Running an entire DSC configuration as a user with admin rights

Hey guys, hope you’re all doing great. I’m new here so please be gentle :slight_smile:

I’m using DSC to automate the setup of my local Windows 10 machine (a bit of a different use case to the usual).

I understand that DSC runs as NT AUTHORITY\SYSTEM which is undesirable in my case. What I really want is for DSC to run as my username with elevation. The reasons are as follows:

  • I want to ensure all files created by DSC are owned by me
  • When running EXE installers, many use environment variables like APPDATA which differ when run as the SYSTEM user
So I have a little script to test with shown below:

[pre]
Configuration Sample
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost' {
        File FileDemo
        {
            SourcePath = 'C:\AppleBcInstaller.log'
            DestinationPath = 'C:\wow\bc.log'
        }
        Script Installation
        {
            TestScript = { $true }
            GetScript = { @{ Result = "whoami says - $(whoami)" } }
            SetScript = { }
        }
    }
}

# Compile the configuration into .\Sample\localhost.mof
Sample | Out-Null

Remove-Item C:\wow\bc.log -ErrorAction SilentlyContinue

# Attempting to run the entire DSC configuration with my current username (fgimi)
$cred = Get-Credential -UserName fgimi -Message "Gimme your password"
Start-DscConfiguration -Path Sample -Wait -Credential $cred

$fileOwner = (Get-Item -Path C:\wow\bc.log).GetAccessControl().Owner
$scriptResult = (Get-DscConfiguration | Where-Object ResourceId -eq '[Script]Installation').Result
Write-Output "The bc.log file has the owner $fileOwner"
Write-Output "The script result is $scriptResult"[/pre]

The output above is still:

[pre]
PS C:\Users\fgimi\OneDrive\Development> .\dsc2.ps1
The bc.log file has the owner NT AUTHORITY\SYSTEM
The script result is whoami says - nt authority\system[/pre]

So clearly passing the Credential to the Start-DscConfiguration cmdlet doesn’t do the trick.

I’m aware that you may pass Credential or PsDscRunAsCredential to individual resources, but I really want to avoid that if I can, and run the entire configuration as me.

Is this possible or can you suggest an alternative approach?

Huge thanks in advance
Fotis

You need to add a parameter to your configuration to accept a credential:

Configuration Sample
{
    param (
        [pscredential]$Credential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost' {
        File FileDemo
        {
            SourcePath = 'C:\AppleBcInstaller.log'
            DestinationPath = 'C:\wow\bc.log'
        }
        Script Installation
        {
            TestScript = { $true }
            GetScript = { @{ Result = "whoami says - $(whoami)" } }
            SetScript = { }
            PsDscRunAsCredential = $Credential
        }
    }
}

However, just be aware that you need to secure your MOF file in order to make this work. I would not advise storing the credentials as plain text. You can find how to secure your MOF file here:

https://docs.microsoft.com/en-us/powershell/dsc/pull-server/securemof

pwshliquori

Thanks so much for your reply and help, this does indeed work, but I was hoping there would be a way to apply the credential to the entire DSC configuration instead of individual resources. Though it seems that this simply is not possible :frowning:

Another interesting point is that the File resource doesn't seem to allow copying or setting the owner on the destination file. The Credential property is only used for accessing the source file. No matter what I do, the destination file ends up owned by NT AUTHORITY\SYSTEM.

Edit: It seems that file is special, see https://stackoverflow.com/questions/49661060/for-a-desired-state-configuration-file-resource-why-does-credential-work-and-p?rq=1

Using PsDscRunAsCredential works perfectly in the Script resource but not File for this reason.

Cheers
Fotis
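An added example, not code from anyone in this thread, that puts the two findings above together: the credential is passed in as a configuration parameter and bound to PsDscRunAsCredential (pwshliquori's reply), and the copy is done by a Script resource rather than File, so the destination file is created by the credential's user (Fotis's follow-up). It also shows the two ConfigurationData shapes behind the securemof link, and checks the compiled MOF for a clear-text password before applying it. The paths, the user name fgimi, the certificate path and the thumbprint are assumptions or placeholders.

```powershell
# Added example (not from the thread). Paths, user name and certificate
# values are assumptions/placeholders.

Configuration CopyAsUser
{
    param (
        [Parameter(Mandatory)]
        [pscredential]$Credential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        Script CopyLog
        {
            # Script blocks are serialised into the MOF as text, so they cannot
            # close over variables from this scope; paths are written inline.
            TestScript = {
                $src = 'C:\AppleBcInstaller.log'; $dst = 'C:\wow\bc.log'
                (Test-Path $dst) -and ((Get-FileHash $src).Hash -eq (Get-FileHash $dst).Hash)
            }
            SetScript = {
                New-Item -ItemType Directory -Path 'C:\wow' -Force | Out-Null
                # A newly created file normally takes its owner from the account
                # that creates it; under PsDscRunAsCredential that is $Credential's user.
                Copy-Item -Path 'C:\AppleBcInstaller.log' -Destination 'C:\wow\bc.log' -Force
            }
            GetScript = {
                $owner = if (Test-Path 'C:\wow\bc.log') { (Get-Acl 'C:\wow\bc.log').Owner } else { 'missing' }
                @{ Result = "owner=$owner runas=$(whoami)" }
            }
            PsDscRunAsCredential = $Credential
        }
    }
}

# Lab/test only: lets the compiler write the password into the MOF in clear text.
$testData = @{
    AllNodes = @(
        @{
            NodeName                    = 'localhost'
            PSDscAllowPlainTextPassword = $true
            PSDscAllowDomainUser        = $true   # required if the account is a domain user
        }
    )
}

# Preferred: encrypt the credential with the node's DSC certificate (see the
# securemof link above). Both values are placeholders.
$prodData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = 'C:\DscPublicKeys\localhost.cer'
            Thumbprint      = '<thumbprint of the matching cert in Cert:\LocalMachine\My>'
        }
    )
}

$cred = Get-Credential -UserName fgimi -Message 'Password for PsDscRunAsCredential'

# Compiling returns the FileInfo of each generated MOF.
$mof = CopyAsUser -ConfigurationData $testData -Credential $cred -OutputPath .\CopyAsUser

# Check before applying: a MOF that contains the password literally is a
# plaintext secret on disk. Select-String matches nothing once it is encrypted.
$plain = $cred.GetNetworkCredential().Password
if (Select-String -Path $mof.FullName -SimpleMatch -Pattern $plain -Quiet) {
    Write-Warning "$($mof.FullName) holds the password in clear text; compile with `$prodData before deploying."
}

Start-DscConfiguration -Path .\CopyAsUser -Wait -Verbose

# Both lines should name the credential's user rather than NT AUTHORITY\SYSTEM.
(Get-Acl -Path 'C:\wow\bc.log').Owner
(Get-DscConfiguration | Where-Object ResourceId -eq '[Script]CopyLog').Result
```

The MOF check is the part worth keeping around: with PSDscAllowPlainTextPassword the compiled file carries the password verbatim, so it should be deleted after a lab run and never left in a shared output path. Switching the compile call to `$prodData` encrypts the Password property with the node's certificate, and the same Select-String then finds nothing.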