Add onprem AD group while provisioning Azure VM with ARM template -Azure virtual desktop

Time:03-22

I have a requirement to provision an Azure VM with an ARM template, which consists of creating the machine, doing the domain join, registering it to the host pool, and enabling Azure Disk Encryption. We will be using an image. I tried to use a Custom Script Extension (CSE) at the end to run a .ps1 that can add the machine object to an AD group.

Script1

# Resolve the distinguished name of this computer object through ADSystemInfo
$SysInfo = New-Object -ComObject "ADSystemInfo"
$ComputerDN = $SysInfo.GetType().InvokeMember("ComputerName", "GetProperty", $Null, $SysInfo, $Null)
# Alternative lookup by sAMAccountName (computer accounts end with $); note that .Path already carries the LDAP:// prefix
#$ComputerDN = ([ADSISEARCHER]"sAMAccountName=$($env:COMPUTERNAME)$").FindOne().Path
$ComputerDN
$Group = "groupname"
$group1dn = ([ADSISEARCHER]"sAMAccountName=$($Group)").FindOne().Path
$Groupdn = [ADSI]"$group1dn"

# Check if the computer is already a member of the group.
If ($Groupdn.IsMember("LDAP://$ComputerDN") -eq $False)
{
    # Add the computer to the group.
    $Groupdn.Add("LDAP://$ComputerDN")
}

Script2

# Build a PSCredential for the domain user (a plain "user & password" string is not a credential)
$password   = ConvertTo-SecureString "<password>" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("DOMAIN\user", $password)
Start-Process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Credential $credential -ArgumentList "-file <path of script1>"
OR
Invoke-Command -FilePath <path of script1> -Credential $credential -ComputerName localhost

Both .ps1 files are downloaded to the machine via the CSE, which then triggers script2.

With Start-Process it says access denied (because the CSE runs as the SYSTEM account and may be unable to change to the domain user). Invoke-Command can impersonate; however, it requires the domain user to be added to the local Administrators group and PSRemoting to be enabled on the machine. In spite of doing this, I am still having issues:

Exception calling "InvokeMember" with "5" argument(s): "Access is denied."

The following exception occurred while retrieving member "IsMember": "An operations error occurred. "

How to get this done with CSE?

CodePudding user response:

To simplify script1 a bit, you can try using WinNT provider names and skip searching AD:

$Group = "Domain Computers"
$Domain = 'CONTOSO'  # NETBIOS name
$ADGroup = [ADSI]"WinNT://$Domain/$Group"

# Check if the computer is already a member of the group. Computer accounts get $ at the end
If (-not ($ADGroup.IsMember("WinNT://$Domain/$env:COMPUTERNAME$"))) {
  # Add the computer to the group, using the same WinNT path form.
  $ADGroup.Add("WinNT://$Domain/$env:COMPUTERNAME$")
}

script2's Start-Process should be fine as long as the VM is already joined to the domain and the credential's username is in DOMAIN\user format. You could try testing the command below, for example: no variables, just fill in the names.

It can be a pain to get the output of started processes. I added ;Read-Host 'waiting' to test the true/false output in a shell window. If you can't run it interactively, you could use -RedirectStandardOutput 'c:\folder\result.out' and check the file.

$Credential = Get-Credential CONTOSO\user
Start-Process powershell.exe -Credential $Credential -Wait -ArgumentList `
  "-C ([ADSI]'WinNT://CONTOSO/Domain Computers').IsMember('WinNT://CONTOSO/MyHostname$')"

On my PC, this returns an error start-process : Access is denied, but does successfully impersonate my domain user and start the process... so I'm not exactly sure what its deal is.


Invoke-Command works well for anything local to the machine, but it still counts as remoting. isMember() is not able to authenticate to your AD service because of second-hop restrictions. This behavior can be changed, but it's not recommended.

CodePudding user response:

I figured it out. Thanks for the suggestions, Cpt.Whale.

I used only script1 (expecting the domain password as a parameter) in the CSE, which downloads it to the machine after the domain join. Then I used the protected settings of the CSE to run the .ps1 and pass the Key Vault reference (-password is the parameter declared in script1):

"commandToExecute": "[concat('powershell.exe -file Script1.ps1 -password ', parameters('keyvaultpass'))]"

/Naveen
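The two answers above point at the same root cause: under the CSE the script runs as SYSTEM, and neither Start-Process nor Invoke-Command reliably gives the ADSI calls a domain identity that can reach AD (the second-hop problem). The script below is an added example, not code from either poster, that takes the approach of the accepted answer one step further: it accepts the group, user and password as parameters and binds to AD with an explicit credential through System.DirectoryServices, so it can run directly under SYSTEM with no impersonation. The group name AVD-Hosts, the account CONTOSO\svc-groupadd, the parameter names and the commandToExecute in the header comment are assumptions for illustration.

```powershell
<#
  Added example (not the original poster's Script1). Binds to AD with an explicit
  credential so it works under the CSE's SYSTEM account. Assumed CSE invocation,
  with the secret coming from a Key Vault reference in the template parameters:

  "protectedSettings": {
    "commandToExecute": "[concat('powershell.exe -ExecutionPolicy Bypass -NonInteractive -File Script1.ps1 -Group AVD-Hosts -User CONTOSO\\svc-groupadd -Password ', parameters('keyvaultpass'))]"
  }
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Group,      # sAMAccountName of the target AD group (assumed name)
    [Parameter(Mandatory)] [string] $User,       # DOMAIN\user with "Write Members" on that group (assumed name)
    [Parameter(Mandatory)] [string] $Password,   # supplied by the CSE from protectedSettings
    [string] $ComputerName = $env:COMPUTERNAME
)

$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices

# Secure = Kerberos/NTLM authentication; Sealing = encrypt the LDAP session.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing

# Serverless bind to RootDSE (the VM is already domain joined) using the explicit credential,
# then bind to the default naming context of that domain.
$root      = [System.DirectoryServices.DirectoryEntry]::new('LDAP://RootDSE', $User, $Password, $authType)
$defaultNc = $root.Properties['defaultNamingContext'][0]
$domain    = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$defaultNc", $User, $Password, $authType)

function Find-AdObjectDn {
    # Resolve a sAMAccountName to a distinguishedName, searching with the credentialed root.
    param([string] $SamAccountName)
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($domain)
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "Object '$SamAccountName' not found under $defaultNc" }
    return $result.Properties['distinguishedname'][0]
}

# Computer accounts carry a trailing $ on their sAMAccountName.
$computerDn   = Find-AdObjectDn -SamAccountName "$ComputerName`$"
$groupDn      = Find-AdObjectDn -SamAccountName $Group
$computerPath = "LDAP://$computerDn"

# Bind to the group with the same credential; IsMember/Add then run as $User,
# not as SYSTEM, so no Start-Process or remoting hop is involved.
$groupEntry = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$groupDn", $User, $Password, $authType)

if ([bool]$groupEntry.Invoke('IsMember', $computerPath)) {
    Write-Output "$ComputerName is already a member of $Group"
} else {
    $groupEntry.Invoke('Add', $computerPath)   # IADsGroup.Add takes effect immediately
    Write-Output "Added $ComputerName to $Group"
}
```

Two caveats worth keeping in mind with this pattern. protectedSettings keeps the command out of the template's plain settings and the extension's own logs, but while the script runs the password is still visible in the VM's process command line (for example through Win32_Process) and in any PowerShell transcription that is enabled, so the account should be a dedicated one whose only right is "Write Members" on that single group, not a domain admin or the domain-join account. And because the CSE reruns on template redeployment, the membership check before the Add keeps the script idempotent rather than erroring on an existing member.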
