This grants your RunAs account the ability to create and manage cluster computer objects (CNO/VCOs) in the specified OU — Microsoft’s supported delegation model.
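Import-Module ActiveDirectory
Write-Host "Granting AD permissions to $RunAsAccount on $ClusterOU..."
$ou = Get-ADOrganizationalUnit -Identity $ClusterOU
$ouPath = "AD:$($ou.DistinguishedName)"
$acl = Get-Acl -Path $ouPath
$identity = New-Object System.Security.Principal.NTAccount($RunAsAccount)

# Well-known schema GUID of the 'computer' object class. Scoping the create right to this
# class (instead of GenericAll on the whole OU) keeps the delegation to what cluster
# creation needs: "Create Computer objects" plus "Read all properties".
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# "Create Computer objects" applies to the OU itself; creation does not need inheritance.
$createComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

# "Read all properties" on the OU and everything below it, so existing objects can be looked up.
$readAllProperties = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# NOTE(review): if the CNO/VCOs are pre-staged rather than created by this account, grant the
# account rights on those specific objects instead of widening this OU-level ACE.
$acl.AddAccessRule($createComputers)
$acl.AddAccessRule($readAllProperties)
Set-Acl -AclObject $acl -Path $ouPath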
Write-Host "✅ Delegation completed. $RunAsAccount can create cluster computer objects."
Microsoft requires these rights so that Failover Clustering can authenticate remotely via PowerShell/WMI.
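foreach ($node in $ClusterNodes) {
  Write-Host "Configuring logon rights on $node..."
  Invoke-Command -ComputerName $node -ScriptBlock {
    param($RunAsAccount)
    # NOTE(review): remote PowerShell/WMI use a network logon; confirm that interactive and RDP
    # logon are really required for this account, since each extra right widens where it can be used.
    $rights = @('SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight')

    # secedit's "*" prefix denotes a SID, not an account name; resolve the name on the node.
    $sid = (New-Object System.Security.Principal.NTAccount($RunAsAccount)).Translate(
      [System.Security.Principal.SecurityIdentifier]).Value

    # Per-run temp names instead of a fixed C:\secpol.* so two runs cannot clobber each other's files.
    $base = Join-Path $env:TEMP ("secpol-{0}" -f [guid]::NewGuid().ToString('N'))
    $cfg = "$base.cfg"
    $db = "$base.sdb"
    try {
      secedit /export /cfg $cfg /areas USER_RIGHTS
      if ($LASTEXITCODE -ne 0) { throw "secedit /export failed on $env:COMPUTERNAME (exit $LASTEXITCODE)" }

      $lines = @(Get-Content -Path $cfg)
      foreach ($right in $rights) {
        # Anchor on the right's own line. "-notmatch" on the whole array returned every
        # non-matching line (truthy), so the old check always appended a duplicate entry.
        $pattern = "^\s*$right\s*=\s*(.*)$"
        if (@($lines -match $pattern).Count -gt 0) {
          # Extend the existing assignment; a second line for the same right would conflict.
          $lines = @(foreach ($line in $lines) {
            if ($line -match $pattern) {
              $members = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
              if ($members -notcontains "*$sid") { $members += "*$sid" }
              "$right = $($members -join ',')"
            } else {
              $line
            }
          })
        } else {
          # A new right must live under [Privilege Rights]; appending at EOF lands it in another section.
          $merged = New-Object System.Collections.Generic.List[string]
          $inserted = $false
          foreach ($line in $lines) {
            $merged.Add($line)
            if (-not $inserted -and $line -match '^\[Privilege Rights\]') {
              $merged.Add("$right = *$sid")
              $inserted = $true
            }
          }
          if (-not $inserted) {
            $merged.Add('[Privilege Rights]')
            $merged.Add("$right = *$sid")
          }
          $lines = $merged.ToArray()
        }
      }
      # secedit exports the template as UTF-16; keep that encoding when writing it back.
      Set-Content -Path $cfg -Value $lines -Encoding Unicode

      # /configure imports the template into a fresh database and applies it; no separate /import step.
      secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS
      if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed on $env:COMPUTERNAME (exit $LASTEXITCODE)" }
      gpupdate /force
    } finally {
      # Best-effort cleanup: the exported template and database hold the node's full user-rights map.
      Remove-Item -Path "$base.*" -Force -ErrorAction SilentlyContinue
    }
  } -ArgumentList $RunAsAccount
}
Write-Host "✅ User rights updated on all nodes."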
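foreach ($node in $ClusterNodes) {
  Invoke-Command -ComputerName $node -ScriptBlock {
    # Only volumes whose protection is currently on can be suspended; Suspend-BitLocker
    # errors on unencrypted or already-suspended volumes, which the old loop did not filter.
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } | ForEach-Object {
      # -RebootCount 1: protection resumes automatically after the next restart, keeping the
      # unprotected window as short as possible.
      Suspend-BitLocker -MountPoint $_.MountPoint -RebootCount 1
    }
  }
}
Write-Host "🕓 BitLocker suspended for one reboot on all nodes."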