Validate PowerShell DSC RunAsCredential


This is the first part of a blog series originally referenced here. – Validate the new features of PowerShell DSC

New Capability

A new property, PSDSCRunAsCredential, is now available to specify a user credential that should be used to execute all work performed by a DSC resource.

This capability is being introduced as a common property that can be used even for existing resources.


What is the purpose of this feature?

PowerShell DSC by default executes in the context of the machine System account, LocalSystem. That works well for the most part but there are cases where execution needs to occur in the context of a user account.


    • Installing MSI packages under a specific user context
    • Accessing a user’s registry hive
    • Accessing a user’s local directory
    • Accessing a network share
    • Accessing a user’s environment variables

What is the easiest way to test it?


Take any existing configuration script, identify a resource that should do work as a user account, and then add the PSRunAsCredential property to it. Note that PSDSCRunAsCredential is not currently compatible with Binary resources.

Update, replacing example script with improved scenario.
\In the following scenario, DSC would be used to deploy content stored on a device that does not support AD integrated machine authentication. An example might be a NAS appliance where a release share is staged.



Configuration ProvisionContent\    {        Import-DscResource -ModuleName 'xRobocopy'          Node localhost         {            xRobocopy Content            {                Source = 'C:\\release'                Destination = 'C:\\inetpub\\wwwroot\\myservice'                SubdirectoriesIncludingEmpty = $true                Retry = 10                Wait = 10                Restartable = $true                MultiThreaded = $true                LogOutput = 'C:\\ProvisionContent\\copylog.txt'               PSDSCRunAsCredential = $Node.UserCredentials            }        }    }    $ConfigData = @{        AllNodes = @(            @{                NodeName = 'localhost'                CertificateFile = 'C:\\ProvisionContent\\cert.cer'                UserCredentials = Get-Credential            }        )    }    ProvisionContent -out C:\\ProvisionContent -ConfigurationData $ConfigData   Start-DSCConfiguration -path C:\\ProvisionContent -verbose -wait -force


What should I expect to see?

In the example above, content should be copied from the network share to the local machine. If you delete the local copy of the content and then run the command below, it should return. You should also be able to update the content on the source share and run the same command, and the target node should receive the latest files.


Test resetting the file after it was deleted:

    Start-DSCConfiguration -UseExisting -Verbose -Wait


Can you help me set up my lab machine?


There is some setup required to securely store credentials on your test machine. If you are starting from scratch, you can use the example below to create a self-signed cert and configure LCM to use the cert for decryption.


Every LCM property which is currently set will be overwritten if specified here. Every configuration property not specified here will be cleared!


# Create working directory\if (-not $(Test-Path C:\\ProvisionContent)) {mkdir C:\\ProvisionContent}\\# Check if valid certificate is already present    \$Certificate = ls Cert:\\LocalMachine\\My | ? {$_.Subject -eq \"CN=Self Signed Cert\" -AND $_.PrivateKey.KeyExchangeAlgorithm} | Select -first 1\\# If no certificate is available, create one\if (-not $Certificate) {\@'\[NewRequest]\Subject = \"CN=Self Signed Cert\"\ProviderName = \"Microsoft RSA SChannel Cryptographic Provider\"\RequestType = Cert\'@ | out-file 'C:\\ProvisionContent\\cert.inf'\\certreq.exe -new -machine 'C:\\ProvisionContent\\cert.inf' 'C:\\ProvisionContent\\cert.cer'\}\\# Export certificate file\if (-not $(test-path 'C:\\ProvisionContent\\cert.cer')) {\    $CertificateFile = Export-Certificate -Type CERT -FilePath 'C:\\ProvisionContent\\cert.cer' -Cert $Certificate\    }\else {$CertificateFile = 'C:\\ProvisionContent\\cert.cer'}\\# Import certificate file to trusted root authorities so it is trusted on the local machine\if (-not $(ls 'Cert:\\LocalMachine\\Root' | ? {$_.Thumbprint -eq $Certificate.Thumbprint})) {\    $Import = Import-Certificate -FilePath $CertificateFile -CertStoreLocation 'Cert:\\LocalMachine\\Root'\    }\\# Create LCM configuration    \[DSCLocalConfigurationManager()]\Configuration SetCertificate\{\    Settings\    {\    CertificateID = $Certificate.Thumbprint\    }\}\\# Generate meta MOF\SetCertificate -out C:\\ProvisionContent\\# Apply the LCM configuration\Set-DscLocalConfigurationManager -Path C:\\ProvisionContent



How to provide feedback


If you click back to the intro post, there is a summary of options for providing feedbac. The best option is to use Microsoft Connect. Thank you so much for your time! It is sincerely appreciated.


Michael Greene
Senior Program Manager
PowerShell & Automation – ECG CAT Team




No Comments.