Objective
Local User Password change without admin rights -> Powershell AD Methods
Logging on to a distant PC using Remote Desktop Connection (RDP); on this PC the password shall be changed
Problem
AD module not recognized (cmdlet... error)
Installed RSAT AD LDS via RDP and the Windows "Manage optional features" approach
RSAT AD LDS is installed
PowerShell still does not know about the AD module (Get-ADUser not working)
Activated LDS in "Turn Windows features on or off" (https://i.ibb.co/WxF35VD/Capture.png)
PowerShell still does not find the AD module (Get-ADUser not working)
Listing "Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State" reveals that the AD LDS tools are installed
Question
Somehow, the tools are installed but there is no ActiveDirectory module in the PowerShell modules folder
Am I missing a point somewhere?
• AFAIK, you won’t be able to make changes, i.e., add the required RSAT roles, through the ‘Programs and Features’ section in Control Panel on Windows 8 and later versions. For this purpose and for more clarity, kindly refer to the official documentation below for details:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/remote-server-administration-tools
Thus, if your client Windows version is later than Windows 8, you would not be able to install the various roles and features under the ‘RSAT’ feature of the Control Panel optional features; rather, you would need to install RSAT’s various features for Windows Server roles through ‘Start --> Settings --> Apps --> Apps and Features --> Optional features’. From there you can install any RSAT feature you want on your Windows 10 client system.
• I would suggest you execute the below cmdlet through an elevated PowerShell console on your Windows 10 client system and check again. It should install successfully. Also, do not forget to restart the system once the RSAT roles have been installed successfully; it helps the modified registry flags take effect:
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
Once the above command has executed successfully, please ensure that the below commands also execute successfully. They will ensure that the ‘Active Directory’ module, if not present on the client system, is imported from the online Microsoft CDN library and installed.
Get-Module -Name ActiveDirectory -ListAvailable
Import-Module -Name ActiveDirectory
• You can also log into a distant PC using Remote Desktop Connection from your Windows 10 client system and change the password on that system by making a GPO (Group Policy Object) on your central policy server and setting the policy as below to allow the users to access PowerShell without administrator privileges:
Default domain policy/New GPO --> Edit --> Computer Configuration -->
Policies --> Windows Settings --> Security settings --> Restricted groups --> Remote Management Users --> Click on ‘Add’ --> Select the users from Active Directory --> Ok
Once you do this, ensure that this policy is pushed to all the systems where you want users to run PowerShell remotely with administrator privileges. You can also add those users to a group and then add that group as a member of the ‘Remote Management Users’ group through Group Policy.
• You can check the permissions of a PowerShell session configuration through the below command, which clearly states that ‘Remote Management Users’ are allowed access to the PowerShell session remotely. Please note that the Windows Remote Management service needs to be started and running for the below command to run successfully and return results.
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
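The check-and-install sequence from the answer above, put together as one script and followed by the self-service password change that the original objective asks for. This is an added example, not code from the original post or answer. It assumes a Windows 10 1809 or later client that is domain-joined, a domain controller running Active Directory Web Services (TCP 9389) reachable from the client, and that the caller changes their own account (which needs the old password, not administrator rights). The capability install in step 1 is the only part that requires an elevated console.

```powershell
# Added example (not from the original post): verify the RSAT AD DS/LDS capability,
# make the ActiveDirectory module available, then change the caller's own password.
# Assumptions: Windows 10 1809+, domain-joined, a DC with ADWS reachable.

$capName = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'

# 1. Capability state. 'Installed' but no module usually means the current
#    session predates the install; a new session (or reboot) refreshes PSModulePath.
$cap = Get-WindowsCapability -Online -Name $capName
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capName | Out-Null   # elevated console required
}

# 2. The module is installed under the system module path, not the user's Documents folder.
$mod = Get-Module -Name ActiveDirectory -ListAvailable
if (-not $mod) {
    throw 'ActiveDirectory module still not found; open a new PowerShell session or reboot.'
}
"ActiveDirectory module at: $($mod.Path)"
Import-Module ActiveDirectory

# 3. The AD cmdlets talk to ADWS on a DC, not to a local AD LDS instance. Confirm one is reachable.
$dc = (Get-ADDomainController -Discover -Service ADWS).HostName | Select-Object -First 1
"Using ADWS on $dc"

# 4. Self-service change: -OldPassword proves ownership of the account, so no admin rights
#    and no 'Reset password' permission are needed.
$identity = $env:USERNAME   # assumption: the caller changes their own account
$old = Read-Host -AsSecureString 'Current password'
$new = Read-Host -AsSecureString 'New password'
Set-ADAccountPassword -Identity $identity -OldPassword $old -NewPassword $new -Server $dc

# 5. Verify against the same DC (PasswordLastSet moves to now on success).
Get-ADUser -Identity $identity -Properties PasswordLastSet -Server $dc |
    Select-Object SamAccountName, PasswordLastSet
```

If step 3 fails, the ActiveDirectory cmdlets will never work no matter how the RSAT tools are installed, because they are a client for ADWS on a domain controller; the local AD LDS feature enabled in the question does not provide that service.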
Related
I have installed AD LDS on my Windows 10 (21H2) machine; we don't have any domain controller. The idea is to use AD LDS for user management in our Plant SCADA application. I am trying to create an OU via PowerShell cmdlets, but I get the following error:
New-ADOrganizationalUnit : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
The same PowerShell cmdlets work fine with an AD LDS instance installed on Server 2019, but I get issues when I run the same cmdlets on my Windows 10 machine. When I checked the Server 2019 box I can see there is a Windows service "ADWS" running, but I don't find this on my Windows 10 machine, so I am not sure if this is the issue, as stated in the error. I installed the RSAT: AD LDS tools from optional features, so I couldn't figure out how to get this feature (ADWS) and get my cmdlets working on my Windows 10 machine. (I am able to create an OU via ADSI Edit, but the idea is that we want to use PowerShell to automate.) I would really appreciate it if someone could shed some light on this (all my Google search results are leading me nowhere :( )
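One way to automate what ADSI Edit does by hand, as an added example that is not part of the question above: bind to the AD LDS instance over LDAP with System.DirectoryServices and create the OU through the directory entry, which does not depend on the ADWS service that New-ADOrganizationalUnit requires. The instance address (localhost:389), the partition DN (O=Plant,C=US) and the OU name are placeholders to replace with your own; the script runs as the Windows account that installed the instance, which AD LDS makes the instance administrator by default.

```powershell
# Added example (not from the original post): create an OU in AD LDS over plain LDAP.
# Assumptions: instance on localhost:389, application partition 'O=Plant,C=US'.

$server    = 'localhost:389'
$partition = 'O=Plant,C=US'
$ouName    = 'SCADAUsers'

$root = [ADSI]"LDAP://$server/$partition"
# Touch a property to force the bind now, so a wrong server or partition DN
# fails here with a clear error instead of later inside Create().
$null = $root.distinguishedName

$existing = $root.Children |
    Where-Object { $_.SchemaClassName -eq 'organizationalUnit' -and $_.Name -eq "OU=$ouName" }

if ($existing) {
    "OU=$ouName already exists under $partition"
} else {
    # Create() only stages the object; SetInfo() writes it to the directory.
    $ou = $root.Create('organizationalUnit', "OU=$ouName")
    $ou.SetInfo()
    "Created $($ou.distinguishedName)"
}

# Read it back with a searcher, the same view ADSI Edit shows.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=organizationalUnit)(ou=$ouName))"
$result = $searcher.FindOne()
if ($result) { $result.Properties['distinguishedname'] } else { Write-Warning 'OU not found after create' }
```

The same DirectoryEntry pattern (Create, Put, SetInfo) covers users and groups in the instance, so a plant provisioning script can stay on Windows 10 without a server-side ADWS.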
I need to query some WMI values using PowerShell from Windows 10 devices. The script is executed in the context of a non-admin user by some software distribution tooling.
There is a local admin account, and for the current purpose (retrieving information before wiping the system) it wouldn't be a problem to put the password in the script. As automation is a hard requirement, there is no way to deal with UAC windows or to have the user enter some credentials.
Is there any way to get
$sess = New-CimSession -Credential $admincred
to work without running into Access is denied, because it isn't run in an elevated context? Can I somehow self-elevate it by just having the admin credentials?
[Edit]
The comments asked to provide more concrete information:
I want to onboard many unmanaged (i.e. no software distribution tool, no domain join) Windows 10 devices to Windows Autopilot.
The devices are not at a specific site.
The device vendor can't provide the information.
The users don't have administrative privileges
The users don't know the local admin password (I do)
Exposing the local admin password is less of a problem than the missing tech knowledge of the users (the password is considered legacy)
The firewall is preventing incoming traffic (no RDP, WinRM)
Code (Source):
$devDetail = (Get-CimInstance -CimSession $session -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'")
It is too time-consuming to get the information using manual remote sessions with a tool like TeamViewer. Getting the users to download a tool from the intranet and run it would be a way to go. So I created a standalone application that builds and runs a customized PowerShell script. What won't work is getting it to run in an elevated session. I always end up with Access denied.
Can I somehow self-elevate it by just having the admin credentials?
No you cannot. UAC is designed to prevent exactly what you are trying to do. Related Q&A:
elevate without prompt - verb runas start-process
UAC Getting in the Way of EXE Install Powershell
Powershell provide credentials for RunAs
There may be many workarounds, but they all have in common that you have to go to your machines (locally or remotely) at least once, gain administrative privileges and prepare something, e.g.:
A scheduled task that runs under your local administrator account or under SYSTEM and triggers the execution of your script
Disabling UAC (temporarily) (not recommended either way)
Installing any remote management software, services or accounts (with the extra "log on as a batch job" privilege)
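What the first of those workarounds looks like in practice, as an added example that is not part of the answer above: run this once from an elevated prompt on the device (the one administrative touch the answer says you cannot avoid). It registers a scheduled task that runs as SYSTEM at every logon and executes the same MDM_DevDetail_Ext01 query from the question, writing the result where a standard user can read it. The task name, the output folder under ProgramData and the CSV column names are assumptions chosen for this example.

```powershell
# Added example (not from the original post): one-time elevated setup so the
# Autopilot hardware-hash query later runs as SYSTEM without any UAC prompt.
# Assumptions: output folder C:\ProgramData\AutopilotInfo, task name CollectAutopilotInfo.

$taskName = 'CollectAutopilotInfo'
$outDir   = 'C:\ProgramData\AutopilotInfo'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# The collector: the query from the question (only works elevated), plus the
# identifiers Autopilot registration wants next to the hash.
$collector = @'
$d    = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
            -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
[pscustomobject]@{
    'Device Serial Number' = $bios.SerialNumber
    'Windows Product ID'   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductId
    'Hardware Hash'        = $d.DeviceHardwareData
    'Manufacturer'         = $cs.Manufacturer
    'Model'                = $cs.Model
} | Export-Csv -Path "$env:ProgramData\AutopilotInfo\$env:COMPUTERNAME.csv" -NoTypeInformation
'@
$scriptPath = Join-Path $outDir 'collect.ps1'
Set-Content -Path $scriptPath -Value $collector -Encoding UTF8

# Lock the script down. SYSTEM will execute whatever is in this file, so a standard
# user must not be able to edit it (that would be a local privilege escalation).
# SIDs instead of names so this is locale-independent: S-1-5-18 SYSTEM,
# S-1-5-32-544 Administrators, S-1-5-32-545 Users (read/execute only).
icacls $scriptPath /inheritance:r /grant:r '*S-1-5-18:(F)' '*S-1-5-32-544:(F)' '*S-1-5-32-545:(RX)' | Out-Null

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$trigger   = New-ScheduledTaskTrigger -AtLogOn     # any user's logon, no admin needed to fire it
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
    -Trigger $trigger -Settings $settings -Force | Out-Null

# Run it once now and show the result.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 15
Import-Csv (Join-Path $outDir "$env:COMPUTERNAME.csv") | Format-List
```

The ACL step is the part people skip: a task that runs a world-writable script as SYSTEM turns the onboarding helper into an elevation path for whoever sits at the keyboard.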
SCCM is the method we use to deploy Windows updates to clients. We have a portion of computers that have a local group policy setting under:
Local Computer policy > Administrative Templates > Windows Components > Windows update
The setting is called "Specify intranet Microsoft update service location"
Basically the WUAHandler.log is complaining of:
Enabling WUA Managed server policy to use server: http://servername.domain.local:8530
Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://servername.domain.local:8531 and Policy ENABLED
Failed to Add Update Source for WUAgent of type (2) and id ({C2F93D44-EAB3-4D5E-9330-7806157D92AD}). Error = 0x87d00692.
I can see that for whatever reason SCCM is not modifying the local group policy and it's causing a conflict.
The PCs that have no issue have both the local group policy and the policies under HKLM > Policies > WindowsUpdate with the correct name (with port 8531).
I am basically asking how I can change the "Specify intranet Microsoft update service location" setting using PowerShell or an automated method to remediate the 300 PCs that have a mismatched port number. Modifying the HKLM keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate I've already taken care of, but this is not doing anything to resolve my issue.
any help would be appreciated.
There are many articles all over the web on using PowerShell for local policy management. Just search for them using a string like 'PowerShell manage local policy' and you will get a long list to consume.
There is even a module on the MS PowerShellGallery.com for local policy management.
Find-Module -Name 'PolicyFileEditor' |
Save-Module -Path "$env:USERPROFILE\Documents\WindowsPowerShell\Modules" -Force
Install-Module -Name 'PolicyFileEditor'
And its use is blogged about here:
How to manage Local Group Policy with Powershell
You can even just use secedit.
Take a look at this Q&A.
So, sure, you can mess with Local Policy, but if your SCCM settings are getting overridden by a higher authority, then any setting you'd make with PowerShell would be as well.
Please make sure that in the case of SCCM/MECM or installations running as the system user (NT AUTHORITY\SYSTEM) you do not use -Scope CurrentUser, otherwise you will have the same problem as described here: https://github.com/PowerShell/PowerShellGetv2/issues/651
In a system context, Install-Module does not create a Documents folder in the system profile if -Scope CurrentUser is used.
If you want to use -Scope CurrentUser anyway, you have to create the folder "C:\Windows\system32\config\systemprofile\Documents\PowerShell\Modules", or at least "C:\Windows\system32\config\systemprofile\Documents", first, so that the module is installed for the system user.
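The PolicyFileEditor approach from the answer above, combined with the -Scope caveat from the comment, as an added example that is neither the module's own documentation nor code from either post: it rewrites the "Specify intranet Microsoft update service location" values in the local GPO's registry.pol rather than only in HKLM (which Local Group Policy rewrites from registry.pol on the next refresh), then checks the effective value. The WSUS URL is the https://servername.domain.local:8531 from the question; the script is assumed to run elevated, possibly as SYSTEM under SCCM, which is why the module is installed for all users.

```powershell
# Added example (not from the original posts or the PolicyFileEditor project):
# set the WSUS location in the local GPO via PolicyFileEditor and verify the result.
# Assumptions: WSUS at https://servername.domain.local:8531, running elevated/as SYSTEM.

if (-not (Get-Module -ListAvailable -Name PolicyFileEditor)) {
    # -Scope AllUsers: in the SYSTEM context CurrentUser has no Documents folder to install into.
    Install-Module -Name PolicyFileEditor -Scope AllUsers -Force
}
Import-Module PolicyFileEditor

$wsus  = 'https://servername.domain.local:8531'
$pol   = Join-Path $env:windir 'System32\GroupPolicy\Machine\registry.pol'
$wuKey = 'Software\Policies\Microsoft\Windows\WindowsUpdate'

# What the local GPO says today (the mismatched 8530 entries on the affected PCs).
if (Test-Path $pol) {
    Get-PolicyFileEntry -Path $pol -All |
        Where-Object Key -like "$wuKey*" |
        Select-Object Key, ValueName, Data
}

# The three registry values behind that ADMX setting. Set-PolicyFileEntry also bumps
# the version in gpt.ini so the client reapplies the local policy.
$entries = @(
    @{ Key = $wuKey;      ValueName = 'WUServer';       Data = $wsus; Type = 'String' }
    @{ Key = $wuKey;      ValueName = 'WUStatusServer'; Data = $wsus; Type = 'String' }
    @{ Key = "$wuKey\AU"; ValueName = 'UseWUServer';    Data = 1;     Type = 'DWord'  }
)
foreach ($e in $entries) {
    Set-PolicyFileEntry -Path $pol @e
}

# Apply and compare the effective registry value with what the domain policy pushes.
gpupdate /target:computer /force | Out-Null
$effective = (Get-ItemProperty -Path "HKLM:\$wuKey" -ErrorAction SilentlyContinue).WUServer
if ($effective -ne $wsus) {
    Write-Warning "Effective WUServer is '$effective'; a higher-authority GPO still sets a different value."
} else {
    "Local and effective WUServer now both point to $wsus"
}
```

If the warning fires, the answer's closing point applies: the domain-level policy wins regardless of what the local GPO contains, and the fix belongs in that GPO rather than on the 300 endpoints.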
I'm looking to write a PowerShell script to verify the security configuration of MSMQ on some of our servers, e.g. the contents of the Security tab when I run compmgmt.msc, then go to Computer Management (local) -> Services and Applications -> Message Queueing, then right-click -> Properties -> Security tab.
Note that this is not the same as service security (which I'm aware I can retrieve via Get-WmiObject -Query 'SELECT * FROM win32_service' | % PathName | Get-Acl).
MSMQ apparently has its own unique ACL set and custom permissions which I want to query to ensure that certain service principals have the correct permissions as part of a release script.
Does anybody know how to access these custom permissions ON WINDOWS SERVER 2008? I'm also aware that there's an MSMQ PowerShell module, but it's only available in 2012 and later versions of Windows Server.
You can import the System.Messaging assembly and use the .NET methods directly. You can find a code example here on SO...
Salam everybody,
I need help to learn how to install, configure and manage DNS using only PowerShell on Windows 2008.
This should get you started.
Installing the DNS Server role via PowerShell
Open an elevated PowerShell window and enter the following commands.
Import-Module Servermanager
Add-WindowsFeature 'DNS' -restart
For a more general guide about installing server roles via PowerShell, take a look at this page: Adding Server Roles and Features
On that page, just Ctrl+F for PowerShell.
Configuring the DNS Server role via PowerShell
Since configuration is a very general topic, here's the link to the documentation:
Domain Name System (DNS) Server Cmdlets
You can list all the available commands with Get-Command -Module DnsServer
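A minimal configuration pass with the DnsServer cmdlets the answer links to, as an added example that is not part of the answer: create a zone, add records, restrict zone transfers, and set forwarders. One caveat the answer does not spell out: the DnsServer module ships with Windows Server 2012 and later, so on the Windows Server 2008 box from the question the role can be installed with Add-WindowsFeature as shown, but configuration has to go through dnscmd.exe instead of these cmdlets. The zone name corp.example, the host app01 at 10.0.0.10, the secondary 10.0.0.53 and the forwarders 10.0.0.2/10.0.0.3 are placeholders for this example.

```powershell
# Added example (not from the original answer): build out a DNS server with the
# DnsServer module (Windows Server 2012+; not available on 2008, use dnscmd.exe there).
# Assumptions: zone corp.example, host app01 10.0.0.10, secondary 10.0.0.53,
# forwarders 10.0.0.2 and 10.0.0.3. Run from an elevated PowerShell on the DNS server.

Import-Module DnsServer

$zone      = 'corp.example'
$secondary = '10.0.0.53'

# 1. File-backed primary zone with dynamic updates off. For an AD-integrated zone
#    use -ReplicationScope Domain and -DynamicUpdate Secure instead of -ZoneFile.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None
}

# 2. Records.
Add-DnsServerResourceRecordA     -ZoneName $zone -Name 'app01' -IPv4Address '10.0.0.10'
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www'   -HostNameAlias "app01.$zone"

# 3. Hardening that is easy to forget: only the named secondary may pull the zone.
#    The installer default on a new zone allows transfer to any server listed in NS
#    records, and an open AXFR hands out the whole host inventory.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers -SecondaryServers $secondary

# 4. Forwarders for everything this server is not authoritative for. On an
#    Internet-facing authoritative-only server disable recursion instead
#    (Set-DnsServerRecursion -Enable $false) so it cannot be used as an amplifier.
Set-DnsServerForwarder -IPAddress '10.0.0.2', '10.0.0.3' -UseRootHint $false

# 5. Verify from the server itself.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, ZoneType, DynamicUpdate, SecureSecondaries, SecondaryServers
Resolve-DnsName -Name "www.$zone" -Server localhost -Type CNAME
```

For the 2008 server the equivalent steps are dnscmd /ZoneAdd, /RecordAdd, /ZoneResetSecondaries and /ResetForwarders; the security decisions (no open transfers, no open recursion) are the same whichever tool applies them.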