We use TeamCity as our CI server. At one stage of our build pipeline we need to run a PowerShell script that applies a checkpoint to a virtual machine hosted on a dedicated Hyper-V server.
The TeamCity agent runs as a special user; let's call that account TCAgent. Its password is shared among many people. To allow this user to execute PowerShell scripts on the Hyper-V server, I would need to allow the user to log on to the server, which is very insecure.
So I need the user TCAgent to be able to execute certain scripts on the server, but nothing more. How can I achieve this?
Answer 1
You can configure these settings in Local Group Policy (gpedit.msc) or in actual Group Policy.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally
Deny log on locally
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.
Important
If you apply this security policy to the Everyone group, no one will be able to log on locally.
Default: None.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a batch job
Log on as a batch job
This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows.
For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.
Default: Administrators, Backup Operators.
These two settings should accomplish what you are trying to do.
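As an added example (not part of the question or of the answer above), the following PowerShell script audits the two User Rights Assignments the answer refers to, so an administrator can verify on the Hyper-V host that the agent account actually ended up in "Deny log on locally" and "Log on as a batch job" after the policy was applied. It exports the local security policy with the built-in secedit.exe and parses the [Privilege Rights] section, where these settings appear under their internal names SeDenyInteractiveLogonRight and SeBatchLogonRight. The account name TCAgent is taken from the question; the export path under $env:TEMP and the expectation that the script runs in an elevated session on the host are assumptions of this example.

```powershell
# Added example: audit "Deny log on locally" and "Log on as a batch job" for one account.
# Assumptions: elevated PowerShell on the Hyper-V host; secedit.exe available (built in).
# 'TCAgent' is the account name from the question; qualify it with HOSTNAME\ or DOMAIN\ as needed.

$Account    = 'TCAgent'
$ExportPath = Join-Path $env:TEMP 'secpol-user-rights.inf'

# Internal privilege names and the labels shown in gpedit.msc.
$Rights = @{
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
    'SeBatchLogonRight'           = 'Log on as a batch job'
}

function Resolve-PrincipalName {
    # secedit lists SIDs with a leading '*'; translate them to NAME form when possible.
    param([string]$Entry)
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # unresolvable SID (e.g. a deleted account): keep the raw value
        }
    }
    return $Entry
}

function Get-PrivilegeRights {
    # Export only the USER_RIGHTS area and return a hashtable: privilege name -> holders.
    param([string]$Path)
    $null = & secedit.exe /export /cfg $Path /areas USER_RIGHTS /quiet
    $result    = @{}
    $inSection = $false
    # secedit writes a UTF-16 INI-style file.
    foreach ($raw in Get-Content -Path $Path -Encoding Unicode) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name    = $Matches[1]
            $members = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            $result[$name] = @($members | ForEach-Object { Resolve-PrincipalName $_ })
        }
    }
    return $result
}

$rightsTable = Get-PrivilegeRights -Path $ExportPath
foreach ($right in $Rights.Keys) {
    $holders = @($rightsTable[$right])
    # Match either a bare name or a qualified HOST\name / DOMAIN\name entry.
    $present = $holders | Where-Object { $_ -eq $Account -or $_ -like "*\$Account" }
    $status  = if ($present) { 'PRESENT' } else { 'MISSING' }
    '{0,-28} ({1}): {2} for {3}; current holders: {4}' -f `
        $right, $Rights[$right], $status, $Account, ($holders -join ', ')
}
Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
```

The script only reads the effective local policy; the settings themselves are applied through gpedit.msc or Group Policy as the answer describes. A privilege whose line is absent from the export has no holders at all, which the script reports as an empty holder list.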