I have an Azure DevOps pipeline with a PowerShell task, which when triggered, successfully creates and configures a Windows Scheduled Task on my Windows Server.
The configuration sets the task to run using an AD Service account, 'Run whether the user is logged on or not' & 'Run with the highest privileges'.
When I try to run this task however, I get the message "The user account does not have permission to run this task."
If I manually create a scheduled task using all the same details, it runs without issue.
I've seen other threads about going into the C:\Windows\System32\Tasks folder, and change the security to update the Owner, but I still get the same result.
Has anyone had any luck setting a Scheduled task up via PowerShell script, and/or what the resolution to the permission issue?
After much tinkering around, I found that the Azure DevOps agent was set up using the default SYSTEM credentials.
I created a new ADO Agent that runs as an admin Service account, and when the Scheduled task was deployed, it ran without issue.
Related
I have create Azure CI Pipeline using Classic Editor where I have Command Line task which open WPF Application, now the issue is when I configure Agent as Service this WPF Application runs in background not showing interface on front, but the same task is running properly when Agent is not running as service.
I require to open WPF Application when running Agent as Service.
I have also tried configuring agent with User Account but still facing same issue. WPF application runs in background. In task manager its showing application running but not appearing on screen.
For e.g :- Below Command I am writting to open exe in Command Line Task of azure devops CI pipeline.
**cd /D D:\Application_Build\Executable
start Sample.exe**
Above command works properly when agent is not running as service, but fail when configure agent as service.
Above command works properly when agent is not running as service, but fail when configure agent as service.
Based on your description, when you run the Agent as interactive mode. Agent will run using the account of the user who run the Agent. Then it will have enough permission to run the script.
When you run the Agent as service, it will use the NT AUTHORITY\SYSTEM account.
The permissions of this account are restricted. So it could cause this issue.
You could create an agent with the admin account or the your user account.
.\config.cmd --unattended --url https://myaccount.visualstudio.com --auth pat --token myToken --pool default --agent myAgent --runAsService --windowsLogonAccount myDomain\adminccount --windowsLogonPassword Password
On the other hand, you could navigate to local system -> Service and find the running agent service.
Then you could change the logon account as admin account.
Here is a doc about create agent.
I have Build pipeline and release pipeline in Azure DevOps which works fine. I want to start the website using power shell script which is in repo ,only after post-deployment approvals in release pipeline. Do some initial Manual checks and start the website
Release Pipeline
Task 1: stop website
Task 2: deploy website
Do initial Manual checks before starting the website
Task 3: Start website using post-deployment approvals
I am afraid it is impossible to invoke powershell scripts from post-deployment approvals.
However, if your website is deployed to azure resources. You can run the powershell scripts by Invoking Azure Function from post-deployment gates. You will need to create a Azure function to start the website using powershell script. See document Create a PowerShell function in Azure using Visual Studio Code.
There is another workaround using Manual intervention task instead of post-deployment approvals.
You can add an agentless job to run Manual intervention task(Notify the users to approve) after website is deployed.
And then run the power shell script to start up your website in the next job see below:
I am trying to create RamDisk in DevOps agent servers using PowerShell task from Pipeline. The script can create the Ramdisk rive but unable to format and mount it. Its giving error that it needs elevated prompt.
How I can run PowerShell task with admin privileges in Azure DevOps pipeline
Since you add azure-devops-self-hosted-agent tag, I assume you are using a self-hosted build agent for build. Then you can try to update the build agent to run with an administrator account.
If you configured the agent to run as a service, it starts
automatically. You can view and control the agent running status from
the services snap-in. Run services.msc and look for the agent. If
you need to change the agent's logon account, don't do it from the
Services snap-in. Instead, try to re-configure the agent and run it
with an administrator account.
I have a python script that execute an automation script on remote SUT. and given that the script is working when execute locally with user tester and password xxx.
when I build the DevOps Azure pipeline I have checkout from GIT the project into the agent and then try to execute the code from the command line .
cd .\MatrixPro\TestFramework
python .\main.py -t profaund_tests.matrix_pro_rf_energy_across_impedances
this code gave me an error
E PermissionError: [WinError 5] Access is denied:
'//192.168.1.100\c$\'
seems that this script try to create report file on the SUT and doesn't have permission.
more over that the azure user agent have admin permission but I suspect that I need to change into the local user before execute the command.
note: I'm working on windows 10 .
what is the right method to solve this issue ? how can I figure out way this error occur ?
is their a simple way to change the pipeline permmision to work on local agent with local user and password?
When you run the build pipeline on Azure DevOps.
It's actually the build service account which is running the script. You should make sure the build service account have sufficient permission to Access: '//192.168.1.100\c$\'
To change the identity of the build agent, just go into Windows Services and change the identity of related Build service (service name is " Azure Pipelines Agent").
In the Services pane, right-click Azure Pipelines Agent.
Under Service Status, click Stop.
Click the Log On tab.
Specify the account you want to use for the service in the This
account text box.
Type the new password in the Password text box, and then type the
new password again in the Confirm password text box.
Under Service Status, click Start.
You should use a user to remote to that the server hold build agent and manually run the script to perform the deploy process. If that user is able to deploy succeed without any permission issue. Simply use this user as your build service account of Azure DevOps agent.
Hope this helps.
In VSTS I have a release definition, which needs to run a PowerShell script as administrator.
The release agent is configured to run as an account, which is a local administrator and has the required permissions, but UAC is restricting those permissions, unless PowerShell is executed "as administrator".
Can I run PS as admin from VSTS without disabling UAC completely on the server?
I don't think there is a way to do that using PS task. Can you try "Run PS on target servers" and provide admin creds. You will need to provide the machine name of the agent (so this is not ideal) as an input to the task. That might not require UAC. We will file this as a feature request.
I ran into this same problem. To fix it I did this (YMMV):
I uninstalled the Azure DevOps agent
Verified that the agent user was an admin
Reinstalled the Azure DevOps agent
When I originally installed the agent, the user the agent was running as was not an admin (I added that user to the Builtin\Administrators group after I installed the agent). I'm not sure if that caused a problem, but uninstalling/reinstalling solved it for me.
I do not think that the Inline or Path options are the issue. Maybe installing an Agent in the Deployment Environment Machine, assigning in the installation process the credentials of a user you are sure has administrative privileges on the SharePoint farm could help you. Then in VSTS verify that the agent is Online and working in the Deployment Group Section.
We got around not being able to use elevated Powershell commands by creating a light .Netcore Worker service with http request capability running in an elevated service privilege state. You can send a Invoke-RestMethod command from a regular Powershell YML task and it will trigger your custom logic on the other end of the ASP controller. We use it to remove Appx packages before re-installing for our Unit tests. The repo is located at, AzureAdmin