Add local AD group when provisioning an Azure VM with an ARM template - Azure Virtual Desktop

Posted 2025-01-15 02:42:56


I have a requirement to provision an Azure VM with an ARM template, which consists of creating the machine, adding the domain join, registering the host pool and enabling Azure Disk Encryption. We will be using an image.
I tried to use the Custom Script Extension at the end to run a ps1 which can add the machine object to an AD group.

Script1

$SysInfo = New-Object -ComObject "ADSystemInfo"
# ADSystemInfo.ComputerName returns the distinguished name of this computer account
$ComputerDN = $SysInfo.GetType().InvokeMember("ComputerName", "GetProperty", $Null, $SysInfo, $Null)
# Alternative lookup by sAMAccountName (computer accounts end in '$'); note that
# .Path already carries the LDAP:// prefix, so it would not need "LDAP://$ComputerDN" below
#$ComputerDN = ([ADSISEARCHER]"sAMAccountName=$($env:COMPUTERNAME)$").FindOne().Path
$ComputerDN
$Group = "groupname"
$group1dn = ([ADSISEARCHER]"sAMAccountName=$($Group)").FindOne().Path
$Groupdn = [ADSI]"$group1dn"

# Check if computer already a member of the group.
If ($Groupdn.IsMember("LDAP://$ComputerDN") -eq $False)
{
    # Add the computer to the group.
    $Groupdn.Add("LDAP://$ComputerDN")
}

Script2

# -Credential expects a PSCredential object, not a plain string
$password   = ConvertTo-SecureString "<password>" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("DOMAIN\user", $password)
Start-Process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Credential $credential -ArgumentList "-file <path of script1>"
**OR**
Invoke-Command -FilePath <path of script1> -Credential $credential -ComputerName localhost

Both ps1 files are downloaded to the machine via CSE, which then triggers the second script (script2).

For Start-Process it says access denied (because the CSE runs as the system account and may be unable to change to the domain user).
Invoke-Command can impersonate; however, it requires the domain user to be added to the local Administrators group and PSRemoting to be enabled on the machine, and in spite of doing this I am still having issues.

Exception calling "InvokeMember" with "5" argument(s): "Access is denied."

The following exception occurred while retrieving member "IsMember": "An operations error occurred."

How to get this done with CSE?


Comments (2)

巾帼英雄 2025-01-22 02:42:56


To simplify script1 a bit, you can try using the WinNT names and skip searching AD:

$Group = "Domain Computers"
$Domain = 'CONTOSO'  # NETBIOS name
$ADGroup = [ADSI]"WinNT://$Domain/$Group"

# Check if computer already a member of the group. Computer accounts get $ at the end
If (-not ($ADGroup.isMember("WinNT://$Domain/$env:COMPUTERNAME$"))) {
  # Add the computer to the group, using the same WinNT binding and path
  $ADGroup.Add("WinNT://$Domain/$env:COMPUTERNAME$")
}

script2's Start-Process should be fine as long as the VM is already joined to the domain, and the cred username is in DOMAIN\user format. You could try testing the command below for example - no variables, just fill in the names.

It can be a pain to get the output of started processes. I added ;Read-Host 'waiting' to test true/false output in a shell window. If you can't run it interactively, you could use -RedirectStandardOutput 'c:\folder\result.out' and check the file.

$Credential = Get-Credential CONTOSO\user
Start-Process powershell.exe -Cred $Credential -Wait -Arg `
  "-C ([ADSI]'WinNT://CONTOSO/Domain Computers').isMember('WinNT://CONTOSO/MyHostname$')"

On my PC, this returns an error start-process : Access is denied, but does successfully impersonate my domain user and start the process... so I'm not exactly sure what its deal is.

Invoke-Command works well for anything local to the machine, but it still counts as remoting. isMember() is not able to authenticate to your AD service because of second-hop restrictions. This behavior can be changed, but it's not recommended.

别挽留 2025-01-22 02:42:56


I figured it out.. thanks for the suggestions, Cpt.Whale.

I used only script1 (expecting a domain password parameter) in the CSE, which downloads to the machine after the domain join.
Then I used the protected settings in the CSE to run the ps1 and pass the Key Vault references.
"commandToExecute": "[concat('powershell.exe -file Scrip1.ps1',' -password(param in the script1) ,parameters('keyvaultpass'))]"

/Naveen
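As an added example (not code from the asker or from Cpt.Whale), here is a single script1 written the way the final approach works: the Custom Script Extension runs it directly as SYSTEM, the domain account and its Key Vault password arrive as parameters through protectedSettings, and the script binds to AD with those explicit credentials instead of spawning a second process, which is what removes both the Start-Process "Access is denied" and the Invoke-Command second-hop problem. The parameter names and the account and group names are assumptions.

```powershell
# Added example, not the asker's or Cpt.Whale's code. One script1 that the CSE
# runs directly as SYSTEM; the domain account and its password arrive as
# parameters (pass them via protectedSettings, e.g. a Key Vault reference, so
# they are not written to the extension's public settings). Parameter names
# and the account/group names are assumptions.
param(
    [Parameter(Mandatory)][string]$User,      # assumed, e.g. CONTOSO\svc-avd-group
    [Parameter(Mandatory)][string]$Password,  # assumed, from a Key Vault reference
    [Parameter(Mandatory)][string]$Group      # sAMAccountName of the AD group
)

Add-Type -AssemblyName System.DirectoryServices

# Bind to the domain with explicit credentials: this is what replaces the
# Start-Process / Invoke-Command hop, so no impersonation is needed.
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList 'LDAP://RootDSE', $User, $Password
$domainDn = $rootDse.Properties['defaultNamingContext'].Value
$domain   = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$domainDn", $User, $Password

function Find-AdPath([string]$SamAccountName) {
    # The searcher reuses the credentialed $domain binding as its search root.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $domain, "(sAMAccountName=$SamAccountName)"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Object '$SamAccountName' not found under $domainDn" }
    return $result.Path    # LDAP://CN=...,DC=... (prefix already included)
}

# Computer accounts have a trailing '$' in sAMAccountName.
$computerPath = Find-AdPath "$env:COMPUTERNAME`$"
$groupPath    = Find-AdPath $Group

$groupEntry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $groupPath, $User, $Password

# Invoke() calls the native IADsGroup methods over the credentialed binding,
# so both the membership check and the Add run as $User rather than SYSTEM.
if (-not [bool]$groupEntry.Invoke('IsMember', $computerPath)) {
    $groupEntry.Invoke('Add', $computerPath)
    Write-Output "Added $computerPath to $groupPath"
} else {
    Write-Output "$computerPath is already a member of $groupPath"
}
```

Even with protectedSettings the password still lands on the VM's powershell.exe command line, so give the account only the delegated right to modify that one group's membership rather than broad AD rights. The membership change is then recorded on the domain controller as that account, which is the event a defender should expect to see for each newly provisioned host.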
