Hi all,
Per the title question, is there a way to elevate a runbook so as to be able to use the New-ADUser cmdlet in PowerShell?
Previously, an agent-based hybrid worker allowed for the execution of PowerShell scripts using an administrator account on an on-prem server. Since migrating to an extension-based hybrid worker, most of my scripts are hit with "Access is denied" errors as a result.
My situation is that I need to be able to automate the creation of users in our Active Directory.
We were previously able to do this by installing the Microsoft Monitoring Agent on our management server/domain controller, from which we could specify which domain account to use for the execution of the following PowerShell script.
    Param
    (
        [Parameter (Mandatory = $true)]
        [object] $WebhookData
    )

    # Stop the runbook here if either module is unavailable, instead of failing later on the cmdlet call.
    Import-Module ActiveDirectory -ErrorAction Stop
    if (-not (Get-Module ActiveDirectory)) { throw "ActiveDirectory module is not loaded." }
    Import-Module Microsoft.PowerShell.Utility -ErrorAction Stop
    if (-not (Get-Module Microsoft.PowerShell.Utility)) { throw "Microsoft.PowerShell.Utility module is not loaded." }

    # Without a webhook body there is nothing to create; bail out rather than calling New-ADUser with empty values.
    if (-not $WebhookData) { throw "No webhook data received." }

    # Parse the JSON request body; missing fields are derived from the full name.
    $inObject       = ConvertFrom-Json -InputObject $WebhookData.RequestBody
    $name           = $inObject.Name
    $givenName      = if ($inObject.GivenName) { $inObject.GivenName } else { $name.Split(" ")[0] }
    $surname        = if ($inObject.Surname)   { $inObject.Surname }   else { $name.Split(" ")[1] }
    $email          = if ($inObject.Email)     { $inObject.Email }     else { ("$givenName.$surname@domain.com").ToLower() }
    $upn            = $email
    $samAccountName = $email.Split("@")[0]

    New-ADUser -Name $name -DisplayName $name -GivenName $givenName -Surname $surname -EmailAddress $email -UserPrincipalName $upn -SamAccountName $samAccountName
Using the new extension-based hybrid worker, New-ADUser and anything that requires elevated privileges fails.
I've tried including the following elevation into my script,
    # Relaunch the script with "Run as administrator" if the current token is not in the local Administrators role.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
        Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
        exit
    }
but I'm still getting "Access is denied".
Any guidance on how to get this working again would be much appreciated.
Thomas
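One way to run New-ADUser under a delegated domain account from a runbook, as an added example that is not part of Thomas's post: instead of trying to elevate the worker process, the script pulls a credential from an Azure Automation credential asset (the asset name "AD-UserProvisioning" is hypothetical) and passes it to New-ADUser via its -Credential parameter. The domain and OU path are placeholders, and the webhook body is validated before anything is written to the directory, since the request body is attacker-controllable input from the runbook's point of view.

```powershell
# Added example; assumes an Azure Automation credential asset "AD-UserProvisioning"
# (hypothetical name) holding a domain account that is delegated only the right to
# create user objects in the target OU, and a hybrid worker with the ActiveDirectory module.
Param(
    [Parameter(Mandatory = $true)]
    [object] $WebhookData
)

Import-Module ActiveDirectory -ErrorAction Stop

if (-not $WebhookData) { throw "This runbook must be started from a webhook." }

$inObject = ConvertFrom-Json -InputObject $WebhookData.RequestBody

# Accept only letters and hyphens in a name part. This keeps LDAP filter metacharacters,
# path separators and control characters out of the attributes built from the webhook body.
function Test-NamePart {
    param([string] $Value)
    return ($Value -match '^[A-Za-z][A-Za-z\-]{0,63}$')
}

$givenName = $inObject.GivenName
$surname   = $inObject.Surname
if (-not (Test-NamePart $givenName) -or -not (Test-NamePart $surname)) {
    throw "Invalid or missing GivenName/Surname in webhook payload."
}

$name           = "$givenName $surname"
$email          = ("$givenName.$surname@domain.com").ToLower()     # placeholder domain
$samAccountName = $email.Split("@")[0]
if ($samAccountName.Length -gt 20) { throw "sAMAccountName exceeds the 20-character limit." }

# Least-privilege account from the credential asset; the runbook itself never elevates.
$cred = Get-AutomationPSCredential -Name 'AD-UserProvisioning'    # hypothetical asset name

# Fail closed if the account already exists rather than erroring part-way through.
# $samAccountName has passed Test-NamePart, so it cannot alter the filter.
$existing = Get-ADUser -Filter "SamAccountName -eq '$samAccountName'" -Credential $cred
if ($existing) { throw "User $samAccountName already exists." }

New-ADUser -Name $name -DisplayName $name -GivenName $givenName -Surname $surname `
    -EmailAddress $email -UserPrincipalName $email -SamAccountName $samAccountName `
    -Path 'OU=Users,DC=domain,DC=com' -Credential $cred -ErrorAction Stop   # placeholder OU

Write-Output "Created $samAccountName"
```

Passing -Credential per call keeps the worker's own service identity unprivileged and makes the provisioning account the only thing that needs delegated rights in AD, which also gives a clean audit trail (every new user object is created by that one account). Azure Automation hybrid worker groups can alternatively be configured with a custom Run As credential so the whole runbook executes under that account; the per-cmdlet credential shown here is the narrower option.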