I'm running an Ubuntu EC2 instance with Pwsh installed to remote execute AD commands on one of our servers. 2sd hop is set-up correctly and i'm able to run AD commands but when executing my script i get the following error (Scripts works fine directly on the 2sd hop machine):
The search filter cannot be recognized
+ CategoryInfo : NotSpecified: (:) [Get-ADUser], ADException + FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADUser
+ PSComputerName : corpmaint02
#!/usr/bin/pwsh
$employeeEmail = 'myemail#contoso.com'
$session = New-PSSession -ComputerName corpmaint02 -ConfigurationName corpmaint02 -Credential contoso\myadminaccount
Invoke-Command -Session $session -ArgumentList $employeeEmail -ScriptBlock{
Get-ADUser -Filter "EmailAddress -eq '$employeeEmail'" -Properties EmailAddress | Disable-ADAccount
Write-Host $employeeEmail has been 'disabled.'
}
Remove-PSSession -ID $session.ID
[GC]::Collect()
Any help would be appreciated.
Update: new code:
#!/usr/bin/pwsh
$cred=Get-Credential domain\myadmin
$employeeEmail = 'myemail#contoso.com'
Invoke-Command -ComputerName corpmaint02 -Credential $cred -ConfigurationName corpmaint02 -Authentication Negotiate -ArgumentList $employeeEmail -$
Get-ADUser -Filter "EmailAddress -eq '$($Args[0])'" -Properties EmailAddress | Disable-ADAccount -verbose
Write-Host $employeeEmail has been 'disabled.'
}
I modified my code as follow and it works expect for the lack of permissions to disable the account which odd because my admin account has rights to do so.
Insufficient access rights to perform the operation
+ CategoryInfo : NotSpecified: (CN=xxxxx\domain,DC=com:ADUser) [Disable-ADAccount], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.DisableADAccount
+ PSComputerName : corpmaint02
New code to elevate:
#!/usr/bin/pwsh
$cred=Get-Credential domain\myadmin
$employeeEmail = 'user1#contoso.com'
Invoke-Command -ComputerName corpmaint02 -Credential $cred -ConfigurationName corpmaint02 -Authentication Negotiate -ArgumentList $employeeEmail,$cred -ScriptBlock{
$currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
$testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if ($testadmin -eq $false) {
Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition))
exit $LASTEXITCODE
}
Get-ADUser -Filter "EmailAddress -eq '$($Args[0])'" -Properties EmailAddress | Disable-ADAccount -verbose -Credential $Args[1]
}
Write-Host $employeeEmail 'has been disabled.'
Invoke-Command isn't running with elevated rights, so you can retrieve data but not make changes.
https://ss64.com/ps/syntax-elevate.html
If you use Invoke-Command to run a script or command on a remote computer, then it will not run elevated even if the local session is. This is because any prompt for elevation will happen on the remote machine in a non-interactive session and so will fail.
You can try self elevating in the Invoke-Command scriptblock (from the link above)
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
# Relaunch as an elevated process:
Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs
exit
}
# Now running elevated so launch the script:
& "d:\long path name\script name.ps1" "Long Argument 1" "Long Argument 2"
Related
Good afternoon everyone, I need to configure this script to run on AD machines, but I can only run it on the local machine, could you help me
I tried: $session = New-PSSession -ComputerName computer01
$events = Invoke-Command -ComputerName $session -ScriptBlock {`
param($days,$up,$down)
Get-EventLog `
-After (Get-Date).AddDays(-$days) `
-LogName System `
-Source EventLog `
| Where-Object {
$_.eventID -eq $up `
-OR `
$_.eventID -eq $down }
} -ArgumentList $NumberOfDays,$startUpID,$shutDownID -ErrorAction Stop
however it generated the error below:
Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of
strings.
At line:68 char:15
+ ... $events = Invoke-Command -ComputerName $session -ScriptBlock {`
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand
I have a script which needs to run from remote by passing on credentials in the script as as below:-
$UserName = Read-Host "Enter User Name:"
$Password = Read-Host -AsSecureString "Enter Your Password:"
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName , $Password
Set-Service -Name HiTrust -StartupType Automatic -ComputerName ServerName -credential $Credential
(Get-Service -Name "HiTrust" -credential $Credential -ComputerName ServerName).Start()
Exit
However I keep on getting error as below:-
Set-Service : A positional parameter cannot be found that accepts argument 'System.Management.Automation.PSCredential'.
At C:\Users\ucub\Desktop\Test.ps1:9 char:15
+ ... Set-Service -Name HiTrust -StartupType Automatic -Compute ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-Service], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SetServiceCommand
If you are on this PSVersion and below, here is your root cause of why this fails on Set-Service...
