Is it possible to use the New-Service command to create a service using a gMSA account? I tried creating the credentials with a blank password but it fails because ConvertTo-SecureString expects the string to not be empty.
$password = ConvertTo-SecureString "" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("DOMAIN\dev-user$", $password)
New-Service -Name Service -BinaryPathName C:\Service -StartupType Automatic -Credential $credential
Start-Service -Name "Service"
I then tried setting the string to just a to see if it even cared about the password since this is a gMSA account and I got this error.
New-Service : Service '(Service)' cannot be created due to the following error: The account name is invalid or does not exist, or the password is invalid for the account name specified
EDIT: I know there are other ways I could accomplish this like Wmi-Object or sc.exe but I wanted to see if there was a means to do this via New-Service just to see if I am missing something or doing something wrong.
I found an answer for how to make a new blank SecureString and this worked
$credential = New-Object System.Management.Automation.PSCredential("DOMAIN\dev-user$", (New-Object System.Security.SecureString))
New-Service -Name Service -BinaryPathName C:\Service -StartupType Automatic -Credential $credential
Start-Service -Name "Service"
This answer assisted me in figuring out how to do this.
EDIT: Wanted to add this did not working on 2012r2 but worked on Windows 10 and 2016
Related
I'd like to write a PowerShell script which will update Teams members from input list/object. However if I run Connect-MicrosoftTeams command (to authenticate/connect to cloud service) for the first time I am asked to pick an account to use for login. This is an issue since I would like this script to be run as scheduled job. Is there a way how to avoid this when running Connect-MicrosoftTeams command ? Commands I am using:
$credential = Get-Credential
Connect-MicrosoftTeams -Credential $credential
I tried to use "-AccountId "email#address.com" but that didn't help. Of course later I will change Get-Credential to username and encrypted password
EDIT
If I run Connect-MicrosoftTeams -Credential $credential on other computer, where I've never been logged in with my account, instead of "Pick an account" window, I get credential window for username and password:
As commented, this is certainly a dissapointment, but Single-Sign-On cannot be enabled in Microsoft Teams.
See the discussion here
This should achieve what you're trying to do.
Credits to: https://www.jaapbrasser.com/quickly-and-securely-storing-your-credentials-powershell/
Save Credentials
$Credential = Get-Credential
$Credential | Export-CliXml -Path "<File path/name to save credentials"
Connect using saved credentials through MS Teams PowerShell
$Credential = Import-CliXml -Path "<path of exported credential>"
Connect-MicrosoftTeams -AccountId "<email>" -Credential $Credential
For that I always use this from Jaap Brasser:
https://www.jaapbrasser.com/quickly-and-securely-storing-your-credentials-powershell/
At the end I used other module 'AzureAD' and command 'Add-AzureADGroupMember':
# 'password' | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString $Password = "01000000d08c9..." | ConvertTo-SecureString
$Credentials = (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "user#domain.com", $Password)
Connect-AzureAD -Credential $Credentials
$AZ_USER=Get-AzureADUser -Filter "UserPrincipalName eq 'user#domain.com'"
$AZ_GROUP=Get-AzureADGroup -Filter "DisplayName eq 'teams_name'"
Add-AzureADGroupMember -ObjectId $AZ_GROUP.ObjectId -RefObjectId $AZ_USER.ObjectId
then I have to wait couple hours until Active Directory and Teams got synchronized and users were added to AD groups / Teams teams. It's not ideal, but it works with saved credentials and with no user interaction.
I am trying to connect to a sharepoint site from a PowerShell job running in an Azure App Service, whenever i try to connect it gives me the following error:
Authentication failed: A positional parameter cannot be found that accepts argument 'System.Management.Automation.PSCredential'.
When looking in the source code for the method Connect-PnPOnline for the positional parameter -Credentials it expects a CredentialPipeBind, which is a class public sealed class CredentialPipeBind
The class looks like it's meant to switch between a credential from the windows credential manager, or a powershell credential object.
The Azure job may be wanting to get the literal type from the positional parameter?
I tried giving it a
Function Set-SpsConnection ($url, $creds) {
$crpb = [SharePointPnP.PowerShell.Commands.Base.PipeBinds.CredentialPipeBind]::new($creds)
Connect-PnPOnline –Url $sharepointurl –Credentials $crpb
}
But to no avail, now it thinks i'm using SharePointPnP.PowerShell.Commands.Base.PipeBinds.CredentialPipeBind instead of CredentialPipeBind, maybe I can somehow reference the assembly so that i don't have to specify?
The issue seems to only appear when it is ran by a job or i start the script in the Kudu Console with .\scriptname.ps1 , when I execute the code in the Kudu console Copy-Paste it seems to work fine...
In my opinion this just seems like an inherent flaw within the azure job system, that it will only interpret litteral types and not run the same as on a client.
