
What is the correct way to set credentials for a directory when using EC2Launch sysprep?


I created a startup script like this:

$FolderPath = "C:\Path\To\Your\Directory"
$UserAccount = "Domain\User" # Replace with the appropriate user or group
$Acl = Get-Acl $FolderPath
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserAccount, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow") # Replace 'FullControl' with the desired permission level
$Acl.SetAccessRule($AccessRule) # attach the rule to the ACL object; Set-Acl on an unmodified ACL writes nothing new
Set-Acl $FolderPath $Acl

and set it to run in Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup > Powershell

But when I run EC2Launch sysprep, the EC2 instance loses file permissions for Domain\User in C:\Path\To\Your\Directory. Specifically, I am trying to get IIS to host a website out of either C:\users\admin\desktop\public or %SystemDrive%\inetpub\wwwroot, so for tests I am giving Everyone Full Control on both of those directories. IIS hosts the sites before I do EC2Launch sysprep, but afterwards the permissions are gone. As one further test I go ahead and create an AMI after running EC2Launch sysprep and use that AMI for the Auto Scaling Group in an Elastic Beanstalk environment, and it doesn't work there either.

Am I setting directory permissions for a user correctly? What account is it running under when it executes my scripts? Maybe that account needs to be run as admin?

Basically though, I'm hoping someone knows the right way to give Domain\User access to C:\Path\To\Your\Directory in an AMI.


Instead of setting the permissions in the startup script, you can set them using the EC2Launch configuration file, because EC2Launch sysprep can reset settings when run.

First, create a PowerShell script (don't forget to replace YourDomain and YourUser):

$FolderPath = "C:\Path\To\Your\Directory"
$DomainName = "YourDomain"
$UserName = "YourUser"
$UserAccount = "$DomainName\$UserName"
$Acl = Get-Acl $FolderPath
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserAccount, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($AccessRule) # attach the rule to the ACL object before writing it back
Set-Acl $FolderPath $Acl

Then go to Ec2LaunchSettings.ps1, located at C:\ProgramData\Amazon\EC2-Windows\Launch\Script, and add this at the end (C:\Path\To\Your\Script.ps1 is the path of the script we just created):

& "C:\Path\To\Your\Script.ps1"

Then save Ec2LaunchSettings.ps1. Now you can re-run EC2Launch sysprep; it should work.
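The ACL step above is the part that most often silently does nothing, so here is a fuller version of it as an added example (written for this page, not code from the original question or answer). It attaches the rule to the ACL object, writes it back, and then reads the ACL back by SID to confirm the entry is really there, which is the check you want when a script runs unattended after sysprep. The folder, identity and rights are placeholders you change; the default grants IIS_IUSRS ReadAndExecute on C:\inetpub\wwwroot, which is the least-privilege grant for serving static content (Everyone / FullControl on a web root is the classic foothold for dropping a web shell, so keep that to throwaway tests). It assumes the account resolves on the instance at run time and that the script runs elevated.

```powershell
# Added example: grant an identity rights on a directory and verify the ACE landed.
# Placeholders below are assumptions; replace them for your environment.
param(
    [string]$FolderPath = "C:\inetpub\wwwroot",
    [string]$Identity   = "IIS_IUSRS",        # or "YourDomain\YourUser"
    [string]$Rights     = "ReadAndExecute"    # least privilege for static web content
)

$ErrorActionPreference = "Stop"

function Resolve-AccountSid {
    param([string]$Account)
    # Fail fast if the account cannot be resolved (e.g. a domain account on a box
    # that is not domain-joined yet); Set-Acl would otherwise fail with a vague error.
    $nt = [System.Security.Principal.NTAccount]::new($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier])
}

function Grant-DirectoryAccess {
    param([string]$Path, [string]$Account, [string]$AccessRights)

    $sid = Resolve-AccountSid -Account $Account
    $acl = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid,
        [System.Security.AccessControl.FileSystemRights]$AccessRights,
        [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # The rule must be attached to the ACL object before Set-Acl writes it back;
    # calling Set-Acl with an unmodified ACL changes nothing on disk.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DirectoryAccess {
    param([string]$Path, [string]$Account, [string]$AccessRights)

    $sid    = Resolve-AccountSid -Account $Account
    $wanted = [System.Security.AccessControl.FileSystemRights]$AccessRights
    $acl    = Get-Acl -Path $Path
    # Read the rules back as SIDs so the comparison does not depend on name resolution.
    $rules  = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $sid -and
            $r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($r.FileSystemRights -band $wanted) -eq $wanted)) {
            return $true
        }
    }
    return $false
}

Grant-DirectoryAccess -Path $FolderPath -Account $Identity -AccessRights $Rights
if (-not (Test-DirectoryAccess -Path $FolderPath -Account $Identity -AccessRights $Rights)) {
    throw "ACE for $Identity ($Rights) is not present on $FolderPath after Set-Acl"
}
Write-Output "Granted $Rights on $FolderPath to $Identity"
```

Because it throws when the entry is missing, running it from whatever hook you use after generalization (the Ec2LaunchSettings edit described in this answer, or a first-boot script) leaves a clear error in the log instead of a site that quietly returns 403.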

FYI, while this didn't get me all the way there, it did point in the right direction. After another two days of pulling my hair out reading AWS documentation and not getting anywhere, I switched to Azure. Not saying it's less difficult to work with, but anyway. ...I might have been able to do it without ever running sysprep, which would have been nice, because despite the 10 ways I tried, userdata NEVER WORKED. If using Azure, apparently you don't have to, while if using AWS their official instructions are to generalize.

