Running a script module with a user other than Default
-
Hello, I have a problem running a (PowerShell) script module under a user other than "Default". The user is from a domain and the password is set correctly; however, when I run a script module with this user, it does not work. When I just change the user to "Default", it works without any issue. There is no information about why the execution failed. Is there any option to turn on more detailed log information?
INFO [4] PolicyExecutor - Executing Policy 518cd8fb-5df4-447f-9d63-3fdbb6387c2a (Install Ev)
DEBUG [4] PolicyExecutor - Evaluating Conditions For Install Ev
DEBUG [4] PolicyExecutor - No Conditions Found For Module
DEBUG [4] PolicyExecutor - Evaluating Conditions For Install Ev
DEBUG [4] PolicyExecutor - No Conditions Found For Module
INFO [4] ModuleScriptManager - Running Script Module: Install Ev
DEBUG [4] ServiceImpersonationTask - Starting Impersonation Task
DEBUG [4] ApiRequest - ProvisionedComm/Policy/GetImpersonationAccount/
INFO [4] ModuleScriptManager - 267011
INFO [4] ModuleScriptManager - Script Module: Install Ev Finished
ERROR [4] PolicyExecutor - An Error Occurred In Module Install Ev
ERROR [4] PolicyRunner - Aborting Current Policy -
Did you enable impersonation access in your web.config file?
-
@theopenem_admin Yes, I did. There was a different error in the log before I did that. Unfortunately it did not help.
-
Is your username in netbios\user format?
-
@theopenem_admin Yes, it is. I've tried to re-enter it again to prevent a typo error, but the result is the same. The account is correct, working, enabled, I can log in with these credentials without any problems. Even from the target computer.
-
It would be very useful to know what error occurred. Something more detailed than just "ERROR [4] PolicyExecutor - An Error Occurred In Module Install Ev"
-
Could be a problem with scripts and the impersonation account. I'm redoing how impersonation is handled in the next version. Currently it relies on Task Scheduler. It will directly impersonate the user through code in the next version, so you might need to wait for that. Have you tried running a command module, just as a test? Something like whoami.
-
I think I see the issue. It looks like the user needs to have batch logon rights for this to work. When I implemented this feature, I must have used a user that already had admin privileges. The easiest way to get this permission is to add the user to the Backup Operators Windows group. I'll add this in the next release, so the user gets added, the process runs, and then the user will get removed from the group.
-
@theopenem_admin Hello, thanks. So just to be clear - I should add that domain account to the local Backup Operators group on each computer?
-
Yes. I wouldn't do it for all computers. I would do it as part of your policy.
cmd module - add user to group
script module - run your script as the impersonated user
cmd module - remove user from group
The commands are:
net localgroup "backup operators" username /add
net localgroup "backup operators" username /delete
Put the entire command in the command module command field, don't use the arguments field.
-
@theopenem_admin Thanks, I will try that.
-
This is now fixed in 1.5.0.
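-
An added example, not part of the original thread and not Theopenem's own code: a PowerShell check to run elevated on a target computer, reporting whether an account holds the batch logon right discussed above and whether it is still a member of Backup Operators. The account name is a placeholder, and the function names are hypothetical.

```powershell
# Added example. Run elevated on the target computer.
param(
    [Parameter(Mandatory)]
    [string]$Account   # placeholder in netbios\user form, e.g. 'EXAMPLE\svc-deploy' (constructed)
)

$BackupOperatorsSid = 'S-1-5-32-551'   # well-known SID; avoids localized group names

function ConvertTo-SidString([string]$Name) {
    # Translate an account name to its SID string; return the input if it cannot be resolved.
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Name }
}

function Get-BatchLogonHolder {
    # Export only the user-rights area of the computer's security policy and
    # return the principals listed for SeBatchLogonRight ("Log on as a batch job").
    $inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content $inf |
            Where-Object { $_ -match '^SeBatchLogonRight\s*=' } |
            Select-Object -First 1
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }
    # Entries are "*<SID>" or plain account names, comma separated.
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) } else { ConvertTo-SidString $entry }
    }
}

$accountSid = ConvertTo-SidString $Account
$holders    = @(Get-BatchLogonHolder)
$members    = @(Get-LocalGroupMember -SID $BackupOperatorsSid -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Account                   = $Account
    HoldsBatchLogonDirectly   = $holders -contains $accountSid
    BackupOperatorsHoldsRight = $holders -contains $BackupOperatorsSid
    StillInBackupOperators    = @($members | ForEach-Object { $_.SID.Value }) -contains $accountSid
}
```

The log in the first post shows a policy being aborted after a module error, so it is worth running this after the policy to confirm that StillInBackupOperators is False.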