Chef-Client unable to assume correct permissions

Hi everyone,

Sorry in advance for the long post!!
I have a complex PowerShell script that involves establishing New-CimSession, importing and using the ActiveDirectory module.. all to do a domain join from a central build server we host. Now the interesting thing is that I can run this PowerShell script with no issues at all when I execute it as a number of different users from that build server, however when I attempt to run the chef-client which has only that one recipe (powershell_script block with the entire script listed in the code) I get all kinds of Access Denied error messages.

My workaround for now is to simply execute the script stored on the server instead of within the recipe and that works but I would like to be able to have it all in a recipe instead of storing the script on my build server.

A few facts:

  1. Build Server runs the chef-client every 15 minutes as SYSTEM
  2. Target server needs to be joined to the domain using "Add-Computer... " command
  3. PowerShell Script works when executed from build server, doesn't work within Chef recipe because of Access Denied issues.

Things I have tried (that I can still remember haha, there were a lot of things)

  • I have tried running the Scheduled Task as a different user
  • Scheduled Task is checked with "Run with highest privileges"
  • Target Server has Windows Firewall disabled
  • Tried specifying different username and password and "elevated true" after the code block in the recipe
  • Made sure that the credentials are correct for the CIM session
  • CimSession uses DCOM protocol

When using the script in Chef recipe (commented out CimSession, just trying Add-Computer cmd)

VERBOSE: Add-Computer to domain initiating..
VERBOSE: System.InvalidOperationException: Cannot establish the WMI connection to the computer '10.x.x.x' with the
following error message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).

When using the script in Chef recipe with CimSession (this is right before Add-Computer cmd)

VERBOSE: Server not on domain, attempting to add computer to the domain
VERBOSE: Establishing a cim session with local admin credentials
VERBOSE: Microsoft.Management.Infrastructure.CimException: Access is denied.

backProcessingContext callbackProcessingContext, T currentItem, Boolean moreResults, MiResult operationResult, String
errorMessage, InstanceHandle errorDetailsHandle)

Any help would be much appreciated!!