SureBackup - Custom Powershell script to run after restore

[superdevo]

Hello,
i'm in need to reset the password for an AD account on a DC.
This DC is part of the Application Group in a surebackup job.
I am using the Test Script area in the application group indicating path, name and %vm_ip% : X.X.X.X

I am aware that the script is ran remotely from the Veeam server initiating the job.
Any chance you can help me writing the PS correctly?
i am using

Set-ADAccountPassword -Identity 'blabla' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "PASSWORD" -Force)

Thanks,
David

[Egor Yakovlev]

Hi David,
listed powershell cmdlet is right, however
- don't forget to invoke command on a remote domain controller, since script will be executed locally on Veeam server(where no AD Snapin exists).
- use masquerade IP address of a DC in the Veeam Virtual Lab
Something like this(with no -Credentials it will run under Veeam Backup Service account, which must have permissions to access ADDS)

Code: Select all

$session = New-PSSession -ComputerName 172.17.56.10
Invoke-Command $session -Scriptblock { Set-ADAccountPassword blablabla }

/Egor

[chris.arceneaux]

On top of what Egor mentioned, you might need to enable remote PowerShell sessions on your DC.This would be done apart from the SureBackup job. Try creating a remote PS Session to see if this is necessary in your live environment:

Code: Select all

$session = New-PSSession -ComputerName 172.17.56.10

[superdevo]

Thanks for the replies, really helpful!
I am getting ready to test the script, but i have a question regarding the credentials.
Given that the Veeam service account does not have ADDS access, is it possible tu run something like this:

$session = New-PSSession -ComputerName 172.17.56.10 -Credential DOMAIN\account
Invoke-Command $session -Scriptblock { Set-ADAccountPassword blablabla }

Will surebackup prompt me for the password? If not, is there a workaround?

Thanks,
David

[jhoughes]

No, the scripts need to be written in a non-interactive fashion. There is no user interaction with the script run, nor any way for it to give you a credential prompt.

I would suggest using the 'Better Credentials' module to work with the Windows credential manager for this (https://www.powershellgallery.com/packa ... ntials/4.5).

Otherwise, you could create credential files on the VBR server, but that is a less secure method of handling them.

[superdevo]

I am using Get-StoredCredential and i've created a credential using the same user i set in the application group for that VM.
When i run it from the veeam server manually everything works fine... when surebackup runs it i get:

Code: Select all

11.2019 11:45:22] <63> Info     [CreateProcessWLogon] Calling CreateProcessWithLogonW. User: svc_activeroles. Domain: CORP. CmdLine: C:\Windows\system32\windowspowershell\v1.0\powershell.exe -NoLogo -NonInteractive -NoProfile -Command "C:\scripts\SetDummyPWD.ps1" . WorkingDir: C:\Program Files\Veeam\Backup and Replication\Backup
[25.11.2019 11:45:22] <63> Info     [CreateProcessWLogon] CreateProcessWithLogonW call success
[25.11.2019 11:45:22] <64> Info     [CreateProcessWLogon] CreateProcess thread completed
[25.11.2019 11:45:22] <65> Info     [SureBackup] [vhdc-dccor03p] [ScriptTests] [Console] Get-StoredCredential : CredRead failed with the error code 1312.
[25.11.2019 11:45:22] <65> Info     [SureBackup] [vhdc-dccor03p] [ScriptTests] [Console] At C:\scripts\SetDummyPWD.ps1:8 char:10
[25.11.2019 11:45:22] <65> Info     [SureBackup] [vhdc-dccor03p] [ScriptTests] [Console] + $creds = Get-StoredCredential -Target "CORP_svc_activeroles"
[25.11.2019 11:45:22] <65> Info     [SureBackup] [vhdc-dccor03p] [ScriptTests] [Console] +          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[25.11.2019 11:45:22] <65> Info     [SureBackup] [vhdc-dccor03p] [ScriptTests] [Console]     + CategoryInfo          : InvalidOperation: (CORP_svc_activeroles:String) [Get-StoredCredential], Exception
[25.11.2019 11:45:22] <65> Info     [SureBackup] [vhdc-dccor03p] [ScriptTests] [Console]     + FullyQualifiedErrorId : 1,PSCredentialManager.Cmdlet.GetStoredCredential
[25.11.2019 11:45:22] <65> Info     [SureBackup] [vhdc-dccor03p] [ScriptTests] [Console]  
[25.11.2019 11:45:22] <65> Info     [SureBackup] [vhdc-dccor03p] [ScriptTests] [Console] WARNING: Unable to convert Credential object without username or password to PSCredential obje

ct


I dont understand if it's a permission issue. anything comes to mind?

[oleg.feoktistov]

Can you, please, share the exact script being executed during a surebackup job?