VMware: Execute scripts by Invoke-VMScript as Administrator

Hi,

this post addresses the issue that, when Windows UAC is enabled, you cannot execute scripts with elevated Administrator permissions through PowerCLI's Invoke-VMScript. In my opinion, when I execute scripts on VMs, in more than 80% of these cases I need elevated user rights.

Other workarounds, like creating scheduled tasks and executing them, or starting PowerShell non-interactively, are not reliable enough.

First of all, I have no general solution for this topic, just a workaround.

The approach is:

  • Enable the built-in Administrator account, use it only for Invoke-VMScript, and create a second login for daily use.
  • Rename the Administrator account.
  • Use a strong password.
  • Disable it as soon as it is no longer required, i.e. execute the scripts after cloning, then disable it.
  • Prevent the local Administrator from logging in from the network.

For the built-in Administrator account (SID: S-1-5-…-500) it is possible to disable UAC while leaving it active for all other users. The related policy is

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
User Account Control: Use Admin Approval Mode for the built-in Administrator account: Disabled

To prevent the Administrator from logging on from the network, add it to the policy

Computer Configuration/Windows Settings/Security Settings/Local Policies/User rights assignment
Deny access to this computer from the network

For example, this makes it possible to rename the Windows computer name without doing a sysprep:

Invoke-VMScript -VM win7vm1 -Guestuser win7adm -GuestPassword "Password" -ScriptType bat -Scripttext "wmic path win32_computersystem where ""Name='%computername%'"" CALL rename name='win7vm1'"
----------------------------------------------------------------------------------------
|  Method execution successful.
|  Out Parameters:
|  instance of __PARAMETERS
|  {
|      ReturnValue = 0;
|  };
----------------------------------------------------------------------------------------

After finishing all tasks, disable the user:

Invoke-VMScript -VM win7vm1 -Guestuser win7adm -GuestPassword "Password" -ScriptType bat -Scripttext "net user win7adm /Active:No" -ErrorAction SilentlyContinue
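As an added example (not from the original post), the two calls above combined into one PowerCLI script that first checks the account really runs elevated, does the rename, and then disables the account in a finally block so it is not left active when the script fails. Assumed: VM win7vm1 and account win7adm from the post, the password is prompted for instead of typed on the command line, and whoami /groups reports the token integrity level as on Windows 7 and later.

```powershell
# Added example, not part of the original post. Runs one elevated script via the
# renamed built-in Administrator and disables that account afterwards, even on error.
param(
    [string]$VMName      = 'win7vm1',   # assumed, from the post
    [string]$GuestUser   = 'win7adm',   # assumed, the renamed built-in Administrator
    [string]$NewHostname = 'win7vm1'
)

$cred = Get-Credential -UserName $GuestUser -Message "Password for $GuestUser on $VMName"
$vm   = Get-VM -Name $VMName

function Invoke-GuestBat {
    param([string]$Text)
    # Invoke-VMScript returns a VMScriptResult with ScriptOutput and ExitCode.
    $r = Invoke-VMScript -VM $vm -GuestCredential $cred -ScriptType Bat -ScriptText $Text
    if ($r.ExitCode -ne 0) {
        throw "Guest script failed (exit $($r.ExitCode)): $($r.ScriptOutput)"
    }
    return $r.ScriptOutput
}

try {
    # Check 1: the token must be at High integrity, i.e. Admin Approval Mode is
    # really off for this account. Otherwise the policy from the post has not
    # taken effect yet and the rename below would fail without a clear error.
    $groups = Invoke-GuestBat 'whoami /groups'
    if ($groups -notmatch 'High Mandatory Level') {
        throw "$GuestUser is not running elevated; check the UAC policy and run gpupdate."
    }

    # The actual work: the same wmic rename as in the post. wmic exits 0 even when
    # the method fails, so the ReturnValue in the output is checked explicitly.
    $rename = Invoke-GuestBat "wmic path win32_computersystem where ""Name='%computername%'"" CALL rename name='$NewHostname'"
    if ($rename -notmatch 'ReturnValue = 0') {
        throw "Rename did not return 0:`n$rename"
    }
    Write-Host "Renamed to $NewHostname; a reboot is required."
}
finally {
    # Check 2: always close the window. The account disables itself; a failure here
    # is reported but not fatal, matching the post's -ErrorAction SilentlyContinue.
    $r = Invoke-VMScript -VM $vm -GuestCredential $cred -ScriptType Bat `
            -ScriptText "net user $GuestUser /Active:No" -ErrorAction SilentlyContinue
    if ($r -and $r.ExitCode -ne 0) {
        Write-Warning "Could not disable $($GuestUser): $($r.ScriptOutput)"
    }
}
```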

If somebody has a better solution, please let me know!

Michael
