使用Azure Runbook在远程VM上特定用户下调用Invoke-AzVMRunCommand和Start-Process [英] Invoke-AzVMRunCommand and Start-Process under specific user on remote VM using Azure Runbook
问题描述
我需要使用Azure Powershell Runbook在具有特定用户帐户的远程VM上运行Start-Process
I need to run Start-Process on a remote VM with specific user account using Azure Powershell Runbook
function Install-Postgres {
$username = "aact-import-vm1\aact-importer"
$password = "ChangeMe!"
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList `
@($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
write-output $cred
# run pg installer
Start-Process "C:\Program Files\WindowsPowerShell\Modules\Install-Postgres\postgresql.exe" -ArgumentList `
"--mode unattended", "--unattendedmodeui none",`
"--prefix `"C:\Program Files\PostgreSQL\10`"", "--datadir `"C:\Program Files\PostgreSQL\10\data`"",
"--superpassword `"ChangeMe!`"",`
"--servicename `"postgres`"", "--serviceaccount `"postgres`"", "--servicepassword `"ChangeMe!`""`
-Wait -Credential $cred;
}
$script = Get-Content Function:\Install-Postgres
Out-File -FilePath Install.ps1 -InputObject $script
#Note that the -ScriptPath should not point to the remote path(in remote vm), it should point to the local path where you execute the command Invoke-AzureRmVMRunCommand
$output = Invoke-AzVMRunCommand -ResourceGroupName $resourceGroupName -Name $vmName -CommandId 'RunPowerShellScript' -ScriptPath Install.ps1
write-output $output.Value
#after execution, you can remove the file
Remove-Item -Path Install.ps1
上面的脚本产生以下错误:
The script above produces the following error:
启动过程:由于错误而无法运行此命令:访问被拒绝。
如果我运行上述脚本没有特定的凭据,postgres安装程序会在日志中产生此错误:
If I run the script above without specific credentials the postgres installer produces this error in the log:
Executing icacls "C:\Windows\Temp/postgresql_installer_1ef9b3f2c6" /T /Q /grant "WORKGROUP\aact-import-vm1$:(OI)(CI)F"
Script exit code: 1332
Script output:
Successfully processed 0 files; Failed processing 1 files
Script stderr:
WORKGROUP\aact-import-vm1**$**: No mapping between account names and security IDs was done.
请注意,符号 $ 代替了用户名。
Please notice that there is symbol $ instead of user name.
但是,如果我在VM上运行它,则可以正常工作并在日志中生成以下行:
However, if I run it on the VM it works fine and produces this line in the log:
Executing icacls "C:\Users\aact-importer\AppData\Local\Temp\2/postgresql_installer_2662c862ff" /T /Q /grant "aact-import-vm1\aact-importer:(OI)(CI)F"
Script exit code: 0
As据我所知,如果我在没有凭据的情况下远程运行runbook脚本,则它将在NTAUTHORITY\SYSTEM下运行,这就是为什么postgres安装程序日志中使用符号$代替用户名的原因。如果我在本地运行它,它将使用适当的用户,并且一切正常。
As far as I can see, If I run runbook script remotely without credentials it runs under NTAUTHORITY\SYSTEM that's why there is symbol $ instead of user name in the postgres installer log. If I run it locally it uses proper user and everything works fine.
问题是:如何指定用户帐户在远程VM上运行启动进程?
The question is: how can I specify a user account to run Start-Process on the remote VM?
Same question on msdn https://social.msdn.microsoft.com/Forums/en-US/a7fa0ca8-5cba-42bb-8076-9a8d4a654beb/invokeazvmruncommand-and-startprocess-under-specific-user-on-remote-vm-using-azure-runbook?forum=azureautomation#a7fa0ca8-5cba-42bb-8076-9a8d4a654beb
推荐答案
对于有兴趣的人:
在获得MS支持的调查后,他们确认Runbook(非混合版本)始终在NTAUTHORITY\SYSTEM下运行
After investigation with MS support they confirmed that runbook (not hybrid) always runs under NTAUTHORITY\SYSTEM
这篇关于使用Azure Runbook在远程VM上特定用户下调用Invoke-AzVMRunCommand和Start-Process的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!