PowerCLI


invoke-vmscript guestcredential


  • 1.  invoke-vmscript guestcredential

    Posted Jan 21, 2017 11:20 PM

    how do I use the guest credential in invoke-vmscript?

    I have no problem using the local admin password for guestuser and guestpassword

    but when I use a domain user which is part of the local admin group, it fails with access denied



  • 2.  RE: invoke-vmscript guestcredential

    Posted Jan 22, 2017 10:26 AM

    You will have to pass a PSCredential object, like this

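    $user = 'user@domain'

    # PSCredential requires a SecureString, not a plain string
    $pswd = ConvertTo-SecureString 'MyPassword' -AsPlainText -Force

    $cred = New-Object System.Management.Automation.PSCredential $user,$pswd

    Invoke-VMScript -VM $vm -ScriptText $code -GuestCredential $cred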

    But it would help if you can show the code you are using, and a screenshot of the error you are getting.



  • 3.  RE: invoke-vmscript guestcredential

    Posted Jan 22, 2017 05:19 PM

    # Script to add a second drive to a Windows VM. Moves the CD-ROM from D: to E: so the new disk can take D:.

    $vm = read-host "enter name of VM"

    $capacity = read-host "enter size of drive in GB"

    $guestuser = read-host "enter name of local administrator"

    $pswd = read-host -AsSecureString

    $cred = New-Object System.Management.Automation.PSCredential $guestuser,$pswd

    $MyScript = @"

    Get-WmiObject -Class Win32_Volume -Filter "DriveLetter = 'D:'" |

    Set-WmiInstance -Arguments @{DriveLetter="E:"; Label="Label"}

    "@

    get-vm $vm | New-HardDisk -CapacityGB $capacity -ThinProvisioned -Confirm:$false

    Invoke-VMScript -VM $vm -ScriptText $MyScript -ScriptType PowerShell -GuestCredential $cred

    Invoke-VMScript -vm $vm -ScriptText "echo select disk 1 > c:\diskpart.txt && echo attributes disk clear readonly >> c:\diskpart.txt && echo select disk 1 >> c:\diskpart.txt && echo create partition primary >> c:\diskpart.txt && echo format fs=ntfs quick >> c:\diskpart.txt && echo assign letter D >> c:\diskpart.txt && echo exit >> c:\diskpart.txt && diskpart /s c:\diskpart.txt && del c:\diskpart.txt /q" -ScriptType BAT -GuestCredential $cred



  • 4.  RE: invoke-vmscript guestcredential

    Posted Jan 23, 2017 06:42 AM

    It looks as if the account you are using doesn't have the authority to change drive letters.

    Is the account a member of the local administrators group on that target station?



  • 5.  RE: invoke-vmscript guestcredential

    Posted Jan 23, 2017 10:04 PM

    Yes, that domain account is part of the local administrator group. Tried other domain accounts which are also local admins and got the same error.



  • 6.  RE: invoke-vmscript guestcredential

    Posted Jan 24, 2017 07:33 AM

    This must be a privileges issue.

    Can you run 'whoami /priv' via Invoke-VMScript?

    And perhaps try adding the EnableAllPrivileges switch on the Set-WmiInstance cmdlet.



  • 7.  RE: invoke-vmscript guestcredential

    Posted Jan 30, 2017 03:16 AM

    here is my output



  • 8.  RE: invoke-vmscript guestcredential

    Posted Jan 30, 2017 06:36 AM

    It looks like this might be a UAC issue.

    What is the guest OS?

    Perhaps have a go with the approach in "8. Re: Invoke-VMScript to run ps commands as an administrator".



  • 9.  RE: invoke-vmscript guestcredential

    Posted Feb 01, 2017 06:59 PM

    I have UAC turned off. This is Windows 2012 R2. With the local administrator user, it works fine, but not with domain admin.



  • 10.  RE: invoke-vmscript guestcredential

    Posted Feb 01, 2017 07:46 PM

    Were those privileges from the local admin or the domain admin?

    Anything in the security eventlog?



  • 11.  RE: invoke-vmscript guestcredential

    Posted Feb 01, 2017 08:27 PM

    domain admin. which is part of local admin group.

    Don't see any failed audits.

    I tried this and I was able to get a txt file on c drive

    $script = '

    function Elevate-Process  {

    param ([string]$exe = $(Throw "Please provide the name and path of an executable"),[string]$arguments)

    $startinfo = new-object System.Diagnostics.ProcessStartInfo

    $startinfo.FileName = $exe

    $startinfo.Arguments = $arguments

    $startinfo.verb = "RunAs"

    $process = [System.Diagnostics.Process]::Start($startinfo)

    }

    Elevate-Process -Exe powershell.exe -Arguments "-noninteractive -command Get-Process > C:\test.txt"

    '

    Get-VM pavum | Invoke-VMScript -ScriptText $script -ScriptType PowerShell



  • 12.  RE: invoke-vmscript guestcredential

    Posted Feb 01, 2017 09:21 PM

    So if you run the script elevated inside the guest OS, it works?

    In fact you are doing a Run as Administrator on the powershell.exe inside the guest OS.

    But the Get-Process should run as well when it's not elevated.

    Does it in your setup?



  • 13.  RE: invoke-vmscript guestcredential

    Posted Feb 01, 2017 11:11 PM

    Correct, it works inside the guest OS.



  • 14.  RE: invoke-vmscript guestcredential

    Posted Feb 02, 2017 06:03 AM

    Reading back through the thread, it could be that the guestuser is not recognised correctly.

    Did you try with the two formats for specifying a user?

    • NetBIOS-domain/user
    • user@FQDN-domain


  • 15.  RE: invoke-vmscript guestcredential

    Posted Jun 26, 2018 04:17 PM

    Revisiting this problem I am having with $cred using domain credentials. Only local creds are working.

    $cred = get-credential -username "domain\user" -message "enter password"

    not working

    $cred = get-credential -username administrator -message "enter password"

    working

    any idea?



  • 16.  RE: invoke-vmscript guestcredential

    Posted Jun 26, 2018 04:21 PM

    I would start by checking if domain authentication works inside the guest OS.
    Can you log on and try, for example, to connect to a network share with a domain credential?



  • 17.  RE: invoke-vmscript guestcredential

    Posted Jun 26, 2018 05:41 PM

    yes domain creds work

    I tried this

    Invoke-VMScript -VM $VM -ScriptText "get-process" -ScriptType Powershell  ------   works

    Invoke-VMScript -VM $VM -ScriptText "dir c:\" -ScriptType bat  ------   works

    but

    Invoke-VMScript -VM $VM -ScriptText "ECHO RESCAN > C:\DiskPart.txt && ECHO SELECT Volume C >> C:\DiskPart.txt && ECHO EXTEND >> C:\DiskPart.txt && ECHO EXIT >> C:\DiskPart.txt && DiskPart.exe /s C:\DiskPart.txt && DEL C:\DiskPart.txt /Q" -ScriptType BAT

    does not work.

    And the domain account I am logged into on powercli is a local administrator on the remote $vm



  • 18.  RE: invoke-vmscript guestcredential

    Posted Jun 26, 2018 05:52 PM

    On the Invoke-VMScript calls that work, did you also try adding the guest credentials explicitly?



  • 19.  RE: invoke-vmscript guestcredential

    Posted Jun 26, 2018 06:16 PM

    Yes, but the guest credential only worked for the local admin guest cred and not the domain guest cred.



  • 20.  RE: invoke-vmscript guestcredential

    Posted Jun 26, 2018 08:23 PM

    Clutching at straws now.

    When you enter the guest credential, what format do you use?

    Did you try with the two formats for specifying a user?

    • NetBIOS-domain/user
    • user@FQDN-domain

    The VM is joined to a domain. Is that the same domain as the account's domain?



  • 21.  RE: invoke-vmscript guestcredential

    Posted Jun 27, 2018 12:17 AM

    I tried both and same access denied error



  • 22.  RE: invoke-vmscript guestcredential

    Posted Jun 27, 2018 12:23 AM

    weird, tried

    Invoke-VMScript -VM $VM -ScriptText "ECHO RESCAN > C:\windows\temp\DiskPart.txt" -ScriptType BAT -GuestCredential $cred

    and got

    ScriptOutput

    -----------------------------------------------------------------------------------------------------------------------|

    -----------------------------------------------------------------------------------------------------------------------

    looks to be a windows permission problem but I am local admin

    problem is writing to c:\

    I could write to c:\windows\temp



  • 23.  RE: invoke-vmscript guestcredential

    Posted Jun 27, 2018 04:42 AM

    Could it be that you have "User Account Control: Admin Approval Mode for the built-in Administrator Account" enabled on that station?

    Check via secpol.msc, Local Policies, Security Options.

    This is unrelated to UAC being active or not.

    Is there a difference when you run with the actual Administrator account of the guest, and with a domain account that is in the Local Administrators group?
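
The comparison asked for in the last reply, as an added example that is not part of the original thread: it runs the same guest-side check under both credentials and reports whether the resulting token is elevated, together with the two UAC policy values behind the Security Options page of secpol.msc. It assumes an existing Connect-VIServer session; `$vm`, `$localCred` and `$domainCred` are hypothetical variables you supply.

```powershell
# Added diagnostic sketch, not code from the thread.
# Assumptions: Connect-VIServer has already been run; $vm, $localCred and
# $domainCred are hypothetical variables holding the VM and two PSCredential objects.

# Guest-side check. A single-quoted here-string keeps PowerCLI from expanding the
# variables locally; only single quotes are used inside to avoid quoting problems
# when the text is handed to powershell.exe in the guest.
$guestCheck = @'
$id  = [Security.Principal.WindowsIdentity]::GetCurrent()
$pr  = New-Object Security.Principal.WindowsPrincipal $id
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $key
'User                     = {0}' -f $id.Name
'Elevated                 = {0}' -f $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
'EnableLUA                = {0}' -f $pol.EnableLUA
'FilterAdministratorToken = {0}' -f $pol.FilterAdministratorToken
'@

# Run the identical check once per credential so the outputs can be compared.
$creds = [ordered]@{ LocalAdmin = $localCred; DomainAdmin = $domainCred }
foreach ($name in $creds.Keys) {
    "--- $name ---"
    try {
        $result = Invoke-VMScript -VM $vm -ScriptText $guestCheck -ScriptType PowerShell `
                                  -GuestCredential $creds[$name] -ErrorAction Stop
        $result.ScriptOutput
    }
    catch {
        # An access-denied failure at this stage is a guest logon problem,
        # which is a different issue from a filtered token.
        "Invoke-VMScript failed: $($_.Exception.Message)"
    }
}

# Reading the output:
#   Elevated = False for an account that is in the local Administrators group
#     means the process received a filtered (non-elevated) token.
#   EnableLUA = 1 means "Run all administrators in Admin Approval Mode" is on.
#   FilterAdministratorToken = 1 means "Admin Approval Mode for the Built-in
#     Administrator account" is on; an empty value means the default (off).
```

If the two runs differ only in the Elevated line, the difference is in how the guest builds the token for each account, not in group membership.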