VMware Cloud Community
koolpavan007
Contributor

How to set a PowerCLI script to run with Site Recovery Manager service account.

My PowerCLI script is below:-

Connect-VIServer 10.0.0.1

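# Walk every network adapter of the Vase* VMs in cluster CPTHI05
foreach ($nic in (Get-Cluster -Name CPTHI05 | Get-VM -Name Vase* | Get-NetworkAdapter)) {
    switch -regex ($nic.Name) {
        # Adapter names containing 1, 2 or 3: disconnect now and at power-on
        '.+[123]' { Set-NetworkAdapter -NetworkAdapter $nic -Connected:$false -StartConnected:$false -Confirm:$false }
        # Adapter names containing 4, 5 or 6: connect now and at power-on
        '.+[456]' { Set-NetworkAdapter -NetworkAdapter $nic -Connected:$true -StartConnected:$true -Confirm:$false }
    }
}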

Disconnect-VIServer 10.0.0.1 -Confirm:$false

Primary Site Recovery Manager SRM service account is :- JNJ\NAsupport

and Recovery Site Recovery Manager SRM service account is :- JNJ\MPsupport

Issue is:-

I have created the recovery step in the Site Recovery Manager recovery plan as below:-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -psc "C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI\vim.psc1" -file C:\Vaseline\vase.ps1

If I log into the PowerCLI console or command prompt manually with my domain account and run the script, it works fine. The same script, when it runs from the SRM Recovery Plan TEST or RUN, gives the error below:-

Once the SRM Test completes, I get the error below under the SRM TEST History Report:-
Success: "File C:\Vaseline\vase.ps1 cannot be loaded because the execution of scripts is
disabled on this system. Please see "get-help about_signing" for more details.
+ CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : RuntimeException

"

I need help on how to configure my powercli script mentioned above to run with above mentioned SRM service accounts.

Thank You

I appreciate LUCD for my previous PowerCLI questions.

20 Replies
LucD
Leadership

It looks as if the account under which the SRM scripts run, didn't set the PowerShell execution policy.

Can you run in the guest OS with SRM account the following

Get-ExecutionPolicy

and eventually change it with

Set-ExecutionPolicy RemoteSigned


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

koolpavan007
Contributor

I have manually set the execution policy as unrestricted on both the SRM servers. Thank you LucD for your prompt reply, please help me here.

alanrenouf
VMware Employee

Make sure you do what Luc suggests under the 32bit PowerCLI as SRM uses 32bit PowerCLI.

Blog: http://virtu-al.net Twitter: http://twitter.com/alanrenouf Co-author of the PowerCLI Book: http://powerclibook.com

LucD
Leadership

Remember I told you to run the 32-bit version, hence the C:\Windows\SysWOW64 folder.

Did you start a 32-bit PS session when executing the Set-ExecutionPolicy ?


koolpavan007
Contributor

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Windows\SysWOW64\WindowsPowerShell\v1.0> Get-ExecutionPolicy
Unrestricted
PS C:\Windows\SysWOW64\WindowsPowerShell\v1.0>


On both the SRM servers I have set it to unrestricted.

I can't log in to the SRM server with the SRM service account because, as per my company security standards, we deny service accounts the right to log in to the computer locally.

LucD
Leadership

Can you do

[system.IntPtr]::Size

from that PS prompt ?


koolpavan007
Contributor

PS C:\Windows\SysWOW64\WindowsPowerShell\v1.0> [system.IntPtr]::Size
4

koolpavan007
Contributor

In the recovery plan I have created the command step as below:-

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -psc "C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI\vim.psc1" -file C:\Vaseline\vase.ps1

LucD
Leadership

Ok, that proves you are running a 32-bit session (had to make sure).

Next step, make sure the SRM runs with the account, you think it is running with.

Try to make SRM run the following line (instead of the script).

That should allow us to find the actual account.

C:\WINDOWS\SysWOW64\windowspowershell\v1.0\powershell.exe -command "[Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent() | select -ExpandProperty Identity > C:\account.txt" 

In the file C:\account.txt you should find the account.


koolpavan007
Contributor

When I go to RUN and type C:\account.txt I get the error below.
Windows cannot find 'C:\account.txt'. Make sure you typed the name correctly, and then try again.

And the SRM server runs with the service account, because when I open the vCenter server in both the protected and recovery sites and open the Site Recovery Manager application from both vCenter servers, it prompts me to enter the SRM service account, and only once it authenticates properly will SRM load.

This means the SRM is running with the service account fine without any issue.

LucD
Leadership

It could be that the account doesn't have write rights in the C:\ root.

Try changing the path to a folder everyone can write to.

All errors you showed seem to indicate that the account doesn't have the correct execution policy.

When you set the execution policy, in a 32-bit PS session, to Unrestricted, the SRM script still says there are no execution rights.

That's why I would like to confirm that the account the script runs under is actually the account you think it is.


koolpavan007
Contributor

Now I have placed the PowerCLI script on the D drive under the folder script, and I have also modified the command in the recovery plan as below...

Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -psc "C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI\vim.psc1" -file D:\script\vase.ps

When I perform the SRM TEST I get the error below:

Error: User designed callout 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -psc "C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI\vim.psc1" -file D:\script\vase.ps1
' has not returned in 300 seconds.

LucD
Leadership

The error message seems to indicate that SRM is trying to execute your D:\script\vase.ps1 script and not the command I gave ?


koolpavan007
Contributor

What is your command? I am not able to view it. Could you please type it here once again?

koolpavan007
Contributor

Not able to see the command. Could you please type the command? Thank you.

LucD
Leadership

C:\WINDOWS\SysWOW64\windowspowershell\v1.0\powershell.exe -command "[Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent() | select -ExpandProperty Identity > C:\account.txt"

It's all on 1 line


koolpavan007
Contributor

AuthenticationType : Negotiate
ImpersonationLevel : None
IsAuthenticated    : True
IsGuest            : False
IsSystem           : True
IsAnonymous        : False
Name               : NT AUTHORITY\SYSTEM
Owner              : S-1-5-32-544
User               : S-1-5-18
Groups             : {S-1-5-32-544, S-1-1-0, S-1-5-11}
Token              : 996

Above is the result in the account.txt

LucD
Leadership

That's what I suspected, the scripts triggered by SRM run under the System account (the Name property), and not the JNJ\NAsupport account.

Now how to fix this ?


koolpavan007
Contributor

How to proceed now, LucD?

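
The checks LucD asks for across the thread (execution policy, 32-bit host, actual account), combined into one script that an SRM command step can run. This is an added example, not part of any post in the thread. The script name, the report path and the `-ExecutionPolicy RemoteSigned` invocation are assumptions; `JNJ\NAsupport` is the account named in the first post.

```powershell
# srm-context.ps1 (hypothetical name): added diagnostic, not code from the thread.
# Example command step, applying RemoteSigned to this one process only:
#   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File D:\script\srm-context.ps1
param(
    [string]$ExpectedAccount = 'JNJ\NAsupport',                        # account named in the thread
    [string]$ReportPath = "$env:windir\Temp\srm-callout-context.txt"   # assumed writable location
)

# Identity the callout process is really running under
$id = [Security.Principal.WindowsIdentity]::GetCurrent()

# [IntPtr]::Size is 4 in the 32-bit host (SysWOW64) and 8 in the 64-bit host
$bits = [IntPtr]::Size * 8

$report = @()
$report += "Time            : $(Get-Date -Format s)"
$report += "Account         : $($id.Name)"
$report += "SID             : $($id.User.Value)"
$report += "IsSystem        : $($id.IsSystem)"
$report += "ExpectedAccount : $ExpectedAccount"
if ($id.Name -ieq $ExpectedAccount) {
    $report += 'AccountCheck    : MATCH'
} else {
    $report += 'AccountCheck    : MISMATCH (callout is not running as the expected account)'
}
$report += "HostBitness     : $bits-bit"
$report += "HostPath        : $([Diagnostics.Process]::GetCurrentProcess().MainModule.FileName)"
$report += "EffectivePolicy : $(Get-ExecutionPolicy)"

# Execution policy is stored per scope; the effective value is the first
# scope in this list that is not Undefined.
$report += 'PolicyByScope   :'
foreach ($entry in (Get-ExecutionPolicy -List)) {
    $report += ('  {0,-14} {1}' -f $entry.Scope, $entry.ExecutionPolicy)
}

$report | Out-File -FilePath $ReportPath -Encoding ASCII
```

With the `-ExecutionPolicy` switch, the `Process` row of the report shows the per-process value while the other rows show what is actually stored for the account and the machine in the 32-bit host.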