Craig_G2
Hot Shot
Hot Shot

Adding a user to a newly provisioned VM

Hi all,

I'm trying to figure out how to add or create a user based on the requestor of the VM..

I'm using a clone workflow in my blue print so I'm guessing that VirtualMachine.Admin.AddOwnerToAdmins is out of the question. Currently I have a script that runs after the vm is provisioned, part of this is to scan GuestAgent.log for VirtualMachine.Admin.Owner then create a local user and add it to the Administrators group.

I'm guessing that this isn't the best or right way to do things so any pointers would be appreciated

Thanks!

0 Kudos
45 Replies
d-fens
Enthusiast
Enthusiast

Late reply but maybe still of interest: instead of using the GuestAgent and have it done on the machine you can always do this in the MachineProvisioned step and with a Invoke-VmGuest call to the machine provisioned. With that approach you might be more flexible depending what other tasks you want to perform. Ronald

Ronald Rink d-fens GmbH
Craig_G2
Hot Shot
Hot Shot

Thanks for this!

I ended up using the legacy.workflow.user as it appears to be an external property - My guest script then strips the domain and adds the user to the local admins.

My plan is to migrate tasks like this in to to vCAC workflow stubs, like you suggested, as I feel that you have more control over what is going on!

Kind Regards

0 Kudos
stacycarter
Enthusiast
Enthusiast

eatVM - Can you share how your guest script stripped the domain from the legacy.workflow.user value?  I'll need to do the same, because I'm trying to use the sample guest script from the Guest script manager package and it already specifies the domain as a separate value.

0 Kudos
qc4vmware
Virtuoso
Virtuoso

I did this with the vCO workflow stubs.  It is really easy to get this going just a few setup things which is outlined in the extensibility document which was released with 6.0.1 then a simple workflow.  For windows systems this is what I did.  You will want to replace the QCrunProgramInGuest with the canned runProgramInGuest workflow.

var vmOwnerEmail = vCACVmProperties.get("__Legacy.Workflow.User");

var vmOwner = vmOwnerEmail.substring(0,vmOwnerEmail.indexOf("@"));


//Add Local Admins

programPath = "c:\\Windows\\System32\\cmd.exe";

workingDirectory = "c:\\Windows\\System32";

arguments = "/c net LOCALGROUP Administrators /ADD " + vmOwner +" >> c:\\runQconfig\\provisioning.log";

result = System.getModule("com.qualcomm.basic").QCrunProgramInGuest(vm,vmUsername,vmPassword,interactiveSession,programPath,arguments,workingDirectory,environment);

You can also add a custom property if you want people to specify a list of user or group names that sort of thing but the __Legacy.Workflow.User property should map to the owner.

Craig_G2
Hot Shot
Hot Shot

This is pretty much what I did, only difference is that I now get VirtualMachine.Admin.Owner in the original machine provisioned workflow stub and pass it to the vco workflow as an input.

Then have this function (which, on it's own is best suited to an action) to strip away suffix:

function getUserCode(user) {

  //removes upn from the output of VirtualMachine.Admin.Owner

  //and returns usercode

  user = user.replace(/@.*$/i, "");

  return user;

  }

Smiley Happy

0 Kudos
Craig_G2
Hot Shot
Hot Shot

I've attached my workflow for ref Smiley Happy

Not as streamlined as the code from qc4vmware but it works for me.

0 Kudos
DLally
Enthusiast
Enthusiast

EatVM, your script is exactly what I need.  Users are in a different domain than what the VM's are going to be in, so removing the UPN is perfect.  However when I run your workflow in my scenario, it completes fine but doesnt actually add the user to the admin group.   I can run the command locally on the VM and it add fine. 

0 Kudos
Craig_G2
Hot Shot
Hot Shot

Sadly you need to disable UAC in the template for in guest commands to run!

I provision the machine with UAC disabled then re enable it at the end of the vco workflow with another in guest script.

Will be able to give more info tomorrow if you need it?

Cheers

0 Kudos
DLally
Enthusiast
Enthusiast

Weird, UAC is already disabled. 

0 Kudos
Craig_G2
Hot Shot
Hot Shot

Will look at my workflow when i'm in work and get back to you. It's been a while since i've looked at that particular part of the workflow.

0 Kudos
DLally
Enthusiast
Enthusiast

That's i'd appreciate it! Smiley Happy

0 Kudos
qc4vmware
Virtuoso
Virtuoso

My experience with uac has been that sometimes I think it is disabled but it is not in fact disabled.  Sometimes I have to go in and enable then disable for the change to really stick.  If you login to your image with an account that is in the local admin group, then launch a command window, if the title bar for the command window doesn't show up as in administrator mode then running the in guest scripts will fail on windows.  I have only noticed this issue in 2012 and 2012R2.  Anyway after flipping it on/off and also making sure in the registry that a certain key is flipped.  Take a look at this article http://social.technet.microsoft.com/wiki/contents/articles/13953.windows-server-2012-deactivating-ua...

0 Kudos
Craig_G2
Hot Shot
Hot Shot

qc4vmware is right.. I have seen this too.

  • Double check the registry settings to make sure UAC is disabled.
  • Check that the programPath and workingDirectory attributes are correct
  • Try changing the arguments variable in the scriptable task to one of the following:
    • var arguments = "echo hello >> c:\test.txt";
    • var arguments = "echo Add user: " + user + " to " + " the " + group + " group >> c:\test.txt";
  • That will at least give you an idea if the script is running or not

Let us know how you get on! :smileylaugh:

0 Kudos
DLally
Enthusiast
Enthusiast

My VM's are 2008, but I still disabled UAC like the link stated to.  Verified the paths are fine.   So it looks like the script isnt even getting ran on my guest at this point.    I tried to ouput a text file to see if it was even executing and it's not outputing anything.

0 Kudos
Craig_G2
Hot Shot
Hot Shot

Wait - interactive session isn't set to true is it?? This needs to be false.

Try running the script from vco whilst logged on with the user you tell vco to use.

0 Kudos
Craig_G2
Hot Shot
Hot Shot

Here: guestAuth.interactiveSession = false;

0 Kudos
DLally
Enthusiast
Enthusiast

Ok I tried running it with the same user I was logged in with, still nothing.

Where do I need to add that new guestAuth to?  Sorry this is still all kinda new to me.

0 Kudos
Craig_G2
Hot Shot
Hot Shot

That should be in the second scriptable task in the workflow.. The param is already there, just check what it's value is.

0 Kudos
DLally
Enthusiast
Enthusiast

I noticed this mornign when looking at this workflow again, the vm variable's value says "not found" although I'm selecting a VM to run it on to test. 

0 Kudos