Hi Team,

I have an issue with a cmd script and PS script during virtual machines recompose.

The recompose call the 'post_install.cmd' which is doing action on registry and software (uninstall/install), adding some accounts on the machine : These works, except for the command 'redircmp' :

redircmp "CN=XXX,OU=YY,OU=ZZ,OU=NN,DC=A,DC=B,DC=C,DC=D"

Then, I put this on the cmd to call a Ps script :
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell  -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\XXX\post_install\Move_OU_Exclu.ps1""' -Verb RunAs}"

My PS script  :

$LogTime = Get-Date -Format "dd-MM-yyyy HH-mm-ss"
$LogFile = 'C:\XX\post_install\'+"Move_OU_Exclu_LOG_"+$LogTime+".log"
---------"1 - Part 1 " | Out-File $LogFile -Append -Force
Set-StrictMode -Version 2.0
Set-Location $env:USERPROFILE
$LocUSREnv=(Get-Location)
---------"2 - Capture variable ExecutionPolicy"| Out-File $LogFile -Append -Force
$scopeCuser = (Get-ExecutionPolicy -Scope CurrentUser)
"Variable scopeCuser : $scopeCuser" | Out-File $LogFile -Append -Force
$scopeuserP = (Get-ExecutionPolicy -Scope UserPolicy)
"Variable scopeuserP : $scopeCuser" | Out-File $LogFile -Append -Force
$scopemachine = (Get-ExecutionPolicy -Scope LocalMachine)
"Variable scopemachine : $scopeCuser" | Out-File $LogFile -Append -Force
$scopemachineP = (Get-ExecutionPolicy -Scope MachinePolicy)
"Variable scopemachineP : $scopeCuser" | Out-File $LogFile -Append -Force
$scopeProcess = (Get-ExecutionPolicy -Scope Process)
"Variable scopeProcess : $scopeCuser" | Out-File $LogFile -Append -Force
#Configuration de ExecutionPolicy pour l'utilisateur courant
Set-ExecutionPolicy -Scope CurrentUser Bypass -Force
------------"3 - Variables" | Out-File $LogFile -Append -Force
$ComputerName = ($env:Computername)
"Variable ComputerName : $ComputerName" | Out-File $LogFile -Append -Force
$CurrentUser = ($Env:Username)
"Variable CurrentUser : $CurrentUser" | Out-File $LogFile -Append -Force
$GroupeCible="CSNV_VM-Exclu-Secu-CMCB_GG"
"Variable GroupeCible : $GroupeCible" | Out-File $LogFile -Append -Force
$nme=Get-ADComputer $ComputerName | select -ExpandProperty SamAccountName
"Variable nme : $nme" | Out-File $LogFile -Append -Force
$grp=Get-ADGroup $GroupeCible| select -ExcludeProperty DistinguishedName
"Variable grp : $grp" | Out-File $LogFile -Append -Force
If($grp -like $ComputerName) {
    "OK, Workstation in the AD Group" | Out-File $LogFile -Append -Force
    }
    Else {
        Try{
            "Start adding workstation $ComputerName in AD Group $GroupeCible" | Out-File $LogFile -Append -Force
            Add-ADGroupMember -Identity $GroupeCible -Members $nme -Server "XXXXXX" -ErrorAction Stop
            }
            catch{
$boolError = $true
$strError = $_
"Machine $ComputerName operation for AD Group $GroupeCible retour:$strError" | Out-File $LogFile -Append -Force
$global:BoolAtLeastOneError = $true
    }
        }
set-ExecutionPolicy -Scope CurrentUser $scopeCuser -Force

But when it runs my command calling PS, the account running the PS script isn't the good one (it was the machine account).

In fact, some colleagues told me it was a service account that ran the script but after returning my log, it turns out to be the machine account or the local admin account.

That's why my script can't move the machine into the AD group.

My goal is to add my workstation into the AD group or to run my script with a domain account.

I tried to run immediatly my PS script during the recompose without running the cmd, and now it's the local admin account which is used.

I don't get it at all. And I'm restricted with my rights.

I hope you understand what I mean.

If you know the process exact of recompose, I will be glad to know it and to know what account is used for the recompose.

Thank you all.

Regards,