Craig_G2
Hot Shot

Adding a user to a newly provisioned VM

Hi all,

I'm trying to figure out how to add or create a user based on the requestor of the VM.

I'm using a clone workflow in my blueprint so I'm guessing that VirtualMachine.Admin.AddOwnerToAdmins is out of the question. Currently I have a script that runs after the VM is provisioned; part of this is to scan GuestAgent.log for VirtualMachine.Admin.Owner, then create a local user and add it to the Administrators group.

I'm guessing that this isn't the best or right way to do things so any pointers would be appreciated

Thanks!

0 Kudos
45 Replies
DLally
Enthusiast

Never mind, that must be something to do with vco logging or something. Either way, I ran it again and the vm value was populating as expected. I did verify guestAuth.interactiveSession = false; as well.

0 Kudos
Craig_G2
Hot Shot

I'm really stumped...

Could you double check these settings in the template's registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:

ConsentPromptBehaviorAdmin = 00000000

EnableLUA = 00000000

Also, could you export your workflow under a different name and attach it to the thread so I can take a look? I can't import the one I attached as I already have a newer version.

Cheers

0 Kudos
DLally
Enthusiast

I verified those registry entries are as expected.  Here's the workflow. 

0 Kudos
DLally
Enthusiast

Could the problem be anything to do with the fact that, when doing this locally, the command prompt needs to be run as administrator? Is that being done in the script or is there any way to do that?

0 Kudos
Craig_G2
Hot Shot

Did you see my PM?

Also, as you have disabled UAC you don't need to "run as administrator". The user running the script will need to have appropriate rights. I just use a local admin.

0 Kudos
Craig_G2
Hot Shot

Try running it whilst logged in to launch notepad

var arguments = "/c notepad.exe";

0 Kudos
DLally
Enthusiast

I'm not showing any PMs right now. One thing though, with UAC disabled, I still have to run cmd as admin to run the command locally.

0 Kudos
Craig_G2
Hot Shot

Here is what I've been trying to send:

http://pastebin.com/PpYBQz4e

For some reason it keeps barfing when I press submit

0 Kudos
DLally
Enthusiast

Ok so it loads notepad, but it prompts me "a program running on this computer is trying to display a message". So I have to hit view message then it'll show notepad opened, or just hit ask me later.

0 Kudos
Craig_G2
Hot Shot

Can you take a screenshot? It really sounds like UAC to me... I know you have checked it a million times but it shouldn't prompt you at all.

0 Kudos
DLally
Enthusiast

Ok so it looks like it's working now.  I forgot to comment out the other var arguments.  It's adding the user.  Awesome, thanks so much for helping me through this.

One side question if you have time.

If I want to specify what domain to add it from, can I do that? I noticed that sometimes it'll add the user from the root domain, and not the child domain that the machine is actually running on. I have child domains for our test/dev/qa domains, so the way this removes the UPN is perfect. I have 3 different blueprints based on what domain they're going on, so if I have to I can just create 3 different workflows for this and statically set what domain to join. If that's possible?

0 Kudos
Craig_G2
Hot Shot

I guess you could use a custom property in each blueprint:

vcac.blueprint.test = test

vcac.blueprint.dev = dev

vcac.blueprint.live = live

Then you can query this in vco..

My guess is that you would have to then use some logic to re-append the correct UPN to the username based on which blueprint is used...

if (blueprint == "test"){

    var localUser = userCode + "@test.domain.com";

}

Then pass localUser to the net localuser command... this should add the user from the correct domain then.

That's only off the top of my head though, can't be 100% sure without testing. 🙂

0 Kudos
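The blueprint-to-domain idea from the reply above, written out as an added example (not code from the thread or from the attached workflow). It builds the cmd.exe arguments and rejects any requester name that could alter the command line. The helper names, the `dev` and `live` domain suffixes and the use of `net localgroup` are assumptions; only `test.domain.com` appears in the thread.

```javascript
// Added example: helper names are hypothetical; plain JavaScript, as used in vCO scriptable tasks.
// Blueprint-to-domain map. "test.domain.com" is from the thread; the other two suffixes are assumed.
var DOMAIN_BY_BLUEPRINT = {
  test: "test.domain.com",
  dev: "dev.domain.com",
  live: "domain.com"
};

// Reduce an owner value to the bare account name:
// "user@root.domain.com" or "ROOT\user" both become "user".
function accountName(owner) {
  var name = String(owner).trim();
  if (name.indexOf("\\") !== -1) name = name.split("\\").pop();
  if (name.indexOf("@") !== -1) name = name.split("@")[0];
  return name;
}

// Build the cmd.exe arguments that add the requester to the local Administrators group.
// Throws instead of returning a command when the blueprint or the account name is unexpected.
function buildAddAdminArguments(blueprint, owner) {
  if (!Object.prototype.hasOwnProperty.call(DOMAIN_BY_BLUEPRINT, blueprint)) {
    throw new Error("Unknown blueprint: " + blueprint);
  }
  var user = accountName(owner);
  // Allowlist: letters, digits, dot, underscore, hyphen. Quotes, &, | or spaces would
  // change the meaning of the command line, so such names are rejected, not escaped.
  if (!/^[A-Za-z0-9._-]{1,64}$/.test(user)) {
    throw new Error("Rejected account name: " + user);
  }
  var localUser = user + "@" + DOMAIN_BY_BLUEPRINT[blueprint];
  return '/c net localgroup Administrators "' + localUser + '" /add';
}
```

The owner value comes from the request, so it is treated as untrusted input before it reaches a command that runs with local admin rights in the guest.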
DLally
Enthusiast

I'll try it out, thanks, you've helped me out tremendously!

0 Kudos
DLally
Enthusiast

Do you have this to run a state change in vCAC after the machine is provisioned? 

0 Kudos
DLally
Enthusiast

I swear, things are never easy.  I got this to work on a VM I was testing with.  Now I'm trying to actually run it through MachineProvisioned and am having trouble once again.  It seems like UAC might be the issue.  It kicks off successfully and runs fine, it just doesn't add the user.  I tried the same EnableLUA registry key, UAC is off in control panel and still nothing.   I tried changing the var arguments = "/c notepad.exe"; while logged in and nothing is happening. 

0 Kudos
RonPSSC
Enthusiast

Hi Ronald;

I'm also a little late off the mark with this one but I would really like to know how this can be done using the Machine Provisioned Stub Workflow instead of using the GuestAgent. I am really hoping to not have to install the Guest Agents on my Templates in order to get this to work. For info, I'm using vCAC 5.2 with vCO 5.5 as the orchestration medium. Any help would be appreciated....by anyone for that matter...

Thanks. Ron

0 Kudos
RonPSSC
Enthusiast

I followed Ronald Rink's [d-fens] suggestion, and with a little assistance from him, was able to develop both a vCO Workflow and a PowerShell Script to add the VM Requester to the Local Admin Group "without having to rely on the use of a Windows Guest Agent".

When I run the Workflow manually "everything" works perfectly!! The issue I'm having now is that I would like to tie the workflow into one of the vCAC State Changes in order to complete this task during the provisioning cycle.

Since I have a bit of Customization that takes place beforehand (at the Building Machine State) and then Customization Specs are used to join the Machine to the Domain, I figured the best place to introduce the Workflow would be at the "Machine Provisioned" State Change. Unfortunately when I do this, the workflow FAILS and the Machine gets DESTROYED. This is the error message I'm getting: "Illegal GUID format  (Dynamic Script Module name : getVirtualMachineEntityFromId#3)".  For info, VM Requesters are Domain Users and I'm running vCAC 5.2.

I am not entirely sure but it appears as though the failure occurs because the Machine is not "active" or accessible during the Machine Provisioned State, and, as a result, the Workflow (or rather PowerCli Script) fails to execute properly?

Is there a way to call the new vCO workflow "after" the Machine Provisioned State Workflow completes or are there any other options for me to achieve my objective using vCO? Incidentally, I don't consider myself seasoned at all in automation so forgive me if the solution may be obvious. If there is also anything that can be improved with either the new Workflow or this strategy, please don't be shy.

I've attached both the vCO Workflow and PowerCli Script as background info.

Thanks. Ron

0 Kudos
poorem
Enthusiast

Ron,

The MachineProvisioned WF stub is the right place for what you're doing but Virtual Machines tend to enter whilst there are still changes happening to the Guest OS, particularly if you've used a vCenter Customisation spec to give a Windows VM its identity.

If you're using a vCO workflow (sorry but I'm not able to open yours where I am at the moment so you may already be doing this) then look at using an action such as vim3WaitToolsStarted, which can be found in com.vmware.library.vc.vm.tools, to delay your powershell call until the guest OS is up and running.

The message you're getting however doesn't suggest to me that this is the issue. I'll try and take a look later when I'm not at a client site.

Michael

0 Kudos
RonPSSC
Enthusiast

Thanks for your input, Michael. Took your advice and added the vim3WaitToolsStarted Action Element but it's still failing in the same manner. (Btw, I'm not sure if the vim3WaitToolsStarted element was added correctly). In any event, I think this Element may be needed regardless and is a great suggestion.

Suffice it to say though, I think you're correct in that my problems lie elsewhere. Looks like something is not right with the initial Action Element getVirtualMachineEntityFromId although as I mentioned, the Workflow runs perfectly when manually inputting a Machine ID.

Thanks for looking into this..

Ron

0 Kudos
d-fens
Enthusiast

Hi Ron, according to the error message you quoted the ID of the virtual machine inside the vcac stub is not passed correctly to the vco workflow. If I remember correctly the vco workflow expects an ID in string form and the vcac VirtualMachine ID is in GUID format. So you would have to use the "ToString()" method to convert the ID into string format, like "VirtualMachine.ID.ToString()".

You also wrote that running the workflow manually succeeds - a further indicator that conversion is not done correctly.

So check the VCAC stub action where you call the actual workflow with its parameters or send a screenshot, so we can further examine that.

Regards,

Ronald

Ronald Rink d-fens GmbH
0 Kudos