Running Azure startup tasks as a real user

In my post about enabling PowerShell, I mentioned I got blocked for a while and would explain later why and what happened.

Problem: Windows Azure runs startup tasks as LocalSystem. Some startup tasks need to run in the context of a user.

Solution: Use the task scheduler in Windows Server to execute the command.

A few people have already asked how to apply the technique to other things so here goes.

Let's take a look at the original startup task I was trying to execute.

netsh advfirewall firewall add rule name="Windows Remote Management (HTTP-In)" dir=in action=allow service=any enable=yes profile=any localport=5985 protocol=tcp

Powershell -Command Enable-PSRemoting -Force

This doesn’t work because the PowerShell command “Enable-PSRemoting” only works when it runs as an elevated user that belongs to the Administrators group. LocalSystem doesn’t belong to this group.

In my original blog post, I showed how you could enable this using winrm. But sometimes you want this to happen when the role starts.

To make a startup task run as a user account, simply create a new task for the Windows Task Scheduler to execute, as shown below.

netsh advfirewall firewall add rule name="Windows Remote Management (HTTP-In)" dir=in action=allow service=any enable=yes profile=any localport=5985 protocol=tcp

 

net user scheduser Secr3tC0de /add

net localgroup Administrators scheduser /add

 

schtasks /CREATE /TN "EnablePS-Remoting" /SC ONCE /SD 01/01/2020 /ST 00:00:00 /RL HIGHEST /RU scheduser /RP Secr3tC0de /TR "powershell -Command Enable-PSRemoting -Force" /F

schtasks /RUN /TN "EnablePS-Remoting"

Works like a charm. Hopefully you can figure out how to run your own commands instead of PowerShell.

It is safe to say that you probably want to secure the username and password that is created. I think the ideal would be a wrapper that can read a username and encrypted password from config, create all the scheduled tasks and then execute them. Maybe that is a job for next time.
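One way to avoid the hard-coded password, as an added example that is not code from the original post: a PowerShell script, called from the startup .cmd file, that generates a random password at each boot, runs the same scheduled task, and then deletes both the task and the temporary administrator account. This is a different approach from the config-file wrapper suggested above; the helper names `New-RandomPassword` and `Invoke-Native`, the five-minute wait and the cleanup step are choices made for this example.

```powershell
# Added example (not from the original post). Run elevated, e.g. from the startup .cmd.
$user     = 'scheduser'            # account name from the post
$taskName = 'EnablePS-Remoting'    # task name from the post
$command  = 'powershell -Command Enable-PSRemoting -Force'

function New-RandomPassword([int]$Length = 14) {
    # 14 characters keeps "net user" from prompting about pre-Windows 2000 clients.
    # Alphanumeric only, so nothing needs quoting on the net/schtasks command lines.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        # Retry until upper, lower and digit are all present (default complexity policy).
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -cmatch '[0-9]')
    return $pw
}

function Invoke-Native([string]$Exe, [string[]]$Arguments) {
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

$password = New-RandomPassword     # exists only in memory for this boot
try {
    Invoke-Native 'net' @('user', $user, $password, '/add')
    Invoke-Native 'net' @('localgroup', 'Administrators', $user, '/add')
    Invoke-Native 'schtasks' @('/CREATE', '/TN', $taskName, '/SC', 'ONCE', '/SD', '01/01/2020',
        '/ST', '00:00:00', '/RL', 'HIGHEST', '/RU', $user, '/RP', $password, '/TR', $command, '/F')
    Invoke-Native 'schtasks' @('/RUN', '/TN', $taskName)

    # Wait (up to about 5 minutes) for the task to leave the Running state before cleanup.
    # The status text is localized; 'Running' assumes an English OS image.
    for ($i = 0; $i -lt 60; $i++) {
        Start-Sleep -Seconds 5
        $row = schtasks /QUERY /TN $taskName /FO CSV /NH | ConvertFrom-Csv -Header Name, NextRun, Status
        if ($row.Status -ne 'Running') { break }
    }
}
finally {
    # Remove the stored credential and the temporary administrator, even on failure.
    & schtasks /DELETE /TN $taskName /F | Out-Null
    & net user $user /delete | Out-Null
}
```

The password still appears briefly on the `net` and `schtasks` command lines, so this narrows the exposure window rather than eliminating it.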


3 thoughts on “Running Azure startup tasks as a real user”

  1. David, Good article. I had a similar problem, and one of Ryan and Steve’s weekly videos briefly mentioned the lack of users on an Azure VM at the very end as the tip of the week.
    I found out that a software component that I was trying to install in a startup task was failing because it needed to be installed in the context of a user. I used an approach similar to yours where I created a user then ran the software install in the context of that user. Instead of the task scheduler, I used the good old PsExec utility from Sysinternals.

    I appreciate your post because this is a very subtle problem that is hard to diagnose.
