Find computers with a specific user in local admin group - powershell

I need to check if a specific domain user is a member of a local administrators group.
I prefer to use PowerShell, but the problem is that we are not allowing WinRM, so I can't use PSRemoting and can't run Get-LocalGroupMember or something similar.
Thanks a lot for your help.

I recommend you have a look at PowerView. Get-NetLocalGroup queries the information via the WinNT provider or, on demand, via WinAPI.
Refer to harmj0y's blog for more information.
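The WinNT provider mentioned in this answer can also be queried directly through the [ADSI] accelerator for an audit of direct group membership without WinRM. The following is an added example, not code from the answer or from PowerView; the function name, computer names and account are constructed.

```powershell
# Added example: audit direct membership of the local Administrators group
# over the ADSI WinNT provider. Function and sample names are hypothetical.
function Test-LocalAdminMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Account,      # 'DOMAIN\user'
        [string]$GroupName = 'Administrators'        # name is localized on non-English builds
    )
    $domain, $user = $Account -split '\\', 2
    $wanted = "WinNT://$domain/$user"                # ADsPath of a domain account
    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            ComputerName = $computer; Account = $Account
            IsMember = $null; NestedGroups = @(); Error = $null
        }
        try {
            $group = [ADSI]"WinNT://$computer/$GroupName,group"
            # Members are COM objects, so read their properties via reflection.
            $members = $group.psbase.Invoke('Members') | ForEach-Object {
                $t = $_.GetType()
                [pscustomobject]@{
                    Path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
                    Class = $t.InvokeMember('Class', 'GetProperty', $null, $_, $null)
                }
            }
            $result.IsMember = [bool]($members | Where-Object { $_.Path -ieq $wanted })
            # Domain groups listed here can still grant the account admin rights.
            $result.NestedGroups = @($members | Where-Object Class -eq 'Group' | ForEach-Object Path)
        } catch {
            # Unreachable or refusing hosts are reported, not counted as "not a member".
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

Test-LocalAdminMember -ComputerName 'PC-001', 'PC-002' -Account 'CONTOSO\jdoe'
```

IsMember only covers accounts listed directly in the group; the NestedGroups column shows which domain groups still have to be expanded in Active Directory.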

Related

O365 Powershell for customers

I am currently using O365 Graph API to create services for customers and realized that some of the capabilities that customers need, i.e. creating transport rules or accessing quarantined email information, are only available through PowerShell.
Can a vendor create transport rules or execute PowerShell commands for their customers? Similar to how vendors register their Azure AD application and request permissions, is there a way to run PowerShell command for customers by a vendor?
Documentation is not really helpful on this front.
When using Graph, I don't think you can, but you can do it with PowerShell if you're a Microsoft Partner and have configured yourself as an advisor (delegated access permissions) for your clients (invite them to add you, or add yourself if you have their consent and global admin access to their tenancy).
Adding a partner to a tenant:
https://learn.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
See a bit of additional info here:
https://learn.microsoft.com/en-us/office365/enterprise/powershell/manage-office-365-tenants-with-windows-powershell-for-delegated-access-permissio
When running PowerShell commands, you'll need to refer to the TenantID when running a command on the client's tenancy (rather than your own).
A simple example of this might be:
Get a list of TenantIDs:
Get-MsolPartnerContract -All | Select-Object TenantId
Get a list of mailboxes for one of the TenantIds listed above:
Get-Mailbox -TenantID "asddfsdfadfg-dsfgsdfg-sdfgsdfg-dsfgsdfg"
This relies on you having logged into the PowerShell session with a user that has administrative 'Partner' permissions in your partner tenancy.
Hopefully that helps somewhat!

Identify login with Administrative access on SSAS instance using query or Powershell

I want to identify the users/logins with administrative access on the server to migrate them to new servers. I have tried Select * from $System.TMSCHEMA_ROLE_MEMBERSHIPS, but this gives information regarding the particular database; I need more at server level.
SSAS users are done quite differently from normal databases. SSAS uses only the Active Directory account of the user trying to connect.
On server level the only security is done in the properties of the server, there you can select active directory users with administrative access to the server.
On database level you can create roles, give them access to (part of a) database and link active directory users/groups to them.
Using the AnalysisServices namespace of Microsoft you already mentioned, you can look through every role in every database and note the permissions.
As far as I know you can't actually use this namespace to see all the administrators of the user. But unless you have an unreasonable amount of administrators, the best solution might be to just open the server in SQL Server Management Studio, click on Properties, Security and write down all the AD members manually.
I hope this helps you and good luck!

pswa powershell web access custom configuration rules

Goal: Give users an account (domain user or basic, doesn't matter) and have them use Get-DhcpServerv4Lease cmdlet to convert their DHCP leases to reservations via the powershell web access feature using a web browser.
Issue/problem: I already made my own AuthorizationRule by importing that specific cmdlet, but I feel like it's missing other modules in order to authenticate/login? I can log in if I grant the microsoft.powershell configuration rule, but can't if I grant the custom one that I made.
Error received upon login with my own custom configuration:
The Windows PowerShell Web Access gateway cannot establish a connection to the destination computer. Contact the gateway administrator. The error at the gateway is: The WS-Management service cannot process the request. The service is configured to reject remote connection requests for this plugin.
Question: Is there some other module I need to add to my custom rule or maybe there is a way to know what permissions microsoft.powershell contains so that I could mirror/copy them into my own rule?
Thanks
The quick answer: Remote PowerShell needs to be enabled on the target system!
You can use System names, IP addresses or the FQDN. All of them will work (Use a mix as well)
To keep your Rules simple: Use Groups! Here is a Gist that could help you a bit. I have just a few rules and use AD Groups to manage the access (Systems and Users)
Please execute this (in an elevated PowerShell): Enable-PSRemoting -Force
You have to do this on all systems that you would like to access via the Web Gateway.
You will find a lot more Info about this on TechNet.
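A PSWA authorization rule only names a session configuration; the configuration itself has to be registered on the destination computer. The following added example (not from the question, the answer or the linked Gist) registers a restricted endpoint for the DHCP task and then points a rule at it; the endpoint, group, user and host names are constructed, and Add-DhcpServerv4Reservation is assumed to be the cmdlet used for the conversion.

```powershell
# --- On the destination computer (the DHCP server), elevated session ---
$endpoint = 'DhcpLeaseOps'                          # constructed endpoint name
$pssc     = Join-Path $env:ProgramData "$endpoint.pssc"

$config = @{
    Path            = $pssc
    SessionType     = 'RestrictedRemoteServer'      # hides everything not listed below
    ModulesToImport = 'DhcpServer'
    VisibleCmdlets  = 'Get-DhcpServerv4Lease', 'Add-DhcpServerv4Reservation'
}
New-PSSessionConfigurationFile @config
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}
Register-PSSessionConfiguration -Name $endpoint -Path $pssc -Force

# Grant the operators group access to the endpoint (opens the ACL editor).
Set-PSSessionConfiguration -Name $endpoint -ShowSecurityDescriptorUI

# Confirm the endpoint exists and is enabled before a rule refers to it.
Get-PSSessionConfiguration -Name $endpoint | Select-Object Name, Enabled, Permission

# --- On the PSWA gateway, elevated session ---
$rule = @{
    RuleName          = 'DhcpLeaseOps'
    UserGroupName     = 'CONTOSO\DhcpOperators'     # constructed AD group
    ComputerName      = 'dhcp01.contoso.example'    # constructed host name
    ConfigurationName = 'DhcpLeaseOps'              # must match the registered endpoint
}
Add-PswaAuthorizationRule @rule

# Check that a member of the group is authorized for exactly this endpoint.
Test-PswaAuthorizationRule -UserName 'CONTOSO\jdoe' -ComputerName $rule.ComputerName -ConfigurationName $rule.ConfigurationName
```

Users authorized by this rule reach only the two DHCP cmdlets plus the few proxy commands a RestrictedRemoteServer session always exposes, rather than the full microsoft.powershell endpoint.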

PowerShell and checking local administrator rights

I'm building a PowerShell script that requires local administrator rights on the server it's run on and I would need to check that the user has those rights.
The problem is that the user might not be directly in the local Administrators group, but in a domain group that's in the local group and has the permissions that way. Then again the local Administrators group might have several domain groups as members.
Is there a way to "simply" check whether the user has local admin rights or not without going through Get-ADGroupMember for all the nested domain groups in Administrators or so?
edit: For example, one option could be a simple command that returns "Access denied" if the user is not local admin, but such a command that would be "safe" to execute just for this purpose.
I found this approach, which is quite lovely, on Garrett Serack's Git repository.
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    "You're a wizard Harry!"
    # DoAdminThingsHere
}
Else
{
    "Not an Admin!"
}
Seems to get the job done. It determines the current permission level of the user using .NET types.
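The check above reads the process token, which already contains nested group memberships, so no AD group walk is needed. It returns False for an administrator whose process is not elevated under UAC. The following added example (not from the answer or the repository it cites) separates the three cases; the function name and state labels are hypothetical.

```powershell
# Added example: distinguish "elevated", "admin but not elevated" and "not admin".
function Get-LocalAdminState {
    $adminSid  = 'S-1-5-32-544'    # well-known SID of BUILTIN\Administrators
    $denyOnly  = [Security.Claims.ClaimTypes]::DenyOnlySid
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # True only when the Administrators SID is enabled in this token.
    # Matching on the SID avoids the localized group name.
    $elevated = $principal.IsInRole([Security.Principal.SecurityIdentifier]$adminSid)

    # A UAC-filtered token keeps the Administrators SID as a deny-only entry.
    $filtered = [bool]($identity.Claims | Where-Object {
        $_.Type -eq $denyOnly -and $_.Value -eq $adminSid
    })

    $state = if ($elevated) { 'Elevated' }
             elseif ($filtered) { 'AdminNotElevated' }
             else { 'NotAdmin' }

    [pscustomobject]@{ User = $identity.Name; State = $state }
}

# Guard at the top of a script that needs local administrator rights.
$check = Get-LocalAdminState
switch ($check.State) {
    'Elevated'         { "Running elevated as $($check.User)." }
    'AdminNotElevated' { throw "$($check.User) is a local administrator, but this session is not elevated. Start PowerShell with 'Run as administrator'." }
    default            { throw "$($check.User) has no local administrator rights on this computer." }
}
```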

Specific permissions required to run exchange 2010 powershell commands

The helpdesk will be using a script I wrote to set out of office replies and to modify folder permissions, but they are running into permission issues using it. Is there any resource that would indicate what permissions each PowerShell command in the Exchange cmdlets needs in order to be run? Failing that, does anyone know the specific permissions needed to set OoO and modify folder permissions?
I did find this that gives specific roles needed to do various things but it's not quite what I'm looking for. These roles give access to far more than what we need.
EDIT: The Auto Reply role is all that is required to allow use of Set-MailboxAutoReplyConfiguration. Looking into the others still.
That seems to be as granular as the roles get.
If you want to restrict them further, you can set up one or more remote sessions they can connect to that use a delegated account that is an Exchange role member, and constrain the session to just being able to run your script.