Add local users and groups to an EC2 instance with AWS CloudFormation

Many Windows Servers running in AWS EC2 do not need to be domain-joined to an Active Directory system. If you are using a DevOps approach to building these kinds of Windows instances in EC2, you are inevitably going to be faced with the question of how to add local users and groups. As @pshdo writes in the help text for his excellent Carbon module for PowerShell, it can be extraordinarily hard to add local Windows users and groups. Microsoft supplies PowerShell cmdlets for Active Directory (New-ADUser and Add-ADGroupMember) but, for some reason, does not supply equivalent cmdlets for DevOps folks to use to add local users and groups to non-domain-joined Windows Servers.

What follows is an AWS Cloud Formation template snippet that does this rather conveniently. The JSON assumes you are seeding the instance from an AWS Windows Server 2012 R2 AMI. It illustrates a technique I used successfully to

  • Add three Cloud Formation parameters (CarbonGroupName, CarbonUserName and CarbonPassword) to the template
  • Transfer the PowerShell 5 installation .msu to the EC2 instance from an S3 bucket. (Download the .msu from Microsoft and upload it to the S3 bucket first)
  • Create a PowerShell script on the instance that calls Carbon’s Install-User and Add-GroupMember cmdlets
  • Install PowerShell 5
  • Install Carbon from the PowerShell Gallery
  • Run the PowerShell script that was created, substituting the values from the three parameters passed to the Cloud Formation template to create the local user and add it to the Carbon-created group as well as the Windows built-in group Remote Desktop Users.

Here’s the snippet. I hope it helps you. And if you use it, be sure to thank @pshdo — it’d be so much harder without Carbon.

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Cloud Formation template snippet to create a local userid and group in non-domain-joined Windows Server 2012 R2 instance. (c) 2017 Air11 Technology LLC -- licensed under the Apache OpenSource 2.0 license, https://opensource.org/licenses/Apache-2.0",
    "Metadata": {
        "AWS::CloudFormation::Interface": { ....
            "Parameters": { ....
                "CarbonGroupName": {
                    "Description": "Name of local group to be created",
                    "AllowedPattern": "[a-zA-Z0-9]+",
                    "Type": "String",
                    "Default": "CloudFormationGroup"
                },
                "CarbonUserName": {
                    "Description": "Local user to be added to \"Carbon Group Name\"",
                    "AllowedPattern": "[a-zA-Z0-9]+",
                    "Type": "String",
                    "Default": "CloudFormationUser"
                },
                "CarbonPassword": {
                    "Type": "String",
                    "Description": "Password for the userid being added",
                    "NoEcho": true,
                    "MaxLength": "32",
                    "MinLength": "8",
                    "Default": "ThisIsNotAValidPasswordChangeIt"
                }...
                "Resources": { ...
                    "WindowsServerECInstance": {
                        "Type": "AWS::EC2::Instance",
                        "Metadata": {
                            "AWS::CloudFormation::Init": {
                                "configSets": {
                                    "config": [
                                        "StandardSetup"
                                        ...
                                    ]
                                },
                                "StandardSetup": {
                                    "files": {
                                        "c:\\cfn\\modules\\Win8.1AndW2K12R2-KB3134758-x64.msu": {
                                            "source": "https://somes3bucket-cloudformation-assets.s3.amazonaws.com/Win8.1AndW2K12R2-KB3134758-x64.msu"
                                        },
                                        ...
                                        "c:\\cfn\\scripts\\CreateLocalGroupandUser.ps1": {
                                            "content": {
                                                "Fn::Join": [
                                                    "", [
                                                        "Import-Module Carbon;",
                                                        "Install-Group -Name ",
                                                        {
                                                            "Ref": "CarbonGroupName"
                                                        },
                                                        " -Description \"Added by Carbon\"; ",
                                                        "$cred = New-Credential -Password '",
                                                        {
                                                            "Ref": "CarbonPassword"
                                                        },
                                                        "' -UserName ",
                                                        {
                                                            "Ref": "CarbonUserName"
                                                        },
                                                        ";",
                                                        "Install-User -Credential $cred -Description \"Installed by Carbon\" -UserCannotChangePassword;",
                                                        "Add-GroupMember -Member ",
                                                        {
                                                            "Ref": "CarbonUserName"
                                                        },
                                                        " -Name ",
                                                        {
                                                            "Ref": "CarbonGroupName"
                                                        },
                                                        ";",
                                                        "Add-GroupMember -Member ",
                                                        {
                                                            "Ref": "CarbonUserName"
                                                        },
                                                        " -Name \"Remote Desktop Users\";",
                                                        "\n"
                                                    ]
                                                ]
                                            }
                                        }
                                    },
                                    "commands": {
                                        "a-powershell5": {
                                            "command": "powershell.exe wusa.exe c:\\cfn\\modules\\Win8.1AndW2K12R2-KB3134758-x64.msu /quiet /forcerestart /log:C:\\cfn\\log\\wusa-log.kb3134758.txt",
                                            "waitAfterCompletion": "forever"
                                        },
                                        "b-install-carbon-from-powershell-gallery": {
                                            "command": "powershell.exe Install-Package Carbon -Force -ForceBootstrap",
                                            "waitAfterCompletion": "60"
                                        },
                                        "c-create-local-user-and-group": {
                                            "command": "powershell.exe -command c:\\cfn\\scripts\\CreateLocalGroupandUser.ps1"
                                        }...
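As an added example (not part of the original post or of Carbon), here is a stand-alone version of the script the template above writes to c:\cfn\scripts\CreateLocalGroupandUser.ps1. Instead of splicing the three parameter values into PowerShell source with Fn::Join, it takes them through a param block, so a password containing spaces, quotes or a $ cannot break or alter the script, and it verifies the result so cfn-init reports a failure rather than a half-configured instance. It assumes Carbon is installed and that its Test-User and Test-GroupMember cmdlets are available in that version.

```powershell
# Added example, not the original post's script: parameterised, hardened equivalent
# of CreateLocalGroupandUser.ps1. Requires the Carbon module (Install-Package Carbon).
param(
    # Same AllowedPattern as the CarbonGroupName / CarbonUserName template parameters,
    # enforced again on the host so nothing but alphanumerics reaches the cmdlets.
    [Parameter(Mandatory)][ValidatePattern('^[a-zA-Z0-9]+$')][string]$GroupName,
    [Parameter(Mandatory)][ValidatePattern('^[a-zA-Z0-9]+$')][string]$UserName,
    # Same length rules as the CarbonPassword template parameter.
    [Parameter(Mandatory)][ValidateLength(8, 32)][string]$Password
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'   # any failure below exits non-zero, failing the cfn-init command
Import-Module Carbon

# Create (or update) the local group; Install-Group is idempotent.
Install-Group -Name $GroupName -Description 'Added by Carbon'

# Carbon's New-Credential wraps the plaintext password in a PSCredential; drop the
# plaintext variable as soon as the credential object exists.
$cred = New-Credential -UserName $UserName -Password $Password
$Password = $null
Install-User -Credential $cred -Description 'Installed by Carbon' -UserCannotChangePassword

# Add the user to the Carbon-created group and to the built-in Remote Desktop Users group.
$groups = @($GroupName, 'Remote Desktop Users')
foreach ($group in $groups) {
    Add-GroupMember -Name $group -Member $UserName
}

# Verify, so the stack rolls back instead of succeeding with a missing user or membership.
if (-not (Test-User -Username $UserName)) { throw "User '$UserName' was not created" }
foreach ($group in $groups) {
    if (-not (Test-GroupMember -GroupName $group -Member $UserName)) {
        throw "User '$UserName' is not a member of group '$group'"
    }
}
Write-Output "Local user '$UserName' created and added to '$GroupName' and 'Remote Desktop Users'."
```

In the template's "commands" entry, pass the three values as script arguments (or through the command's "env" key and $env: variables) rather than joining them into the file contents, and mark the CarbonPassword parameter "NoEcho": true so the value is masked in the console and in describe-stacks output. The password still reaches the instance in clear text via cfn-init, so treat it as a bootstrap credential that must be rotated after the stack is built.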

 

