Remote Access to Domain Controller Security Events - powershell

I would like to pull Security events from two Domain Controllers remotely to audit use of an account and to provide guidance for account lockouts.
Locally on the DC my Powershell works fine provided Powershell is run with Elevated privileges.
Remotely having added the account used to the AD "Builtin" folders security group "Event log readers", i can access events other than Security events remotely. However a line like below does not work for Security Events. Zero events are returned.
$events = Invoke-Command -ComputerName $dc -Credential $cred -scriptblock {Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[#Name='TargetUserName']=`'$account`']]"}
Tips appreciated how i get past the need for elevated privileges remotely ?

you can use the paramters ComputerName and Credential with the Cmdlet Get-WinEvent and query the events like this:
$events = Get-WinEvent -ComputerName $dc -Credential $cred -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[#Name='TargetUserName']=`'$account`']]"
or - if you stick to Invoke-Command you have to use $using:account instead of $account within the ScriptBlock (like #Mathias said in the comment) to send that local variable to the remote host
$events = Invoke-Command -ComputerName $dc -Credential $cred -scriptblock {Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[#Name='TargetUserName']=`'$using:account`']]"}

Related

Run Get-ClusterGroup on remote server using Central server

I have a centralized server from which i can run the following PowerShell command to get the clustergroup of cluster servers.
Enter-pssession -computername (ip-address) -credential (domain user)
And it prompts me to enter password then i get the session and execute
get-clustergroup
Okay till this it is fine.
Now i wanted to make this fully automated by converting in to a PowerShell script
The following commands works well when i run it in Powershell ISE and gets me the output of get-clustergroup
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$user = "domain\user"
$cred = New-Object System.Management.Automation.PSCredential ($user,$password)
Enter-PSSession -ComputerName IP.Add.RE.SS -Credential $cred
get-clustergroup
but when i save the about script and run with PowerShell i get the following error.
get-clustergroup: the cluster service is not running
I want to automate the process by writing script to get get-clustergroup output of four cluster servers.
i am new to PowerShell scripting. how can i save the output?
Instead of creating a session to the other server, you can run the following which will run the command on the remote computer and return the output to your console:
Invoke-Command -ComputerName <IPAddress> -ScriptBlock { Get-ClusterGroup } -Credential $cred
You can store that output into a variable if you wish for future retrieval.
Since -ComputerName can accept an array object, you can modify your command to include all four of your servers. Below shows how to use all of your computer names and store the output in the variable $Output:
$Output = Invoke-Command -ComputerName "Server1","Server2","Server3","Server4" `
-ScriptBlock {Get-ClusterGroup} -Credential $cred
$Output
Your computer names could also be stored in a variable as an array. Then that variable can be used in your -ComputerName parameter:
$Computers = "Server1","Server2","Server3","Server4"
Invoke-Command -ComputerName $Computers -ScriptBlock { Get-ClusterGroup } -Credential $cred
See Invoke-Command for more information.

Couldn't use Get-WinEvent from remote computer in VLAN

The remote computer are Win-10 VM in a VLAN.
We only have a few ports open in VLAN, including 3389 for Remote Desktop, 5985 & 5986 for powershell.
Remote Desktop works well.
But I couldn't to use powershell to remote debug on those computers,
If I run
Get-WinEvent -LogName System -Credential domain\test_user -ComputerName 10.100.155.1
I get this error
Get-WinEvent : The RPC server is unavailable
If I use invoke-command to execute the same script,
Invoke-Command -ComputerName 10.100.155.1 -Credential domain\test_user -ScriptBlock {Get-WinEvent -LogName System -Credential domain\test_user -ComputerName 10.100.155.1}
I will get another error:
[10.100.155.1] Connecting to remote server 10.100.155.1 failed with the following error message : Access is denied.
I have tried many solutions on internet, unfortunately, none is working. For example, I have checked if the services are running, if the firewall allows remote event management on remote computer, they looks alright.
Any idea where could be wrong?
Your problem is two-fold.
You cannot use WinRM (Invoke-Command) with an IP address. It uses Kerberos and Kerberos requires a DNS name.
You're passing your credentials and computername twice.
This should work without a problem:
$InvokeArgs = #{
ComputerName = 'Computername.domain.com'
Credential = (Get-Credential -Credential domain\test_user)
ScriptBlock = { Get-WinEvent -LogName System }
}
Invoke-Command #InvokeArgs
Access Denied is an Authentication Issue, double check your username and password.
I was working on a similar problem, trying to fetch count of system logons. Here's what worked for me:
$fetchEvents = { Get-WinEvent -FilterHashtable #{
Logname='system'
ProviderName='Microsoft-Windows-Winlogon'
StartTime=(get-date).AddDays(-10)
ID = 7001
} | Format-Table -Property TimeCreated, UserID, ID, MachineName }
Invoke-Command -ComputerName $ServerList -Credential $creds -ScriptBlock $fetchEvents

Invoke-Command behavior clarification

I'm running into some trouble with the Invoke-Command cmdlet. I am logged into my local machine with my domain identity, which has admin rights on $server. If I manually enter my credentials, then use Invoke-Command, I get the error:
Cannot open Service Control Manager on computer ''. This operation might require other privileges.
# Works
Get-Service -ComputerName $server-ErrorAction Ignore
# Doesn't work
$cred = Get-Credential
Invoke-Command -ComputerName localhost -ScriptBlock {param($serverIPAddress) Get-Service -ComputerName $server -ErrorAction Ignore} -Credential $cred -ArgumentList $server
Is there something special about the built-in credentials that makes this work?
This is the classic kerberos double-hop.
The special thing that's happening is that the local computer has your credentials. It can talk to a remote computer and prove it has the credentials, without ever sending them.
However if the remote computer needs to access something on a third computer (second hop), it cannot prove it has the credentials (because it doesn't), so it cannot authenticate.
This is Kerberos working as designed.
Using Invoke-Command to localhost is still doing a remoting connection, so it still counts as a hop. The Get-Service call is a second hop.
Consider:
Invoke-Command -ComputerName $server -ScriptBlock { Get-Service -ErrorAction Ignore } -Credential $cred
That will work (as long as powershell remoting is enabled on the remote machine).
Otherwise, you need to enable kerberos delegation, or CredSSP, or (best if possible) rework whatever you're doing to not require a double hop.
Be wary of CredSSP (and delegation in general).

Powershell (Version 2.0) remote execution of services with credentials

I want to start/stop apache and mysql services on remote machine by using powershell version 2.0 (Windows Server 2008). I found syntax for remote execution as follow:
(Get-WmiObject -Computer myCompName Win32_Service -Filter "Name='myServiceName'").InvokeMethod("Stop-Service",$null)
But I have to provide credentials (DOMAIN_NAME\USERNANE and PASSWORD) also for this exceution. I am new to powershell and need help for correct syntax (example will be easy to understand and implement).
Get-WMIObject accepts the -Credential parameter. You shouldn't be keeping your credentials in plain text in your script, so you'll want to prompt for them.
$creds = get-credential;
(Get-WmiObject -Computer myCompName Win32_Service -Filter "Name='myServiceName'" -credential $creds).InvokeMethod("Stop-Service",$null)
If you have PSRemoting enabled on the remote system, you can do this without WMI.
$creds = get-credential;
Invoke-Command -computername myCompName -credential $creds -scriptblock {(get-service -name myServiceName).Stop()};
Update based on comments
Since you're running this as a scheduled job, you should not be storing or prompting for credentials at all. Configured the scheduled job itself (via Scheduled Tasks) to run under the required user account, then either of the following should work:
# Your original code
(Get-WmiObject -Computer myCompName Win32_Service -Filter "Name='myServiceName'").InvokeMethod("Stop-Service",$null)
# If you have remoting enabled
Invoke-Command -computername myCompName -scriptblock {(get-service -name myServiceName).Stop()};

Get-WmiObject with credential fails when within Start-Job scriptblock

I am successfully retrieving some information from Windows 2000 machines using the Get-WmiObjet cmdlet. These machines are not part of our domain so I am using the -Credential parameter to pass local administrator credentials.
I am now trying to run several WMI queries in parallel using Start-Job but I can't get even one query to work.
When I run the following:
Start-Job -initializationscript {$cred = get-credential -credential administrator} -scriptblock {gwmi win32_computersystem -ComputerName 10.1.2.3 -Credential $cred}
a job is created, I am prompted for the credentials, but the job never completes, its state is always "Running".
Of course:
C:\>$cred = Get-Credential -credential administrator
C:\>gwmi win32_computersystem -ComputerName 10.1.2.3 -Credential $cred
works just fine.
How do I get Get-WmiObject to run successfully within Start-Job with alternate credentials?
Thanks for your help.
Try this:
$cred = Get-Credential -Credential Administrator
Start-Job -scriptblock {Param ($cred) gwmi win32_computersystem -ComputerName 10.1.2.3 -Credential $cred} -ArgumentList $cred
Looks like the background job is blocked for input and has been running forever for that reason.