A user reported encountering an issue with the "Power On Generic VM" script while using ControlUp at a customer’s site. Others responded with potential solutions and one user shared their process for releasing scripts on the ControlUp Community Slack channel. The original poster planned to run the script in a trigger on powered off VMs and asked if this would affect permissions. The conversation also delved into the necessary user permissions for scripts that use invoke-cuquery or similar functions and the importance of running as a domain user. A link to a previous post about releasing scripts on the ControlUp Community Slack channel was also shared.
Read the entire ‘Troubleshooting Script Issues with "Power On Generic VM" in ControlUp’ thread below:
Issue with "Power On Generic VM"
Hi guys,
At a customer I ran into a (for me) strange issue with the "Power On Generic VM" script by @member.
When I run the script via the ControlUp console I get the following error (see screenshot):
- FullyQualifiedErrorId : System.UnauthorizedAccessException,ControlUp.PowerShell.User.Cmdlets.QueryMonitorService.InvokeQueryCmdlet
If I am connecting via RDP, with the very same user which runs the script in Realtime Console and run the script "manually" via powershell.exe everything works as expected.
Am I missing something obvious?
EDIT:
The user running the script is "local admin" on Monitors, so "Log on as a batch job" and "Log on as a service" are in place ("Deny log on as batch job" is empty).
Does the account running the script also have that permission in the security policy?
Yes. Account has "Run shared Script Actions" and in Machine Actions the right to run that specific script action…
Or are you asking for another permission?
This script uses the built-in action to power on VMs, so the user also needs the permission to do that.
@member we might need to make this more clear in the description
Power On VM is also granted…
So the list of permissions would be:
• Log on as a batch job
• Log on as a service
• Run shared Script Actions
• Power On VM
• (permission to run the actual script)
yes?
I duplicated the script and checked "Execute script with .NET Engine"; changed execution context to "Other machine" and selected a monitor; changed security context to "Default" and modified the script like this and it's working:
```
<#
.SYNOPSIS
    This script performs a Power On on a VM
.DESCRIPTION
    This script performs a Power On on a VM. The script uses the CU Actions in version 8.8 to action the power-on, regardless of the underlying hypervisor.
.PARAMETER hostname
    The hostname to perform the action on, supplied via a trigger or right-click action against a VM
.NOTES
    Version:        0.1
    Context:        Computer, executes on Monitor
    Author:         Bill Powell
    Requires:       Realtime DX 8.8
    Creation Date:  2023-05-11
.LINK
    https://support.controlup.com/docs/powershell-cmdlets-for-solve-actions
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, HelpMessage = 'hostname of machine to be actioned')]
    [ValidateNotNullOrEmpty()]
    [string]$hostname
)
#region ControlUpScriptingStandards
$VerbosePreference = $(if( $PSBoundParameters[ 'verbose' ] ) { $VerbosePreference } else { 'SilentlyContinue' })
$DebugPreference = $(if( $PSBoundParameters[ 'debug' ] ) { $DebugPreference } else { 'SilentlyContinue' })
$ErrorActionPreference = $(if( $PSBoundParameters[ 'erroraction' ] ) { $ErrorActionPreference } else { 'Stop' })
$ProgressPreference = 'SilentlyContinue'
[int]$outputWidth = 400
if( ( $PSWindow = (Get-Host).UI.RawUI ) -and ( $WideDimensions = $PSWindow.BufferSize ) )
{
    $WideDimensions.Width = $outputWidth
    $PSWindow.BufferSize = $WideDimensions
}
#endregion ControlUpScriptingStandards
#region Define the CUAction
$RequiredAction = "Power On VM" # or any of "Force Power Off VM","Force Reset VM","Power On VM","Restart Guest","Shutdown Guest"
$RequiredActionCategory = 'VM Power Management'
#endregion
#region Process Args
$hostname = $args[0] # the computername is passed as the only argument
#endregion
#region Load the version of the module to match the running monitor and check that it has the new features
function Get-MonitorDLLs {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)][string[]]$DLLList
    )
    [int]$DLLsFound = 0
    # Locate the folder of the running cuMonitor service and resolve each DLL inside it
    Get-CimInstance -Query "SELECT * from win32_Service WHERE Name = 'cuMonitor' AND State = 'Running'" | ForEach-Object {
        $MonitorService = $_
        if ($MonitorService.PathName -match '^(?<op>"{0,1})\b(?<text>[^"]*)\1$') {
            $Path = $Matches.text
            $MonitorFolder = Split-Path -Path $Path -Parent
            $DLLList | ForEach-Object {
                $DLLBase = $_
                $DllPath = Join-Path -Path $MonitorFolder -ChildPath $DLLBase
                if (Test-Path -LiteralPath $DllPath) {
                    $DllPath
                    $DLLsFound++
                }
                else {
                    throw "DLL $DllPath not found in running monitor folder"
                }
            }
        }
    }
    if ($DLLsFound -ne $DLLList.Count) {
        throw "cuMonitor is not installed or not running"
    }
}
$AcceptableModules = New-Object System.Collections.Generic.List[object]
try {
    $DllsToLoad = Get-MonitorDLLs -DLLList @('ControlUp.PowerShell.User.dll')
    $DllsToLoad | Import-Module
    # Reduce each DLL path to its bare module name
    $DllsToLoad -replace "^.*\\",'' -replace "\.dll$",'' | ForEach-Object {$AcceptableModules.Add($_)}
}
catch {
    $exception = $_
    Write-Error "Required DLLs not loaded: $($exception.Exception.Message)"
}
# -notin is used because "-not (...) -in $list" negates the left operand before the -in test
if ((Get-Command -Name 'Invoke-CUAction' -ErrorAction SilentlyContinue).Source -notin $AcceptableModules) {
    Write-Error "ControlUp version 8.8 commands are not available on this system"
    exit 0
}
#endregion
#region Perform CUAction on target
$ThisComputer = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Output "Action $RequiredAction applied to $hostname from $env:COMPUTERNAME"
$Action = (Get-CUAvailableActions -DisplayName $RequiredAction | Where-Object {($_.Title -eq $RequiredAction) -and ($_.IsSBA -eq $false) -and ($_.Category -eq $RequiredActionCategory)})[0]
$Action
$Allrows = Invoke-CUQuery -Table $Action.Table -Fields * -Where "sName = '${hostname}'"
"----------------------"
$Allrows
"----------------------"
$Allrows.Data | ForEach-Object {
    $VMTableRow = $_
    $Result = Invoke-CUAction -ActionId $Action.Id `
        -Table $Action.Table `
        -RecordsGuids @($VMTableRow.key)
    Write-Output "Action $RequiredAction applied to $hostname, result $($Result.Result)"
}
#endregion
Write-Output "Done"
```
Ok, it worked just once… 😞
Seems Invoke-CUQuery is the problem…
If I run it manually $Allrows.Data looks good (it's shortened but you get it):
```
Data : {@{key=a4c8e1f9-4b44-4e8a-b478-f0529f839c45; objectId=93758; […] AzureTotalBandwidthCost=}}
Success : True
Error :
ErrorCode : 0
Total : 1
Returned : 1
Stats : { DriverTime = 17, Channels = 0, SearchIni = 3, SearchIniNodeAvg = 0,333333333333333, SearchIniNodeMax = 1, Seek = 0, Collect = 0 }
CurrentTime : 19.04.2024 15:40:52 +02:00
RequestId : 545163a9-1516-47b1-91f6-2ffb1271addc
```
If I run it via SBA $Allrows.Data is empty:
```
Data :
Success : True
Error :
ErrorCode : 0
Total : 0
Returned : 0
Stats : { DriverTime = 2, Channels = 0, SearchIni = 2, SearchIniNodeAvg = 0, SearchIniNodeMax = 0, Seek = 0,
Collect = 0 }
CurrentTime : 19.04.2024 15:42:55 +02:00
RequestId : 6a55e063-dd66-4c51-9954-56886e555fc4
```
Hmm. I found my original post on releasing those scripts here: https://controlupcommunity.slack.com/archives/C054TRXJUQN/p1688056505493399
The only thing that might be relevant here is my testing methodology, which was to develop the power off and power on scripts at the same time, so I clearly ran the two scripts, one after the other, several times.
Ok… I plan to run the script in a trigger on powered off VMs…
Any script that uses invoke-cuquery or anything like it (export-cuquery, invoke-cuaction, etc), needs to run as a domain user. Else the monitor will try to evaluate if the is allowed to access the data you’re trying to access using the ControlUp security policy.
Do note that I mean the user listed under execution context. Not whoever right clicks a machine in the console.
If you do not specify a domain user, the monitor will try to look up if system or network service has permission to run the script. And I don’t think you could get permissions assigned to a computer account in the CU security policy (I guess you could make it a member of an AD security group).
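An added example, not part of the thread and not ControlUp's own code: a guard that turns the silent "Success : True, Total : 0" result shown above into an explicit error and reports whether the script is running as a built-in service account instead of a domain user. The function names are hypothetical, the sample objects are constructed to mirror the two outputs in the thread, and only the result properties visible there are used.

```powershell
# Added example; function names are hypothetical, sample data is constructed.
function Test-CUServiceIdentity {
    # True when the SID is LocalSystem, LocalService or NetworkService,
    # i.e. not a domain user that a security policy entry can name directly.
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $wk = [System.Security.Principal.WellKnownSidType]
    foreach ($type in $wk::LocalSystemSid, $wk::LocalServiceSid, $wk::NetworkServiceSid) {
        if ($Sid.IsWellKnown($type)) { return $true }
    }
    return $false
}

function Assert-CUQueryRows {
    # Throws on a failed query and on the empty-but-successful result from the thread.
    param(
        [Parameter(Mandatory)]$QueryResult,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][string]$Where
    )
    if (-not $QueryResult.Success) {
        throw "Query failed: $($QueryResult.Error) (code $($QueryResult.ErrorCode))"
    }
    if ($QueryResult.Total -eq 0) {
        $hint = if (Test-CUServiceIdentity -Sid $Sid) {
            'running as a built-in service account; run the script as a domain user'
        } else {
            'check what the ControlUp security policy lets this account query'
        }
        throw "Query '$Where' returned no rows for SID $($Sid.Value): $hint"
    }
    return $QueryResult.Data
}

# Constructed objects shaped like the manual run and the SBA run in the thread
$manualRun = [pscustomobject]@{ Success = $true; Error = $null; ErrorCode = 0; Total = 1
    Data = @([pscustomobject]@{ key = '00000000-0000-0000-0000-000000000001' }) }
$sbaRun = [pscustomobject]@{ Success = $true; Error = $null; ErrorCode = 0; Total = 0; Data = $null }

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$system = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')   # LocalSystem

(Assert-CUQueryRows -QueryResult $manualRun -Sid $me -Where "sName = 'VM01'").key
try   { Assert-CUQueryRows -QueryResult $sbaRun -Sid $system -Where "sName = 'VM01'" }
catch { Write-Warning $_.Exception.Message }
```

In a real script the `-QueryResult` argument would be the object returned by `Invoke-CUQuery` and `-Sid` the current identity's SID, checked before the rows are piped to `Invoke-CUAction`.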