I have to query my Active Directory from another windows server using PowerShell through LDAP. I got LDAP connection details, port number, login credential. However, after googling for hours I couldnt find a soultion to connect PowerShell to LDAP. I tried below cmdlet but all returned the error "the term ** is not recognised as the the name of a cmdlet".
New-AdfsLdapServerConnection
Test-LDAPConnection
Can someone please help. I want to connect to my LDAP and run a simple command like
Get-ADGroup -Filter 'Name -like "Sec-abc-xyz-123-U"'
later I want to write my full Powershell script and then use Task scheduler to automate my powershell script. Can someone please let me know how I could connect to LDAP?
As #Santiago Squarzon suggested, you need to install RSAT to use the AD PS Module
Related
I am attempting to automate the Skype for Business Server installation process in Powershell, I have a script that remotes into specified machines and begins preparing them as Front-End servers. The problem lies when certain SfB cmdlets (SfB commands are all of the form "verb-Cs...", ex. Get-CsUser or Get-CsPool) are run in remote sessions, they throw the double-hop error:
Exception: Active Directory error "-2147016672" occurred while searching for domain controllers in domain...
This is after running Enable-CsComputer, which enables the computer's role-based off its definition in the topology (topology was published successfully). The user object is in all required groups (RTCUniversalServerAdmins, Schema Admins, CsAdministrators & Local Admin rights on all SfB Servers). Oddly enough, the command 'Import-CsConfiguration -localstore" does not throw errors, and it's in the same remote session. There may be other local or domain groups that I need to be in, but I cannot pinpoint exactly which and have not seen them documented in the Skype build guides. Skype commands that have parameters to specify targets or just pull data, such as Get-CsPool or Get-CsAdForest, do not have errors because they are run in the local scope. The Enable-CsComputer has no parameter for the computer name, it has to be executed from that machine itself.
Enabling CredSSP delegation on each server is not an option, and I'm not understanding why there is a "second hop" in this command! If the second hop was a resource on a file server or database, that would make sense, and be easy to solve, but in this case, I can't track it. Can anyone tell me what I may be missing?
Here's a code sample to try and illustrate. From the jumbox I get the pool data to create an array, and a session is opened to each machine:
$ServerArray =get-cspool -identity $poolName
$i=0
$SessionArray = #{}
foreach($server in $ServerArray.Computers){$SessionArray[$i] = new-PsSession -ComputerName $server}
foreach($session in $SessionArray.values){
invoke-Command -session $session -scriptBlock {
#remote commands:
import-csConfiguration -<config file path> -localstore; #no errors
enable-CsReplica; #no errors
enable-cscomputer; #double hop error here
}}
If I log into that machine and run the same command, it executes fine but the intention of the project is to automate it on an arbitrary number of machines.
It looks like it's just trying to authenticate to a domain controller, which is reasonable. You'll have to approach this like any other double-hop issue.
Microsoft has an article dedicated to the double hop issue, and has a few solutions other than CredSSP that you can look at: Making the second hop in PowerShell Remoting
I've been trying to find a way to enter the username, password and token code for the Office 365 shell directly into the terminal and not have the normal secondary GUI window pop-up. Currently I have a basic script that logs in with:
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA + "\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse).FullName | Where-Object {$_ -notmatch "_none_"} | Select-Object -First 1)
Connect-MSOLService
Import-PSSession (New-ExoPSSession -UserPrincipalName USER#domain.tld) -AllowClobber -DisableNameChecking
Is it even possible to use strictly the TUI over the GUI for entering credentials?
Don't guess at how to do X or Y. It will just lead you down a very frustrated path. Always look to the help files and online docs.
What you are trying to do is a common practice, these days, and fully documented from Microsoft and many other web resources. There are specific module to assist with this use case.
Connect to Exchange Online PowerShell using multi-factor authentication
Connect to Exchange Online PowerShell by using MFA
1.On your local computer, open the Exchange Online Remote PowerShell Module ( Microsoft Corporation > Microsoft Exchange Online Remote
PowerShell Module).
2.The command that you need to run uses the following syntax:
Connect-EXOPSSession -UserPrincipalName <UPN> [-ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri>]
Connect to Office 365 PowerShell
Step 2: Connect to Azure AD for your Office 365 subscription
> To connect to Azure AD for your Office 365 subscription with an
account name and password or with multi-factor authentication (MFA),
run one of these commands from a Windows PowerShell command prompt (it
does not have to be elevated).
