1

I'm trying to figure out how to map a file share to a particular user that I created using a Powershell script that is meant to be a service account. The end result is that my service account should be able to access the UNC path at "\\storageaccount.file.core.windows.net\share"

Below is how I create a service account through Packer's powershell provisioner.

$password = ConvertTo-SecureString "ServiceAccountPassword" -AsPlainText -Force
New-LocalUser "ServiceAccount" -Password $password -FullName "ServiceAccount"
Add-LocalGroupMember -Group "Administrators" -Member "ServiceAccount"

Because Packer executes Powershell code using the Packer generated user, I create a scheduled task to run a batch file on start up on the SYSTEM account.

"net use Z: \\storageaccount.file.core.windows.net\share azurestorageaccesskey /user:Azure\storageaccount /persistent:yes" | Out-File -FilePath "C:\MapAzureFileShare.bat" -Encoding "ASCII"
$action = New-ScheduledTaskAction -Execute "C:\MapAzureFileShare.bat"
$trigger = New-ScheduledTaskTrigger -AtStartup -RandomDelay 00:00:30
$settings = New-ScheduledTaskSettingsSet -Compatibility "Win8"
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType "ServiceAccount" -RunLevel "Highest"
$task = New-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings -Description "Map Azure file share at startup"
Register-ScheduledTask -TaskName "MapAzureFileShare" -InputObject $task

The below script results in a network drive created for all users, unforunately, the network drive is a disconnected drive and inaccessible when I login as the service account I just created. It would say "The username or password is incorrect."

I also tried to create the scheduled task to run as the created user.

$action = New-ScheduledTaskAction -Execute "C:\MapAzureFileShare.bat"
$trigger = New-ScheduledTaskTrigger -AtStartup -RandomDelay 00:00:30
$settings = New-ScheduledTaskSettingsSet -Compatibility "Win8"
$task = New-ScheduledTask -Action $action -Trigger $trigger -Settings 
$settings -Description "Map Azure file share at startup"
Register-ScheduledTask -TaskName "MapAzureFileShare" -InputObject $task -User "ServiceAccount" -Password "ServiceAccountPassword"

Nothing gets mapped and it doesn't seem like anything happens if I manually run this scheduled task. BUT if I switch the above scheduled task to Run Only When User is Logged On and execute the task manually, the network map does get created.

If I try to run the batch file as the user I just created, the file share is mapped just fine.

Is there anything else I can try?

Mike
  • 826
  • 11
  • 31
  • I am not exactly certain what the solution is. I think this problem is caused by this. Network shares are not available to elevated processes unless created/activated by an elevated process. If you create a share as "bob", this share is not available to a program that is run with administrator rights. It is available if you run the equivalent of "net use" repeating the share mapping as an elevated process. – John Hanley Jan 10 '20 at 04:58
  • Thanks, I tried running the scheduled task with the highest privileges and that did not work either. I think what was wrong in the end was there was a bug with Windows 10 1809 that prevented me from auto reconnecting to network maps. I was able to resolve this in my post below. – Mike Jan 13 '20 at 17:59

2 Answers2

0

I was able to figure out how to create the network mapping via scripts and have it persist.

So instead of doing it in a round about way, using Task Scheduler to run as identity, I was able to just use PsExec to runas the account I wanted to use.

First generate a two batch files, one to save the Windows Credentials to the account I want to map to and one to actually do the mapping.

echo "cmdkey /add:storageaccount.file.core.windows.net /user:Azure\storageaccount /pass:serviceaccountpassword" | Out-File -Append -FilePath "C:\Credential.bat" -Encoding "ASCII"
echo "net use Z: \\storageaccount.file.core.windows.net\share /persistent:yes" | Out-File -Append -FilePath "C:\Map.bat" -Encoding "ASCII"

I then execute the batch files as the account that I want to map the network file share to via PsExec. I won't get into details how I automated installation of this.

More info https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

.\PsExec.exe -u "ServiceAccount" -p "ServiceAccountPassword" -h "C:\Credential.bat" /accepteula
.\PsExec.exe -u "ServiceAccount" -p "ServiceAccountPassword" -h "C:\Map.bat" /accepteula

Now, there's a tricky issue that took me awhile and thanks to a very helpful article to figure out. With the build version of 1809 of Windows 10 (October 2018). Network map is not automatically reconnected even if the network map exists and credentials exists. I decided to use Windows 10 1803 as my base image which allows the drives to be automatically reconnected when spinning up the VM.

More info http://woshub.com/could-not-reconnect-mapped-network-drives/

Mike
  • 826
  • 11
  • 31
0

I'm not sure if my solution solves exactly this issue, but I only used PowerShell to get a persistent file share in my package image. No need for psexec.

$password = ConvertTo-SecureString "SuperSecurePassword" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("YourDomain\YourUsername", $password)
New-SmbGlobalMapping -RemotePath \\fileshare.server.com\directory -Persistent $true -Credential $credential

I build a Windows 10 image, but the documentation has the prerequisite Windows Server 2022 Powershell. https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbglobalmapping

deckerch
  • 197
  • 1
  • 8