedSettings": {
        "configurationArguments": {
            "DomainCredentials": {
                "userName": "user",
                "password": "password"
            }
        }
    }

    And in your DSC configuration add a parameter like this:

    [Parameter(Mandatory)] # doesn't have to be mandatory, just copy pasting
[System.Management.Automation.PSCredential]$DomainCredentials,

    Parameter name in the template must match parameter name in the dsc. You can probably figure out something similar using powershell. I personally never tried, but it should be possible.