Exchange Online PowerShell Module has been around since circa 2016 from the MFA PowerShell team
There is even a script from the gallery, that specifically for EXO using MFA.
Connect to Exchange Online PowerShell using multi-factor authentication (MFA)
If you want to use multi-factor authentication (MFA) to connect to
Exchange Online PowerShell, you can't use the instructions at regular
Connect to Exchange Online PowerShell to use remote PowerShell to
connect to Exchange Online.
Download : MFA.ps1
I am trying to start a service on a remote computer using the following command on the cmdlet:
(Get-WmiObject -computer atl-fs-01 Win32_Service -Filter "Name='Alerter'").InvokeMethod("StartService",$null)
When I run the command I get the error Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). After some research it appears I need to set my username and password, but I cannot find anything that allows me to set these prior to accessing the remote computer. I also plan on making a script for this so I don't have to type out everything on the command line. PowerShell code for setting user and password would be helpful as well. Thanks.
You need to pass in the credential object (created with Get-Credential) using the "-Credential" switch.
See this MSDN article for more information and an example.
Chapter 13 (page 502) of Bruce Payette's (UTTERLY AWESOME) "Windows Powershell in Action, Second Edition" comprehensively covers configuration of remote Powershell admin. If you've not already asked Santa for a copy of this wonderful book, DO SO NOW! :)
In case you are in a hurry:
MSDN (and other sources) have some good documentation on how to
Enable remoting to a remote server
Connect from your local server to your remote server & execute commands
HTH.
I am having trouble accessing a shared network location while within a PowerShell remote session.
From the PowerShell prompt, I enter a new session:
Enter-PSSession server1
The session is properly created and entered. I then attempt to list the contents of the share:
dir \\server2\share1
The response is this error:
Get-ChildItem : Cannot find path '\\server2\share1' because it does not exist.
However, if I remote desktop into server1, bring up PowerShell, and execute the very same dir command, the contents are correctly listed.
I've tried various things using credentials, but that doesn't seem to fix it. I've also confirmed via the "whoami" command that I have the same identity in both examples.
What would cause this?
If you can't use credential delegation as mentioned above, you can mount (or just authenticate as below) the remote share in the remote session using explicit credentials, e.g.
[server1] ps> net use \\server2\share * /user:username
(prompts for password)
[server1] ps> dir \\server2\share
(listing)
This problem has nothing to do with powershell per-se; you are trying to replay your local credentials in a remote session to a third location and falling foul of the NTLM "double hop" limitation.
Read the section "Credential Delegation"
Here - Credit to Keith Hill
and perform the steps if you have not already done so.
Another option is kerberos resource delegation
eg:
$server_name = "my-server" $servers = #(get-adcomputer -identity $server_name)
$target = "target-server" $tgt_srv = get-adcomputer -identity $target
Set-ADComputer -Identity $to_delegate -PrincipalsAllowedToDelegateToAccount $servers
My network card is rubbish and until I get a new one I need a quickfix. My idea was to have a program ping my router and when the ping failed 3 or 4 times, it would reset the network adaptor for my wifi card, however I do not know the command line commands to do this!
I found the following in a stackoverflow question:
$adaptor = Get-WmiObject -Class Win32_NetworkAdapter | Where-Object {$_.Name -like "*Wireless*"}
$adaptor.Disable()
$adaptor.Enable()
However to run this the script needs to be running under admin privileges and I do not know how to fix that without manually launchign powershell to execute the script
This post shows how to elevate PowerShell scripts to Administrator access:
Elevate Powershell scripts
To do it, you create a scheduled task (without a set schedule), and set it to run elevated. Then, give your users rights to execute that task. This blog post describes the process in more detail:
http://huddledmasses.org/vista-setuid-how-to-elevate-without-prompting/
In addition, here is a blog post that goes over the Win32_NetworkAdapter class, and how to use it in PowerShell, in detail:
Using PowerShell to Manage Network Interfaces and Windows Services
http://rickgaribay.net/archive/2008/09/26/using-powershell-to-manage-network-interfaces-and-windows-services.aspx