According to my research, if you want to connect to a sharepoint site with Credentials in PowerShell, the parameter Credentials should be a PSCredential object or a string(the cert name credentials from the Windows Credential Manager). For more details, please refer to the article the issue and the document
For example
$name = "username"
$password = "password"
$secpasswd = ConvertTo-SecureString $password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($name, $secpasswd)
Connect-PnPOnline -Url https://hanxia.sharepoint.com/ -Credentials $mycreds
Get-PnPList
update
According to my test, we can run the script in Azure web job
Update the module to Azure vai kuduo
Create a web job. My script is as below
$ProgressPreference="SilentlyContinue"
Import-Module '<the path of your module>\SharePointPnPPowerShellOnline' -DisableNameChecking
$name = "username"
$password = "password"
$secpasswd = ConvertTo-SecureString $password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($name, $secpasswd)
Connect-PnPOnline -Url https://<>.sharepoint.com/ -Credentials $mycreds
Get-PnPList
Am using Powershell script to copy a folder from local system to remote VM.
The below script works fine when am running from my local system.
New-SelfSignedCertificate -DnsName dummy.southcentralus.cloudapp.azure.com -CertStoreLocation Cert:\LocalMachine\My
winrm create winrm/config/Listener?Address=*+Transport=HTTPS #{Hostname="dummy.southcentralus.cloudapp.azure.com"; CertificateThumbprint="9C207E7D249D385FDE9D4BBFE7AF7EB008RDGD"}
$pw = convertto-securestring -AsPlainText -Force -String <Password>
$cred = new-object -typename System.Management.Automation.PSCredential - argumentlist <username>,$pw
$session = new-pssession -computername dummy.southcentralus.cloudapp.azure.com -credential $cred
Copy-Item -Path C:\Jenkins\workspace\deploy-service\bin.zip -Destination F:\destpath\bin1.zip -ToSession $session
But when I use the same script in Jenkins at the build step. It throws me an error as given below.
"WinRM cannot process the request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified logon session does not exist. It may already have been terminated."
What I tried So Far to resolve this error:
I have ensured that winrm is setup on both the host machines involved. Infact with 'Unrestricted' access via set-ExecutionPolicy.
I have Ensured remote machine running as a non-domain user, because local machine is running as a non-domain user.
Used Invoke-Command.
Change in this line, fixed my issue.
$cred = new-object -typename System.Management.Automation.PSCredential - argumentlist <username>,$pw
as
$cred = new-object -typename System.Management.Automation.PSCredential - argumentlist <domainname>\<username>,$pw
PSCredential, would expect the credential to be with domainname\username rather than passing username alone.
Hi I have been trying to deploy model to analysis service by using XMLA script. I used deployment wizard and it worked fine. However when I tried to use command Invoke-ASCmd to deploy model to my analysis server. It got a error of targetinovation which I figured out to be my credential argument error.
The command I used:
$user = "myemail#outlook.com"
$PWord = ConvertTo-SecureString -String "password" -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $user, $PWord
Invoke-ASCmd -InputFile AW.XMLA -Server asazure://southeastasia.asazure.windows.net/azurejenkins -Credential $Credential
But when I not use the -Credential argument it prompt the window email login which work fine. How do I use this command without prompting the user to enter email and password?
Solution to this problem.
I need to create webapp/api in active directory of azure. Copy its application id, tenant id and authentication key which you need to go to keys section in your app.
Go to SQL management server program which connected to your analysis server. Go to security and add app:# in manual entry (in case you don't see your app in the list).
Then use the same command I used in the question but change some components. Change user email to your app id and password to your authentication key. Add tenant id.
Add-AzureAnalysisServicesAccount -Credential $Credential -ServicePrincipal -TenantId $TenantId -RolloutEnvironment "xxxxxx.asazure.windows.net"
Invoke-ASCmd -InputFile xx.XMLA -Server asazure://southeastasia.asazure.windows.net/xxxxxx -Credential $Credential
Hope this script help someone who has the same problem as mine.
I'm creating an Azure Function that will call a PowerShell script. In order to do this I need to have the PS script do an unattended login. So I created an application and Service Principal as follows:
# Create an Azure Active Directory Application that will be used for authentication in Powershell Automation scripts.
$Password = ConvertTo-SecureString '<MyPassword>' -AsPlainText -Force
$AzureAdApplication = New-AzureRmADApplication -DisplayName "PowerShellAdminApp" -Password $Password -HomePage "https://www.phoenix.com" -IdentifierUris "https://www.phoenix.com"
# Create the Service Principal
New-AzureRmADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId
# Add permissions to the Server Principal
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $AzureAdApplication.ApplicationId.Guid
This all works correctly.
Then, in my PS script(s), I will log in, unattended, as follows:
$Username = "https://www.phoenix.com"
$Password = ConvertTo-SecureString "<MyPassword>" -AsPlainText -Force
$Credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $Username, $Password
Login-AzureRmAccount -ServicePrincipal -Credential $Credential -TenantId '<MyTenantId'
This works as well. However, I feel like I'm not understanding something or I'm missing something. This is not at all secure. If I have to have this login code in all my PS scripts, I'm basically letting anyone who has access to these scripts see the tenant Id and the password to the app. They then could perform any activity the app can perform.
Am I doing this correctly or not understanding something?
You can use App Settings to define environment variables and store passwords there and in your code just read them:
$username = $env:username
$password = ConvertTo-SecureString $env:password -AsPlainText -Force
Here's how to configure that. https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings