How to reset MFA with powershell and test it? - powershell

I'm looking for a way to reset the MFA for a specific user. Right now I'm using the command
Reset-MsolStrongAuthenticationMethodbyUpn -UserPrincipalName $user
However I don't think this is working properly. Here is my code:
Connect-MsolService -Credential $Cred
$user = "user@test.com"
Reset-MsolStrongAuthenticationMethodbyUpn -UserPrincipalName $user
Then, to check if the MFA was reset I do:
$userMFA = Get-MsolUser -UserPrincipalName $user |select -ExpandProperty StrongAuthenticationUserDetails
$userPhoneNumber = $userMFA.PhoneNumber
But the phone number is still there and isn't erased.
Am I testing this right? Maybe there is another way to check if the MFA was reset; I just don't know another way to test it. Does anyone know if there is a better way to check if the code worked (through PowerShell or not)?
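As an added example (not code from the question or from any answer on this page), a helper that runs the same reset and then checks the registered methods before and after, rather than the phone number in StrongAuthenticationUserDetails. It assumes the MSOnline module's Get-MsolUser exposes the registered methods in its StrongAuthenticationMethods property and that Connect-MsolService has already been run; the function name and the UPN are placeholders.

```powershell
function Reset-AndVerifyMsolMfa {
    # Assumes Connect-MsolService has already been run for the tenant.
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName
    )

    $before = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # Registered methods (authenticator app, phone, OATH token, ...) are listed in
    # StrongAuthenticationMethods; StrongAuthenticationUserDetails only holds contact
    # details and is reported here for comparison, not as the success criterion.
    $methodsBefore = @($before.StrongAuthenticationMethods).Count

    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $UserPrincipalName

    # Re-read the object: the $before copy is a snapshot and does not reflect the reset.
    $after = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $methodsAfter = @($after.StrongAuthenticationMethods).Count

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        MethodsBefore     = $methodsBefore
        MethodsAfter      = $methodsAfter
        PhoneNumberAfter  = $after.StrongAuthenticationUserDetails.PhoneNumber
        ResetSucceeded    = ($methodsAfter -eq 0)
    }
}

# Constructed example call; the UPN is a placeholder.
Reset-AndVerifyMsolMfa -UserPrincipalName "user@test.com"
```

A user with MethodsAfter of 0 will be prompted to register MFA again at next sign-in, which is the observable effect of the reset.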

Related

Trying to launch a script from a script, as a different user

I've been banging my head against a wall for far too long on this issue.
I'm attempting to launch a script from a GUI script. The idea is that a user will use their non-admin account, and have the script pass off their admin credentials to a script that does the actual work.
I've tried to use Invoke-Command and Start-Process with little to no success. I can either get the script to launch as admin, or pass parameters, but not both. The idea is that I collect a bunch of information about a user (name, job title, phone number etc) in a GUI form and pass those off to a script that will create a new account for that user.
I've tried the following lines to get this to pass off correctly, but I think I need way more eyes on the problem.
Invoke-Command -Credential { .\create-newuser.ps1 -givenname $Givenname -Surname $Surname } -Computername 'LocalHost'
#Many parameters excluded for simplicity.
And
Start-Process -filename pwsh -argumentlist ".\create-newuser.ps1 -Givenname $Givenname -Surname $Surname" -Credential $Creds
#Many parameters excluded for simplicity
Any help or advice would be greatly appreciated.

Why can I pass credentials to a regular user but not a local administrator?

So basically I've been working forever on a PS remote self help script that originally was thought to be simple: Restart the spooler service, clear the queue, and print a test page on the default printer. Getting there however hasn't been so easy, due to security issues. After some hours, I was able to get my local user test account to accept the credentials of my domain administrator. I thought all was well, until I tried to replicate it on a local administrator's account, in which event access was denied. This is sort of important, because the majority of the accounts we will be deploying the script on are local admins. I suspect it may be a UAC issue, but I have no idea what I should do to work around the problem. Here's what I'm working with currently:
# True if the current token carries the Builtin\Administrators SID (S-1-5-32-544)
$v = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")
If (-not $v)   # comparison, not the assignment `$v = "False"`, which is always true
{
    # Placeholder credential; a plaintext password in a script belongs in a stored secret instead
    $password = "ElPassword" | ConvertTo-SecureString -AsPlainText -Force
    $username = "Domainname\Username"
    $credential = New-Object System.Management.Automation.PSCredential($username,$password)
    Invoke-Command {Stop-Service spooler} -ComputerName $env:ComputerName -Credential $credential
    Remove-Item C:\Windows\System32\spool\PRINTERS\* -Force
    Invoke-Command {Start-Service spooler} -ComputerName $env:ComputerName -Credential $credential
    $printer = Get-WmiObject -Query "SELECT * FROM Win32_Printer WHERE Default=$true"
    $PrintTestPage = $printer.PrintTestPage()
}
Else
{
    Stop-Service spooler
    $printer = Get-WmiObject -Query "SELECT * FROM Win32_Printer WHERE Default=$true"
    Start-Service spooler
    $PrintTestPage = $printer.PrintTestPage()
}
The first thing this does is check if the current PS session is being run as admin; seeing as the users don't actually see the PowerShell window or script, and we recently started using the RMM tool, I'm still trying to figure out under what conditions the tool runs PS elevated - the documentation says that it runs with the credentials of the logged-in user, but that doesn't seem to be the case, as an hour with their support team told me that the reason the script wasn't doing its job on any admin accounts was because it wasn't being elevated. Anyways, after the check, it either passes credentials for the commands or it doesn't. This script seems to handle every scenario but that of a local admin account running PS non-elevated. In that event, it simply denies me access where the exact same creds give me access on a regular user account. I'm not sure how to even approach this problem, so any help is appreciated.

Unlocking an AD user with Powershell

I’m new to Powershell and am struggling to make a script work. I’ve read many articles here on Overflow and elsewhere and don’t see what I’m doing wrong. Any help would be appreciated.
I'm trying to create a script that will unlock an AD user remotely while I'm logged-on to may computer as a local admin. Here's my script:
Import-Module ActiveDirectory
New-PSSession -ComputerName <RemoteComputerName> -Credential <DomainAdminCredential>
Import-Module ActiveDirectory
Unlock-ADAccount
Read-Host "Press any key"
I try to execute this from my computer logged-on as a local admin, but pass domain admin credentials. The script is run as an administrator in Powershell. After I enter my domain password and indicate which user I want to unlock, the message I get is: “Insufficient access rights to perform the operation”.
If I run this code interactively in Powershell, line by line, it will unlock the account. If I run a script asking only to see if the user is locked, it will give me an answer. If I run the above script from my computer logged-on as the domain admin, it will run and unlock the user.
I don’t understand why it will not run when I’m logged-on as local admin, given that I’m passing domain admin credentials. Any help would be appreciated.
You're creating a PSSession, but not using it. Try something like this (untested):
$computer = "test1"
$cred = Get-Credential
$user = Read-Host "User to unlock"
$sess = New-PSSession -ComputerName $computer -Credential $cred
Invoke-Command -ScriptBlock { param($ADuser) Import-Module ActiveDirectory; Unlock-ADAccount -Identity $ADuser } -ArgumentList $user -Session $sess
Read-Host "Press any key"
Although you could create a PSSession, if you have RSAT installed and have access to the ActiveDirectory module there is no need to do that. Instead, just use the credential parameter on each AD cmdlet. For instance, to unlock a user account using alternate credentials, use the following:
Unlock-ADAccount -Identity username -Credential (get-credential)

Access Denied - Powershell

I'm having a bit of a weird problem.
At my company we use separate admin accounts for all AD modification purposes (e.g. if my normal AD ID is User01 then my admin account would be something like User01_adm -> this has the modification rights over AD users / groups). Now, I can make changes like, say, changing the login script from the ARS web console using my adm account, but if I use the same in a PowerShell script I get "Access denied" [System.UnauthorizedAccessException]. Is there a difference between the way these are both set up (web console & PowerShell console)?
I'm using below part for connecting to ARS server with my adm credentials:
#Connect to ARS server
$GetCreds = Get-Credential -Credential $null
$ConnectARS = Connect-QADService -Service $ArsServer -Proxy -Credential $GetCreds
#make changes
$PopulateData = Set-QADUser -Identity $UserID -Credential $GetCreds -ObjectAttributes @{scriptPath=$LogonScr}
Can anyone please point out what I am doing wrong?
Any help would be highly appreciated...
I've nowhere to try it, but shouldn't it be:
#Connect to ARS server
$GetCreds = Get-Credential -Credential $null
$ConnectARS = Connect-QADService -Service $ArsServer -Credential $GetCreds
#make changes
$PopulateData = Set-QADUser -Identity $UserID -Connection $ConnectARS -ObjectAttributes @{scriptPath=$LogonScr}
OK, got it figured out; it was too simple:
it was merely the -Proxy switch missing in the Set-QADUser statement.
Working fine now, thanks all for the help :)

set-aduser takes too long

I have written a script to update a lot of users in Active Directory. It is taking about 10 seconds to run the update, and that seems like too long.
Here is my command:
Set-ADUser $userName -StreetAddress $address1 -Server "MyWickedCoolServerName"
I also tried something like this:
Set-ADUser $userName -Replace @{st=$address1} -Server "MyWickedCoolServerName"
As you can see I have to specify the server each time since we don't have the default one set up, could this be causing the issue? Also, I am running this script remotely on my pc which is not on the domain, so I have to use "runas" to run powershell and have access to AD. Could that be causing the issue?
Any suggestions on what I can look at to see where the performance issue is?
Your command will not work, because your computer is not joined to the Active Directory domain. Since you said that your computer is not domain-joined, you will have to use the -Credential parameter of the Set-ADUser command in order to run it successfully.
$Credential = Get-Credential;
Set-ADUser -Identity $userName -StreetAddress $address1 -Server MyWickedCoolServerName -Credential $Credential;