Tags: azure, powershell, android-virtual-device, wvd

Add on-prem AD group while provisioning Azure VM with ARM template - Azure Virtual Desktop


I have a requirement to provision an Azure VM with an ARM template, which consists of creating the machine, domain join, registering to the host pool, and enabling Azure Disk Encryption. We will be using an image. I tried to use the Custom Script Extension at the end to run a ps1 which can add the machine object to an AD group.

Script1

# Resolve this computer's distinguished name through ADSystemInfo.
$SysInfo = New-Object -ComObject "ADSystemInfo"
$ComputerDN = $SysInfo.GetType().InvokeMember("ComputerName", "GetProperty", $Null, $SysInfo, $Null)
# Alternative lookup by sAMAccountName (note: .Path already carries the LDAP:// prefix,
# so drop the "LDAP://" below if you use this form instead).
#$ComputerDN = ([ADSISEARCHER]"sAMAccountName=$($env:COMPUTERNAME)$").FindOne().Path
$ComputerDN

# Resolve the target group and bind to it.
$Group = "groupname"
$group1dn = ([ADSISEARCHER]"sAMAccountName=$($Group)").FindOne().Path
$Groupdn = [ADSI]"$group1dn"

# Check if the computer is already a member of the group.
If ($Groupdn.IsMember("LDAP://$ComputerDN") -eq $False)
{
    # Add the computer to the group.
    $Groupdn.Add("LDAP://$ComputerDN")
}

Script2

# Build a PSCredential for the domain user (the password must be a SecureString).
$password   = ConvertTo-SecureString "password" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("domain\user", $password)

Start-Process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Credential $credential -ArgumentList "-File <path of script1>"

OR

Invoke-Command -FilePath <path of script1> -Credential $credential -ComputerName localhost

Both ps1 files are downloaded to the machine via the CSE, which then triggers script2.

For Start-Process it says access denied (because the CSE runs as the SYSTEM account and may be unable to switch to the domain user). Invoke-Command can impersonate; however, it requires the domain user to be added to the local Administrators group and PSRemoting to be enabled on the machine. In spite of doing this I am still having issues:

Exception calling "InvokeMember" with "5" argument(s): "Access is denied."

The following exception occurred while retrieving member "IsMember": "An operations error occurred."

How can I get this done with the CSE?


Solution

  • I figured it out.. thanks for the suggestions Cpt.Whale.

    I used only script1 (expecting a domain password parameter) in the CSE; it downloads onto the machine after domain join. Then I used the protected settings in the CSE to run the ps1 and pass the Key Vault references:

        "commandToExecute": "[concat('powershell.exe -file Script1.ps1 -password ', parameters('keyvaultpass'))]"

    (-password is the parameter declared in script1.)

    /Naveen
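The following is an added example, not code from the question or the answer above. It combines the two threads of the discussion: the Custom Script Extension runs as SYSTEM, so Start-Process -Credential and Invoke-Command -Credential fail or need local admin and PSRemoting, while the accepted approach passes the password into Script1.ps1 from protectedSettings. Rather than impersonating the domain user, this version binds to AD with an explicit username and password through System.DirectoryServices.DirectoryEntry, which needs neither local admin rights for that user nor PSRemoting. The parameter names -Group, -UserName and -Password, and the domain-root discovery via RootDSE, are assumptions for this example.

```powershell
# Added example (not from the original post): Script1.ps1 rewritten so the
# Custom Script Extension, running as SYSTEM, can add this computer to an AD
# group by binding with an explicit service-account credential instead of
# impersonating it via Start-Process or Invoke-Command.
# Assumed names: -Group, -UserName and -Password, supplied from the
# extension's protectedSettings commandToExecute.
param(
    [Parameter(Mandatory)] [string] $Group,     # sAMAccountName of the target group
    [Parameter(Mandatory)] [string] $UserName,  # DOMAIN\account delegated to modify the group
    [Parameter(Mandatory)] [string] $Password   # plaintext because CSE passes it as an argument
)

$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices

function Get-AdSearchResult {
    # Run one LDAP search under the supplied search root and return the SearchResult.
    param(
        [System.DirectoryServices.DirectoryEntry] $SearchRoot,
        [string] $Filter
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($SearchRoot, $Filter)
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No object matched LDAP filter '$Filter'" }
    return $result
}

# Discover the domain naming context, binding as the service account rather
# than as SYSTEM (which would use the computer account).
$rootDse    = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE', $UserName, $Password)
$domainDn   = [string]$rootDse.Properties['defaultNamingContext'][0]
$domainRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn", $UserName, $Password)

# Locate this computer object and the group by sAMAccountName; a computer's
# sAMAccountName carries a trailing '$'.
$computer   = Get-AdSearchResult -SearchRoot $domainRoot -Filter "(&(objectClass=computer)(sAMAccountName=$($env:COMPUTERNAME)$))"
$computerDn = [string]$computer.Properties['distinguishedname'][0]
$groupHit   = Get-AdSearchResult -SearchRoot $domainRoot -Filter "(&(objectClass=group)(sAMAccountName=$Group))"

# Open the group entry with the same credential so the write is authorised as
# the service account, not as the VM's computer account.
$groupEntry = New-Object System.DirectoryServices.DirectoryEntry($groupHit.Path, $UserName, $Password)

# Idempotent membership check against the 'member' attribute (a list of DNs).
# Caveat: for groups over 1500 members AD returns 'member' in ranges and this
# simple read only sees the first range.
$members = @($groupEntry.Properties['member'] | ForEach-Object { [string]$_ })
if ($members -contains $computerDn) {
    Write-Output "$computerDn is already a member of $Group; nothing to do."
} else {
    [void]$groupEntry.Properties['member'].Add($computerDn)
    $groupEntry.CommitChanges()
    Write-Output "Added $computerDn to $Group."
}

# Drop the plaintext secret and release the LDAP connections when done.
$Password = $null
$groupEntry.Dispose(); $domainRoot.Dispose(); $rootDse.Dispose()
```

Wiring in the template follows the accepted answer: declare the secret as a secureString parameter whose value in the parameter file is a Key Vault reference, and put the command in the extension's protectedSettings, for example concat('powershell.exe -ExecutionPolicy Bypass -File Script1.ps1 -Group groupname -UserName DOMAIN\svc-adgroup -Password ', parameters('keyvaultpass')). protectedSettings keeps the command line out of the deployment history, but on the VM the password still exists as a process argument while the script runs and is visible to local administrators there, so delegate the service account only the "Write members" permission on that one group rather than making it a domain or local admin, and rotate the secret if the VM is ever compromised.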