How to elevate Runbook PowerShell to create New-ADUser

Thomas Lu 41 Reputation points
2023-09-21T22:48:51.67+00:00

Hi all,

Per the title question, is there a way to elevate a runbook so as to be able to use the New-ADUser cmdlet in PowerShell?

Previously, an agent-based hybrid worker allowed for the execution of PowerShell scripts using an administrator account on an on-prem server. Since migrating to an extension-based hybrid worker, most of my scripts are hit with "Access is denied" errors as a result.

My situation is that I need to be able to automate the creation of users on our active directory.

We were previously able to do this by installing the Microsoft Monitoring Agent on our management server/domain controller, from which we could specify which domain account to use for the execution of the following PowerShell script.

Param
(
  [Parameter (Mandatory= $true)]
  [object] $WebhookData
)

# Load the RSAT ActiveDirectory module and fail early if it is not available on the worker.
Import-Module ActiveDirectory
if (-not (Get-Module ActiveDirectory)) { throw "ActiveDirectory module could not be loaded." }

Import-Module Microsoft.PowerShell.Utility
if (-not (Get-Module Microsoft.PowerShell.Utility)) { throw "Microsoft.PowerShell.Utility module could not be loaded." }

if ($WebhookData){
  # The webhook body is a JSON document; fields not supplied are derived from Name.
  $inObject = ConvertFrom-Json -InputObject $WebhookData.RequestBody

  $name             = $inObject.Name
  $givenName        = if($inObject.GivenName) {$inObject.GivenName} else {$name.Split(" ")[0]}
  $surname          = if($inObject.Surname) {$inObject.Surname} else {$name.Split(" ")[1]}
  $email            = if($inObject.Email) {$inObject.Email} else {("$givenName.$******@domain.com").ToLower()}

  # UPN matches the mail address; sAMAccountName is the local part of it.
  $upn              = $email
  $samAccountName   = $email.Split("@")[0]
}

New-ADUser -Name $name -DisplayName $name -GivenName $givenName -Surname $surname -EmailAddress $email -UserPrincipalName $upn -SamAccountName $samAccountName

Using the new extension-based hybrid worker, New-ADUser and anything that requires elevated privileges fails.

I've tried including the following elevation into my script,

if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
  Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
  exit
}

but I'm still getting "Access is denied".

Any guidance on how to get this working again would be much appreciated.

Thomas

Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
Windows for business | Windows Server | User experience | PowerShell

Answer accepted by question author
  1. Luke Murray 11,521 Reputation points MVP Volunteer Moderator
    2023-09-24T02:19:15.6966667+00:00

    Hi, Thomas.

    Jobs for Hybrid Runbook Workers run under the local System account of the worker.

    So your System account won't have access to Active Directory.
    Reference: Service accounts

    Your best bet would be to add an account that has the rights to make the changes to a Credential object in Azure Automation:

    $Cred = Get-AutomationPSCredential -Name "MyCredential"

    $Computer = Get-AutomationVariable -Name "ComputerName"

    Restart-Computer -ComputerName $Computer -Credential $Cred

    Reference: Use runbook authentication to local resources
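The accepted answer's approach carried through to the question's New-ADUser case, as an added example that is not part of the original question or answer. It reads the same webhook body as the question's script, pulls a Credential asset, and passes it to every AD cmdlet explicitly instead of trying to elevate the local job. The asset name AD-UserProvisioning, the domain controller dc01.corp.example, the OU OU=Staff,DC=corp,DC=example and the UPN suffix corp.example are placeholders. Two checks a practitioner would want here: the account stored in the asset should be a dedicated one delegated only "Create User objects" rights on that OU, not a domain admin, because whoever can hit the webhook gets whatever that account can do; and the webhook body is validated before it is turned into directory attributes.

```powershell
# Added example (not the original poster's script or the answer's code).
# Extension-based Hybrid Runbook Worker jobs run as the worker's local SYSTEM
# account, which is not a domain principal, so all directory work is done with
# an explicit credential from an Automation Credential asset.
# Assumed placeholders: asset 'AD-UserProvisioning', DC 'dc01.corp.example',
# OU 'OU=Staff,DC=corp,DC=example', UPN suffix 'corp.example'.

Param(
    [Parameter(Mandatory = $true)]
    [object] $WebhookData
)

Import-Module ActiveDirectory -ErrorAction Stop

# Dedicated provisioning account: delegated create rights on the target OU only.
$Cred   = Get-AutomationPSCredential -Name 'AD-UserProvisioning'   # assumed asset name
$Server = 'dc01.corp.example'                                       # assumed DC
$OU     = 'OU=Staff,DC=corp,DC=example'                             # assumed target OU
$Suffix = 'corp.example'                                            # assumed UPN suffix

if (-not $WebhookData) { throw 'This runbook must be started from its webhook.' }
$in = ConvertFrom-Json -InputObject $WebhookData.RequestBody

# The webhook body is untrusted input: require both name parts and restrict
# them to a conservative character set before building any attribute value.
foreach ($field in 'GivenName', 'Surname') {
    if (-not $in.$field) { throw "Webhook body is missing $field." }
    if ($in.$field -notmatch "^[A-Za-z][A-Za-z' -]{0,49}$") { throw "Rejected $field value." }
}

$givenName      = $in.GivenName.Trim()
$surname        = $in.Surname.Trim()
$name           = "$givenName $surname"
# sAMAccountName: letters, digits and dots only, lower case, max 20 characters.
$samAccountName = ("$givenName.$surname" -replace '[^A-Za-z0-9.]', '').ToLower()
if ($samAccountName.Length -gt 20) { $samAccountName = $samAccountName.Substring(0, 20) }
$upn            = "$samAccountName@$Suffix"

# Refuse to collide with an existing principal rather than failing half way through.
if (Get-ADUser -Filter "SamAccountName -eq '$samAccountName'" -Server $Server -Credential $Cred) {
    throw "Account $samAccountName already exists."
}

# Random initial password; the account is created disabled and is enabled by
# the onboarding process that hands the password over out of band.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $name -DisplayName $name -GivenName $givenName -Surname $surname `
           -SamAccountName $samAccountName -UserPrincipalName $upn -EmailAddress $upn `
           -Path $OU -AccountPassword $initialPassword -Enabled $false `
           -ChangePasswordAtLogon $true `
           -Server $Server -Credential $Cred -ErrorAction Stop

Write-Output "Created $samAccountName in $OU using $($Cred.UserName)"
```

The elevation one-liner from the question does not help here: SYSTEM already has every local right, and the failure is a missing domain identity, not a missing local one. Passing -Credential (and -Server, so the bind goes to a known DC) to each AD cmdlet is the fix; for a cmdlet that has no -Credential parameter, wrap the call in Invoke-Command -ComputerName $Server -Credential $Cred instead.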


0 additional answers
