How to elevate Runbook Powershell to create New-ADUser

Thomas Lu 41 Reputation points
2023-09-21T22:48:51.67+00:00

Hi all,

Per the title question, is there a way to elevate a runbook so as to be able to use the New-ADUser cmdlet in Powershell?

Previously, an agent-based hybrid worker allowed for the execution of Powershell scripts using an administrator account on an on-prem server. Since migrating to an extension-based hybrid worker, most of my scripts are hit with Access is denied errors as a result.

My situation is that I need to be able to automate the creation of users on our active directory.

We were previously able to do this by installing the Microsoft Monitoring Agent on our management server/domain controller, from which we could specify which domain account to use for the execution of the following Powershell script.

Param
(
  [Parameter (Mandatory= $true)]
  [object] $WebhookData
)

# Fail fast if a required module is missing instead of continuing with empty checks
Import-Module ActiveDirectory
if (-not (Get-Module ActiveDirectory)) { throw "ActiveDirectory module is not available on this worker" }

Import-Module Microsoft.PowerShell.Utility
if (-not (Get-Module Microsoft.PowerShell.Utility)) { throw "Microsoft.PowerShell.Utility module is not available" }

# Without webhook data every variable below would be empty, so stop before New-ADUser is reached
if (-not $WebhookData) { throw "No webhook data received; this runbook expects a JSON request body" }

$inObject = ConvertFrom-Json -InputObject $WebhookData.RequestBody

$name             = $inObject.Name
# Derive first name, surname and e-mail from the full name when they are not supplied explicitly
$givenName        = if($inObject.GivenName) {$inObject.GivenName} else {$name.Split(" ")[0]}
$surname          = if($inObject.Surname) {$inObject.Surname} else {$name.Split(" ")[1]}
$email            = if($inObject.Email) {$inObject.Email} else {("$givenName.$surname@domain.com").ToLower()}

$upn              = $email
$samAccountName   = $email.Split("@")[0]

New-ADUser -Name $name -DisplayName $name -GivenName $givenName -Surname $surname -EmailAddress $email -UserPrincipalName $upn -SamAccountName $samAccountName

Using the new extension-based hybrid worker, New-ADUser and anything that requires elevated privileges fails.

I've tried including the following elevation into my script,

if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }

but I'm still getting Access is denied.

Any guidance on how to get this working again would be much appreciated.

Thomas


Accepted answer
Luke Murray 11,076 Reputation points MVP
2023-09-24T02:19:15.6966667+00:00

Hi, Thomas.

Jobs for Hybrid Runbook Workers run under the local System account of the worker.

So your System account won't have access to Active Directory.
Reference: Service accounts

Your best bet would be to add an account that has the rights to make the changes to a Credential object in Azure Automation:

$Cred = Get-AutomationPSCredential -Name "MyCredential"

$Computer = Get-AutomationVariable -Name "ComputerName"

Restart-Computer -ComputerName $Computer -Credential $Cred

Reference: Use runbook authentication to local resources
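Applied to the runbook from the question, as an added example that is not code from the question or the answer: the webhook-driven script reworked so that New-ADUser runs under a delegated account stored as an Automation Credential asset rather than under the worker's System account. The asset names "AD-UserProvisioning" and "ADServer", the domain, and the target OU are assumptions.

```powershell
# Added example: webhook runbook creating an AD user with a stored credential, not the original script.
Param (
    [Parameter(Mandatory = $true)]
    [object] $WebhookData
)

Import-Module ActiveDirectory -ErrorAction Stop

if (-not $WebhookData) { throw "This runbook must be started from a webhook." }

$inObject = ConvertFrom-Json -InputObject $WebhookData.RequestBody
if (-not $inObject.Name) { throw "RequestBody must contain a Name." }

$name      = $inObject.Name
$parts     = $name.Split(" ", 2)
$givenName = if ($inObject.GivenName) { $inObject.GivenName } else { $parts[0] }
$surname   = if ($inObject.Surname)   { $inObject.Surname }   else { $parts[1] }
$email     = if ($inObject.Email)     { $inObject.Email }     else { ("$givenName.$surname@domain.com").ToLower() }
$sam       = $email.Split("@")[0]

# Credential asset for a delegated account (assumed name): not a Domain Admin, only
# "Create User objects" rights on the target OU, so a compromised runbook cannot do more.
$cred   = Get-AutomationPSCredential -Name "AD-UserProvisioning"
$server = Get-AutomationVariable -Name "ADServer"     # assumed variable asset, e.g. dc01.domain.com
$ou     = "OU=NewHires,DC=domain,DC=com"              # assumed target OU

# Idempotency guard: re-delivered webhooks must not fail the job or clobber an existing account.
if (Get-ADUser -Filter { SamAccountName -eq $sam } -Server $server -Credential $cred) {
    Write-Output "User $sam already exists; nothing to do."
    return
}

# Random initial password from a CSPRNG; the account starts disabled and must change it at first logon.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# -Credential and -Server are what make this work under the extension-based worker's System context.
New-ADUser -Name $name -DisplayName $name -GivenName $givenName -Surname $surname `
    -EmailAddress $email -UserPrincipalName $email -SamAccountName $sam `
    -Path $ou -AccountPassword $initialPassword -Enabled $false -ChangePasswordAtLogon $true `
    -Server $server -Credential $cred

Write-Output "Created $sam in $ou as $($cred.UserName)."
```

The hybrid worker still needs the RSAT ActiveDirectory module installed and network reachability to the domain controller's AD Web Services port, and the job log will show the delegated account's name rather than SYSTEM on the domain controller's audit events.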

