Make the deployment owner/requestor an administrator in a Windows VM deployed through vRA

All VMs deployed through vRA are automatically connected to our enterprise domain using customization specifications. We can also enable remote logins for all domain users. But it is not a best practice to add all domain users to the Administrators group. I need to make sure that the user who has requested the deployment gets added as an administrator on his/her VM. The same domain account is used to log in to vRA service broker. So we can get the username from input properties ${input.owner}. I want to know if there is any way to pass this value to the OS on first boot and make this user an administrator. Maybe cloudbase-init? But I'm not sure how to implement it using cloud-config.

Thank you!


I know 3 ways to accomplish this in vRA8:

  • CloudBase-Init:
    • Pros: you don't need to do anything else
    • Cons: you need to install CloudBase-Init in your Windows and test it many times
  • Orchestrator:
    • Pros: it is cleaner and more flexible
    • Cons: you need a service account with admin privileges in the Windows
  • ABX:
    • Pros: is easier to implement (I guess)
    • Cons: you need a service account with admin privileges in the Windows

If you can install CloudBase-Init in the Windows, I'll suggest this way to do it. 

Damián Bacalov
vExpert 2017-2018-2019-2020-2021-2022
twitter @bdamian

I do this (and a few other things) with an ABX script. Details in my blog post here:

It should be fairly easy to adapt that script to just handle the bit about adding the requester to the local Administrators group. I'm happy to help if you run into any issues.


I basically use John's method for this.

Slightly more complicated, I use vRO to create a Security Group and add the user to the group, but use John's method to add the Security Group to the local admin group. I also use that same ABX to nuke the local service account when I'm all done. It's all Greek to me, so this was the easiest method I could find (and frankly in the end we used the VMTools invoke-script for our Linux vRA deployments over using Ansible, even though we use Ansible for non-vRA deployments....)

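An added example, not code from any poster in this thread: a guest-side PowerShell script that grants local admin to exactly one requester account and validates the value first, since it arrives from a request form. It assumes the provisioning method (cloudbase-init user data, ABX or vRO) passes the value the question calls `${input.owner}` as `-Owner`, that the VM is already domain-joined when it runs, and that Windows PowerShell 5.1 is available; the function names are hypothetical.

```powershell
# Added example: grant local admin to one validated domain account only.
# $Owner is assumed to be supplied by the provisioning tool (the value the
# question calls ${input.owner}); how it is delivered is outside this script.
param(
    [Parameter(Mandatory)] [string] $Owner
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Resolve-OwnerSid {
    param([string] $Name)
    # Accept only DOMAIN\user or user@domain; reject spaces, quotes,
    # wildcards and anything else that is not a plain account name.
    $pattern = '^(?:[A-Za-z0-9][A-Za-z0-9.-]{0,62}\\[A-Za-z0-9._-]{1,64}|[A-Za-z0-9._-]{1,64}@[A-Za-z0-9][A-Za-z0-9.-]{0,252})$'
    if ($Name -notmatch $pattern) {
        throw "Owner value '$Name' is not a plain domain account name."
    }
    # Translating the name to a SID proves the account actually exists.
    $account = New-Object System.Security.Principal.NTAccount($Name)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    # Refuse built-in principals and well-known domain accounts/groups
    # (Domain Users is RID 513, Domain Admins 512): require a RID >= 1000.
    if ($sid.Value -notmatch '^S-1-5-21-(?:\d+-){3}(\d+)$' -or [long]$Matches[1] -lt 1000) {
        throw "Owner '$Name' resolved to $($sid.Value), which is not an ordinary account."
    }
    return $sid
}

function Add-OwnerToLocalAdmins {
    param([System.Security.Principal.SecurityIdentifier] $Sid)
    try {
        # S-1-5-32-544 is the built-in Administrators group in every locale.
        Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $Sid.Value
        return 'added'
    } catch {
        # Re-running on an existing member is not an error (idempotent).
        if ($_.Exception.GetType().Name -eq 'MemberExistsException') { return 'already-member' }
        throw
    }
}

$sid = Resolve-OwnerSid -Name $Owner
$result = Add-OwnerToLocalAdmins -Sid $sid
Write-Output "Local Administrators: $Owner ($($sid.Value)) $result"
```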