$PSVersionTable.PSVersion
<#
Major Minor Build Revision
----- ----- ----- --------
5 1 17763 503
#>
(Get-Command -Name Set-Service).Parameters.Keys
# Results
ComputerName
Name
DisplayName
Description
StartupType
Status
InputObject
PassThru
Verbose
Debug
ErrorAction
WarningAction
InformationAction
ErrorVariable
WarningVariable
InformationVariable
OutVariable
OutBuffer
PipelineVariable
WhatIf
Confirm
You have unneeded stuff in the script as well.
I suggest refactoriung to this
(Get-Command -Name Invoke-Command).Parameters.Keys
# Results
Session
ComputerName
Credential
...
$ServerName = Read-Host 'Enter a target server name:'
$ServiceName = Read-Host 'Enter a target service name:'
Invoke-Command -ComputerName $ServerName -ScriptBlock {
"Executing service actions on $env:COMPUTERNAME"
Set-Service -Name $ServiceName -StartupType Automatic
Start-Service -Name $ServiceName
} -Credential (Get-Credential -Credential "$env:USERDOMAIN\$env:USERNAME")
The Problem is, that set-service doesn't have a credential parameter. Look here
Try something like this:
Enter-PSSession -ComputerName $computername -Credential $credentials
Set-Service -Name HiTrust -StartupType Automatic
or
Invoke-Command -ComputerName $computername -Credential $credential -ScriptBlock {Set-Service -Name HiTrust -StartupType Automatic}
I'm trying to set up PS Remoting/Win-RM and have the following:
$primary = 'server1'
$user = $env:UserName
$admUser = Get-Credential -UserName "domain\adm-$user" -Message 'Enter your *ADMIN* password:'
Enter-PSSession -ComputerName $primary -Credential $admUser {
hostname
}
However, this is returning the following error (I've tested this from a console and it works, so there's something wrong with my script):
Windows PowerShell credential request.
Enter your *ADMIN* password:
Password for user domain\adm-user1: ***************
Enter-PSSession : A positional parameter cannot be found that accepts argument '
hostname
'.
At line:5 char:1
+ Enter-PSSession -ComputerName $primary -Credential $admUser {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Enter-PSSession], ParameterBindingException
+ FullyQualifiedErrorId :PositionalParameterNotFound,Microsoft.PowerShell.Commands.EnterPSSessionCommand
What am I doing wrong? Thanks in advance!
Enter-PSSession opens a console connection to a remote system.
If you want to run a command on a remote system, you'd want to use Invoke-Command.
Also, you 100% always need to pass scriptblocks into some parameter (minus some edge cases where it's accepted by default). In this case, we need to use -Scriptblock.
Example:
Invoke-Command -ComputerName $primary -Credential $admUser -ScriptBlock {
hostname
}
or
$session = New-PSSession -ComputerName $primary -Credential $admUser
Invoke-Command -Session $session -ScriptBlock {hostname}
Invoke-Command -Session $session -ScriptBlock {$env:USERNAME}
Disconnect-PSSession -Session $session
Edited:
I have a powershell script that calls another script as elevated domain admin which returns an access denied error as follows:
Exception calling "Add" with "1" argument(s): "Access is denied.
"
At \\server\software$\!SystemSetup\PS_Scripts\LocalAdmin.ps1:16 char:5
+ $AdminGroup.Add($User.Path)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
Using this method to call the script produces the error:
$Cred = Get-Credential
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -NoExit -ExecutionPolicy Bypass -File $ScriptLocation" -Credential $Cred
However, If I just right click and run as administrator and enter my domain credentials to call the script (without using $Cred) works fine:
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -NoExit -ExecutionPolicy Bypass -File $ScriptLocation"
The script that I am calling looks like this:
$WindowsVersion = Get-WmiObject -Class Win32_OperatingSystem | ForEach-Object -MemberName Caption
If ($WindowsVersion -match 'Microsoft Windows 10 Enterprise') {
$DomainName = "DOMAIN.COM"
$ComputerName = (hostname)
$Username = (Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object -ExpandProperty UserName).Split('\')[1]
$AdminGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"
$User = [ADSI]"WinNT://$DomainName/$UserName,user"
$AdminGroup.Add($User.Path)
Write-Host "$Username added to Administrators"
} Elseif ($WindowsVersion -match 'Microsoft Windows 7 Enterprise' -or $WindowsVersion -match 'Microsoft Windows 7 Professional') {
$DomainName = "DOMAIN.COM"
$ComputerName = (hostname)
$Username = (Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty UserName).Split('\')[1]
$AdminGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"
$User = [ADSI]"WinNT://$DomainName/$UserName,user"
$AdminGroup.Add($User.Path)
Write-Host "$Username added to Administrators"
} Else {
Write-Host "Could not determine OS version"
}
I cannot figure out why storing my domain admin credentials in $Cred and passing it to the script gives me the access denied once it gets to $AdminGroup.Add($User.Path)
Going off of TheIncorrigible1's comment, You can add this to your script at the beginning to check if it is running as admin. If it is not, it will relaunch as admin
If (-Not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
$Arguments = "& '" + $MyInvocation.MyCommand.Definition + "'"
Start-Process Powershell -Verb RunAs -ArgumentList $Arguments
Break
}
Then depending on your UAC setting you may be prompted to allow it to run with elevated privilege.
