Run custom script extension as domain user

Change4324 1 Reputation point
2021-02-12T07:34:14.35+00:00

Hi,

Goal: AD Join storage account running CSE to run as domain user and execute script

I’ve been trying to run a script on a domain joined VM (using CSE) to domain join a storage account. The requirement for this is that it has to run with a hybrid/domain admin. I have already tested executing this script as local admin account and it has worked perfectly fine in running the script as the domain admin in a new session (using admin credentials & Invoke-Command). However, when I execute this script through custom script extension I get the following error:

Error
"message": "New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message : Access is
denied. For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\1.10.9\Downloads\0\customScript.ps1:46 char:25
+ ... erSession = New-PSSession -Credential $credential -Authentication Cre ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The precise line it fails in the script is here:
New-PSSession -Credential $credential -Authentication Credssp;

Steps tried (so far)
• I understand that CSE runs scripts as a system account so was trying to reproduce the issue using Invoke-CommandAs with system user but could not repro the issue.
• I’ve also tried to run this using psexec similar to the example found here (line 173 & 177): https://github.com/Azure/wvdquickstart/blob/ede9daad93a80056cbb4d187990dd769733182b3/Uploads/WVDScripts/001-AzFiles/cse_run.ps1 but have had no luck yet as I get auth & other failures

Note: I've found that I have to add the domain user to the local admin group when running invoke command otherwise I get access denied, which may perhaps be a restriction from my enterprise AD (that is locally).

  • My code:
    # Bind to the local Administrators group via ADSI (the [ADSI] cast and the group path were lost in extraction; the path below is an assumed reconstruction)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.Add("WinNT://$domainUser,user")
    # Open a loopback session as the domain user; CredSSP is required so the session can pass the credential on to the storage account join
    $domainSession = New-PSSession -Credential $domainCredential -Authentication Credssp
    try {
        Invoke-Command -Session $domainSession -ScriptBlock { pwsh -ExecutionPolicy Unrestricted -File $Using:joinDomainScriptPath $args }
    } finally {
        Remove-PSSession $domainSession
    }
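A diagnostic script to deploy through the Custom Script Extension before the join script itself, added here as an example and not part of the question above; it records the identity CSE actually runs under, the client/server CredSSP state, WinRM reachability, the local Administrators membership the poster found necessary, and whether a credential-delegation policy is present. The `$domainUser` parameter is assumed. Note that CredSSP forwards the supplied domain credential to the target in reusable form, so a domain admin credential embedded in a CSE script is exposed on the VM and in the extension's downloaded files.

```powershell
# Diagnostic for the CSE + CredSSP "Access is denied" case.
# Added example (not the poster's code); $domainUser (DOMAIN\user) is assumed.
param(
    [Parameter(Mandatory)] [string] $domainUser
)

$report = [ordered]@{}

# 1. Which identity is the extension running as? CSE runs as LocalSystem, which is
#    not the interactive local-admin session the script was tested from.
$report.RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$report.IsSystem  = ($report.RunningAs -eq 'NT AUTHORITY\SYSTEM')

# 2. CredSSP must be enabled on both sides of the loopback session: the client role
#    (delegate to localhost) and the server role (accept delegated credentials).
try {
    $report.CredSSP = (Get-WSManCredSSP) -join ' | '
} catch {
    $report.CredSSP = "Get-WSManCredSSP failed: $($_.Exception.Message)"
}

# 3. Is the WinRM listener reachable at all? Test-WSMan needs no credential.
try {
    $null = Test-WSMan -ComputerName localhost -ErrorAction Stop
    $report.WinRmListening = $true
} catch {
    $report.WinRmListening = $false
}

# 4. The poster found the domain user must be in local Administrators for the
#    session to be authorised; record whether that membership exists right now.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$report.UserIsLocalAdmin = [bool]($members | Where-Object { $_.Name -ieq $domainUser })

# 5. Group Policy can override Enable-WSManCredSSP; the CredentialsDelegation policy
#    key (AllowFreshCredentials etc.) is where such a restriction would show up.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$report.DelegationPolicyPresent = Test-Path $policyKey

# Emit as JSON so it is readable in the extension's stdout/status in the portal.
$report | ConvertTo-Json -Depth 3
```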
Azure Virtual Machines