What I want to do is run this as the local user account and add the user with a variable like this:
runas=currentuser
# Grab the upn of the user
wait powershell $upn = whoami /upn
# Add the local user to the admin group of the machine
wait powershell add-localgroupmember -group 'Power Users' -member azuread\$upn
Unfortunately it doesn't work, probably because my syntax isn't right. Can anyone help please?
The fundamental issue is that the $upn variable is created and defined in your first call to powershell, but it does not exist outside that scope, so it doesn't exist in the second call to powershell.
You'll also have the difficulty that a user cannot add itself to the local Administrators group: since the user is not already an Administrator, they cannot change the Administrators group.
I’m looking for a better way to retrieve UPN, but if you use ‘whoami’ then that process needs to run as the user (to retrieve the correct name), but the second command that actually adds the user will need to run as LocalSystem.
No, surprisingly I didn't find an inspector to return a UPN directly, so we probably still need to run 'whoami' for that part, but after running whoami the tests would work (executing as LocalSystem, not as the user).
Would an approach like this work, which is really what @dgendera was suggesting? (assumption being a TEMP folder has been created). The run command is overridden to run as current user so would return the logged in user upn but the waithidden command would run as SYSTEM so have the rights to add the user?
override run
Hidden=true
RunAs=currentuser
run cmd.exe /c whoami /upn > C:\TEMP\upn.txt
parameter "upn" = "{line 1 of file "C:\TEMP\upn.txt"}"
waithidden cmd.exe /c net localgroup "Power Users" /add {parameter "upn"}
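In the two-stage approach above, the stage that runs as SYSTEM consumes a file written by a process running as the logged-on user, so whatever ends up in C:\TEMP\upn.txt is untrusted input to a privileged step. As an added example that is not part of this thread, a PowerShell script for the SYSTEM stage that validates the file's content before passing it to Add-LocalGroupMember; the UPN pattern, the AzureAD\ prefix and the cleanup step are assumptions.

```powershell
# Added example, not the thread's own code. Intended to run as SYSTEM after the
# current-user stage has written the UPN to C:\TEMP\upn.txt (path and group as in the thread).
$upnFile = 'C:\TEMP\upn.txt'
$group   = 'Power Users'

# Read only the first line; the file was written by the user's own process, so treat it
# as untrusted and accept nothing but a single well-formed UPN (pattern is an assumption).
$upn = (Get-Content -LiteralPath $upnFile -TotalCount 1 -ErrorAction Stop).Trim()
if ($upn -notmatch '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$') {
    throw "Refusing to add '$upn' to '$group': file content is not a well-formed UPN"
}

# Azure AD joined devices reference cloud identities as AzureAD\<upn> (assumption from the thread)
$member = "AzureAD\$upn"

try {
    Add-LocalGroupMember -Group $group -Member $member -ErrorAction Stop
    Write-Output "Added $member to $group"
}
catch {
    # Add-LocalGroupMember throws if the account is already a member; report and continue
    Write-Output "Could not add $member to ${group}: $($_.Exception.Message)"
}
finally {
    # Remove the handoff file so a stale value cannot be replayed by a later run
    Remove-Item -LiteralPath $upnFile -Force -ErrorAction SilentlyContinue
}
```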