Here's the updated, still getting the same errors.
$UserCredential = Get-Credential
$contacts = Import-Csv "C:\temp\testgal.csv"
Start-Job -Name Loop -ScriptBlock {
param([pscustomobject[]]$contacts, [System.Management.Automation.PSCredential[]]$UserCredential)
$session2 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $session2
Connect-MsolService -cred $UserCredential
foreach ($c in $contacts){
........
}
} -ArgumentList (,$contacts, $UserCredential)
Wait-Job -State Running | Receive-Job
Get-Job -State Completed | Remove-Job
I'm trying to create a vast number of contacts in 365 using a script and would like to run parallel jobs to speed it up, I built a loop inside a job and tested it worked using the following inside the loop to make sure it could extract the correct variables from the CSV.
$name = $c1.displayname
New-Item -Path "C:\Temp\Output" -Name "$name" -ItemType "file"
Now when I attempt to run the loop with the commands in the title as below
$contacts = Import-Csv "C:\temp\gal\testgal.csv"
Start-Job -Name Loop -ScriptBlock {
param([pscustomobject[]]$contacts)
foreach ($c in $contacts){
$name = $c.displayName
$rawProxy = $c.proxyAddresses
$proxysplit = $rawproxy -split '(?<!\\);'
$proxyquoted = $proxysplit.replace('x500','"x500').replace('x400','"x400').replace('X500','"X500').replace('X400','"X400')
$proxy = $proxyquoted
New-MailContact -ExternalEmailAddress $c.Mail -Name "`"$name`"" -Alias $c.mailNickname -DisplayName $name -FirstName $c.givenName -Initials $c.initials -LastName $c.sn -AsJob
Set-MailContact -Identity $c.mailNickname -CustomAttribute1 "CreatedWithScript" -CustomAttribute3 $c.extensionAttribute3 -EmailAddresses $proxy -AsJob
Set-Contact -Identity $c.mailNickname -City $c.l -Company $c.company -Department $c.department -Office $c.physicalDeliveryOfficeName `
-Phone $c.telephoneNumber -PostalCode $c.postalCode -Title $c.title -AsJob
}
} -ArgumentList (,$contacts)
Wait-Job -State Completed | Receive-Job
Get-Job -State Completed | Remove-Job
It fails saying the following for each loop:
The term 'New-MailContact' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the
name, or if a path was included, verify that the path is correct and
try again.
+ CategoryInfo : ObjectNotFound: (New-MailContact:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : localhost
The term 'Set-MailContact' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the
name, or if a path was included, verify that the path is correct and
try again.
+ CategoryInfo : ObjectNotFound: (Set-MailContact:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : localhost
The term 'Set-Contact' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the
name, or if a path was included, verify that the path is correct and
try again.
+ CategoryInfo : ObjectNotFound: (Set-Contact:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : localhost
Is there a trick to running these commands inside background jobs?
You need to import the correct powershell module, in this case the Office365:
Import-Module MSOnline
You will also need to authenticate so pass username and password down to your job and create credentials objects:
$contacts = Import-Csv "C:\temp\gal\testgal.csv"
Start-Job -Name Loop -ScriptBlock {
param([pscustomobject[]]$contacts, [string]$username, [string]$password)
Import-Module MSOnline
$secpasswd = ConvertTo-SecureString $password -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ($username, $secpasswd)
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $creds -Authentication Basic -AllowRedirection
Connect-MsolService –Credential $creds
foreach ($c in $contacts){
...
}
} -ArgumentList (,$contacts, $username, $password)
Wait-Job -State Completed | Receive-Job
Get-Job -State Completed | Remove-Job
NB. This is untested but should put you on the right track.