VMware Cloud Community
jl999
Contributor
Contributor
‎11-12-2012 05:06 PM

Invoke-VMScript to run ps commands as an administrator

Hello, I'd like to run the following command:

$cn = "myComputer"

$text = "(Get-WmiObject Win32_ComputerSystem).Rename($cn)"

$vm = Get-VM oldName

$vm | Invoke-VMScript -ScriptText $text -GuestCredential $myCred

The command ran successfully against the vm. But the WMI call return value is 5 (probably access denied of sort), instead of 0.

If I log onto the VM, and open a PS window as Administrator, then run:

(Get-Win32_ComputerSystem).Rename($cn)

It would be successful, and after rebooting the VM, the name of the vm is changed.

But I can't get this working using Invoke-VMScript. It doesn't seem there's a way to invoke the command in an elevated PS session.

Any help is apprieciated.

Jason

Tags (2)
0 Kudos
22 Replies
LucD
Leadership
Leadership
‎10-05-2015 07:00 AM

I'll have to do some further testing then.

Which PowerCLI version are you using ?

And which PowerShell version do you have running in the guest OS ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Morten_Dalgaard
Enthusiast
Enthusiast
‎10-05-2015 07:08 AM

PowerCLI 6.0 Release 2

Client:

Windows Server 2012 R2 with default PowerShell install

VMware Tools 9.10.5 Build-2981885

$PSVersionTable.PSVersion

Major  Minor  Build  Revision

-----  -----  -----  --------

4      0      -1     -1

0 Kudos
clbarnett
Contributor
Contributor
‎10-05-2015 12:27 PM

Here's what I have found:

If:

(1.1.1.2.1.14 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to one of: 'Prompt for consent' or 'Prompt for credentials' or 'Prompt for credentials on the secure desktop' or 'Prompt for consent on the secure desktop' 
AND

1.1.1.2.1.26 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled')

--OR--

(1.1.1.2.1.14 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to one of: 'Prompt for consent' or 'Prompt for credentials' or 'Prompt for credentials on the secure desktop' or 'Prompt for consent on the secure desktop'

AND

1.1.1.2.1.26  'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Disabled'

AND you are not running as the Built-in Administrator account)

Then, you will not be able to run any script that requires elevated privileges in non-interactive mode.

Why:
If the UAC is configured to prompt, then the process *must* interactively prompt for consent or credentials, including Start-Process with 'runas'.


For the original user,  jl999, the 'solution' may be to change the policy to "Elevate without prompting" or "Prompt for consent for non-Windows binaries" in the build and then have the automation process set it to the correct level.  But once the build is done and security is set, this problem still exists.

If we can't use 'runas' to start powershell as an admin because it requires interactive mode, all my automation goes out the window. Any help on this is appreciated.