Running an entire DSC configuration as a user with admin rights

  • #149909

    Hey guys, hope you're all doing great.  I'm new here so please be gentle 🙂

    I'm using DSC to automate the setup of my local Windows 10 machine (a bit of a different use case to the usual).

    I understand that DSC runs as NT AUTHORITY\SYSTEM which is undesirable in my case.  What I really want is for DSC to run as my username with elevation.  The reasons are as follows:

    • I want to ensure all files created by DSC are owned by me
    • When running EXE installers, many use environment variables like APPDATA which differ when run as the SYSTEM user

    So I have a little script to test with shown below:

    Configuration Sample
    {
        Import-DscResource -ModuleName PSDesiredStateConfiguration
        Node 'localhost' {
            File FileDemo
            {
                SourcePath = 'C:\AppleBcInstaller.log'
                DestinationPath = 'C:\wow\bc.log'
            }
            Script Installation
            {
                TestScript = { $true }
                GetScript = { @{ Result = "whoami says – $(whoami)" } }
                SetScript = { }
            }
        }
    }
    
    Sample | Out-Null
    
    Remove-Item c:\wow\bc.log -ErrorAction SilentlyContinue
    # Attempting to run the entire DSC configuration with my current username (fgimi)
    $cred = Get-Credential -UserName fgimi -Message "Gimme your password"
    Start-DscConfiguration -Path Sample -Wait -Credential $cred
    
    $fileOwner = (Get-Item -Path C:\wow\bc.log).GetAccessControl().Owner
    $scriptResult = (Get-DscConfiguration | where ResourceId -eq '[Script]Installation').Result
    Write-Output "The bc.log file has the owner $fileOwner"
    Write-Output "The script result is $scriptResult"

    The output above is still:

    PS C:\Users\fgimi\OneDrive\Development> .\dsc2.ps1
    The bc.log file has the owner NT AUTHORITY\SYSTEM
    The script result is whoami says – nt authority\system

    So clearly passing the Credential to the Start-DscConfiguration cmdlet doesn't do the trick.

    I'm aware that you may pass Credential or PsDscRunAsCredential to individual resources, but I really want to avoid that if I can, and run the entire configuration as me.

    Is this possible or can you suggest an alternative approach?

    Huge thanks in advance
    Fotis

  • #149948

    You need to add a parameter to your configuration to accept a credential:

    Configuration Sample
    {
        param (
            # Credential the Script resource should run under
            [pscredential]$Credential
        )

        Import-DscResource -ModuleName PSDesiredStateConfiguration
        Node 'localhost' {
            File FileDemo
            {
                SourcePath = 'C:\AppleBcInstaller.log'
                DestinationPath = 'C:\wow\bc.log'
            }
            Script Installation
            {
                TestScript = { $true }
                GetScript = { @{ Result = "whoami says – $(whoami)" } }
                SetScript = { }
                # Run this resource as the supplied user instead of SYSTEM
                PsDscRunAsCredential = $Credential
            }
        }
    }


    However, just be aware that you need to secure your mof file in order to make this work. I would not advise storing the credentials as plain text. You can find how to secure your mof file here:

    https://docs.microsoft.com/en-us/powershell/dsc/pull-server/securemof

    pwshliquori

  • #149993

    Thanks so much for your reply and help, this does indeed work, but I was hoping there would be a way to apply the credential to the entire DSC configuration instead of individual resources.  Though it seems that this simply is not possible 🙁

    Another interesting point is that the File resource doesn't seem to allow copying or setting the owner on the destination file.  The Credential property is only used for accessing the source file.  No matter what I do, the destination file ends up owned by NT AUTHORITY\SYSTEM.

    Edit: It seems that file is special, see https://stackoverflow.com/questions/49661060/for-a-desired-state-configuration-file-resource-why-does-credential-work-and-p?rq=1

    Using PsDscRunAsCredential works perfectly in the Script resource but not File for this reason.

    Cheers
    Fotis
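As an added example (not code posted in this thread), the answer's pattern carried through to the compile step: one credential parameter reused on every resource that supports PsDscRunAsCredential, the plain-text MOF setting shown beside the certificate-based one from the linked securemof document, and the File-ownership caveat from the last reply checked at the end. The certificate path and thumbprint are placeholders, and the run-as account is assumed to be an administrator as in the question.

```powershell
# Added example, not from the thread. One credential parameter is stamped onto
# every resource that honours PsDscRunAsCredential (File is the known exception).
Configuration SampleRunAs
{
    param (
        [Parameter(Mandatory)]
        [pscredential]$Credential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        File FileDemo
        {
            SourcePath      = 'C:\AppleBcInstaller.log'
            DestinationPath = 'C:\wow\bc.log'
        }
        Script Installation
        {
            TestScript = { $false }   # always run SetScript, so the demo leaves evidence
            GetScript  = { @{ Result = "whoami says - $(whoami)" } }
            SetScript  = { "SetScript ran as $(whoami)" | Set-Content C:\wow\setran.txt }
            PsDscRunAsCredential = $Credential
        }
    }
}

$cred = Get-Credential -UserName fgimi -Message 'Password for the run-as account'

# Weak (shown for contrast, not used below): the compiled MOF carries the password in clear text.
$plainTextData = @{
    AllNodes = @(@{ NodeName = 'localhost'; PSDscAllowPlainTextPassword = $true })
}

# Preferred: credentials in the MOF are encrypted to the node's document-encryption
# certificate. Path and thumbprint are placeholders; the LCM must be configured
# with the matching CertificateID, as described in the securemof document.
$certData = @{
    AllNodes = @(@{
        NodeName        = 'localhost'
        CertificateFile = 'C:\DscPublicKeys\localhost.cer'      # placeholder
        Thumbprint      = '<THUMBPRINT-OF-THAT-CERTIFICATE>'     # placeholder
    })
}

SampleRunAs -Credential $cred -ConfigurationData $certData -OutputPath .\SampleRunAs | Out-Null
Start-DscConfiguration -Path .\SampleRunAs -Wait -Verbose

# Expect the Script evidence to name the user, while bc.log is still owned by SYSTEM.
Get-Content C:\wow\setran.txt
(Get-Item C:\wow\bc.log).GetAccessControl().Owner
```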
