Reputation: 11
Start-process / runas returns "user name or password is incorrect" as long as user profile hasn't been created on AzureADOnly joined devices
I'm trying to start a process with a different user in a Powershellscript (via start-process) on an Azure AD only joined device - the problem doesn't occur on Hybrid joined devices. I am using Windows 10 Enterprise 20H2 with the newest patches this month.
The different user has the following Properties:
- Created in our on-premise Active dircetory
- Synced to our Azure Active Directory via Azure AD Connect
When I try to launch a process as a different user with start-process (I can also use runas,the result stays the same), it returns that the user name or password is incorrect: user name or password is incorrect
The result is also the same, when I use the Azure UPN (like shown in the Azure Active Directory admin center) or the %localdomain%\%Logonname% (localdomain stands for our on-premise active directory name)
I can "hop around" the problem, when I start the cmd.exe as a secondary user with the GUI (shift + rightlick, "run as different user") like this (I use the Azure AD UPN of the different user - the method with %localdomain%\%Logonname% won't work). Afterwards the following events occur:
- cmd.exe launches correctly
- The userprofile for the different user gets created below C:\users\%logonname%
- the start-process commands are now working correctly, when I restart the powershell session and specify the user as %localdomain%\%Logonname%
My Question:
Can I force the creation of the userprofile (like if run cmd.exe as a different user via the GUI) via Powershell or cmd.exe ?
My goal is to automate this and the userprofile will get created automatically on the first run of my Powershell script (this something I can check with a test-path of the userprofile or working with try /catch when using start-process).
Background:
I have a Powershellscript, which automatically starts the computermanagement / registry with a dedicated Admin account, from which the password is retrieved from an Azure Keyvault. It can also map a c$ share with these credentials. So if I want to Manage a remote computer, I just start the script, it will automatically pull the credentials and start the computer management with the correct priviledges on my client. I can rotate the password weekly and store it in the Azure Keyvault. I never need to know the password of the different user - I just need to know my credentials to access the Azure Keyvault. The call of (for example the computermanagement) is realized like this:
Start-Process "powershell.exe" -argumentlist "-noprofile -windowstyle hidden -command & {mmc compmgmt.msc /computer=$computername}" -Credential $sharedadmin -WorkingDirectory 'C:\Windows\System32'
Upvotes: 0
Views: 2921
Answers (1)
Reputation: 11
I've found out the solution by myself: How to select user in Task Scheduler on Azure AD joined device
On Azure AD only joined devices, you need to specify the username with "AzureAD\upn" when the userprofile hasn't been created so far. As soon as the userprofile exists, you can work with "%localdomain%\%Logonname"
Upvotes: 1
Related Questions
- Azure Connect-AzAccount in runbook with managed identity fails
- Set-AzureADUser : Error occurred while executing SetUser Code: Authentication_Unauthorized
- azure App registration using powershell does not create a service principal
- Azure Powershell throws "Unknown User Type"
- Azure User Assigned Identity fails to read AzureAD
- Create PSCredential from AzureAD User
- Set-AzureADuser failing
- Get-AzureDomain, GetAzureADUser, etc return Authentication_Unauthorized, User Not Found
- AzureAD PowerShell New-AzureRmRoleAssignment keeps failing
- Add-AzureAccount -credential not working as I'd hoped