Unlocking an AD user with Powershell - powershell

I’m new to Powershell and am struggling to make a script work. I’ve read many articles here on Overflow and elsewhere and don’t see what I’m doing wrong. Any help would be appreciated.
I'm trying to create a script that will unlock an AD user remotely while I'm logged-on to my computer as a local admin. Here's my script:
Import-Module ActiveDirectory
New-PSSession -ComputerName <Remote ComputerName> -Credential <domain admin credential>
Import-Module ActiveDirectory
Unlock-ADAccount
Read-Host "Press any key"
I try to execute this from my computer logged-on as a local admin, but pass domain admin credentials. The script is run as an administrator in Powershell. After I enter my domain password and indicate which user I want to unlock, the message I get is: “Insufficient access rights to perform the operation”.
If I run this code interactively in Powershell, line by line, it will unlock the account. If I run a script asking only to see if the user is locked, it will give me an answer. If I run the above script from my computer logged-on as the domain admin, it will run and unlock the user.
I don’t understand why it will not run when I’m logged-on as local admin, given that I’m passing domain admin credentials. Any help would be appreciated.

You're creating a PSSession, but not using it. Try something like this (untested):
$computer = "test1"
$cred = Get-Credential
$user = Read-Host "User to unlock"   # prompt must be quoted, or "to" and "unlock" become stray positional arguments
$sess = New-PSSession -ComputerName $computer -Credential $cred
# Run the unlock inside the session so it executes as $cred, not as the local logon
Invoke-Command -Session $sess -ScriptBlock { param($ADUser) Import-Module ActiveDirectory; Unlock-ADAccount -Identity $ADUser } -ArgumentList $user
Remove-PSSession $sess
Read-Host "Press any key"

Although you could create a PSSession, if you have RSAT installed and have access to the ActiveDirectory module there is no need to do that. Instead, just use the credential parameter on each AD cmdlet. For instance, to unlock a user account using alternate credentials, use the following:
Unlock-ADAccount -Identity username -Credential (Get-Credential)
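Both answers make the same point: in the original script Unlock-ADAccount ran on the local machine under the logged-on local admin's token, because the session was created but never used. Whichever way you pass the credential, the account doing the unlock needs read/write on the target user's lockoutTime attribute, and a practitioner usually wants to see why the account locked before clearing it. The following is an added example, not code from either answer; the DC name, the user 'jdoe' and the $cred variable are placeholders.

```powershell
# Added example (not from the answers above). Placeholders: the DC name, the user
# 'jdoe' and $cred. The caller needs read/write on the user's lockoutTime attribute.
Import-Module ActiveDirectory

function Unlock-ADUserVerified {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [pscredential] $Credential,
        # Pin all calls to one DC: an unlock written to DC1 is not instantly visible
        # on DC2, so a re-read from a different DC may still report the account locked.
        [string] $Server
    )
    $common = @{ Identity = $Identity; Credential = $Credential }
    if ($Server) { $common.Server = $Server }
    # BadLogonCount (badPwdCount) is not replicated; each DC keeps its own count,
    # the PDC emulator has the authoritative total.
    $props = 'LockedOut', 'lockoutTime', 'BadLogonCount', 'LastBadPasswordAttempt'

    $before = Get-ADUser @common -Properties $props
    if (-not $before.LockedOut) {
        Write-Host "$Identity is not locked out."
        return $before
    }
    $since = [DateTime]::FromFileTime($before.lockoutTime)
    Write-Host ("{0} locked since {1}; bad logons on this DC: {2}; last bad password: {3}" -f `
        $Identity, $since, $before.BadLogonCount, $before.LastBadPasswordAttempt)

    # Unlock-ADAccount resets lockoutTime to 0. Passing -Credential (or running inside a
    # session created with it) is what makes it execute as $Credential, not as your logon.
    Unlock-ADAccount @common -Confirm:$false

    $after = Get-ADUser @common -Properties $props
    if ($after.LockedOut) { throw "Unlock of $Identity did not take effect" }
    Write-Host "$Identity unlocked."
    return $after
}

$cred = Get-Credential -Message 'Account that is allowed to unlock users'
Unlock-ADUserVerified -Identity 'jdoe' -Credential $cred -Server 'dc01.example.com'
```

If the same account keeps locking, find the source before unlocking it again: event 4740 on the PDC emulator records the caller computer name, and a stale credential on a service or a password spray looks exactly like a forgetful user from the unlock side.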

Related

Skype for business Move-CsUser command prompts for sign in after moving 10-15 users and doesn't accept the credential

I am trying to move bulk users (900+) from SfB On-Premise to SfB-Online using the Move-CsUser PowerShell Cmdlet. Below is the code snippet:
$INP = Get-Content -Path <txt file path>
$SESSION = New-CsOnlineSession
Import-PsSession $SESSION -AllowClobber
foreach($USER in $INP)
{
Move-CsUser -Identity $USER -Target 'sipfed.online.lync.com' -ProxyPool 'ProxyPool_FQDN' -UseOAuth -Confirm:$False
}
It works fine for 15-20 users and moves them successfully to SfBOnline however, after that it prompts for Office admin credentials again saying "We couldn't sign you in. Please try again" and doesn't accept the credential anymore. Keeps prompting the same.
NOTE:
I have followed all the possibilities from Technet with no luck.
Disabled MFA from the global admin Office account - No luck.
Tried using -UserList parameter to move bulk users - Same issue.
Any help would be much appreciated.

How to open Windows Powershell (Elevated) without admin rights?

I wanted to turn on The Windows Subsystem for Kali Linux. But it requires me to execute powershell as admin.
This is for executing a command on my pc. I have tried task scheduler but it did not work.
An "elevated" Command Prompt or Powershell session is, in fact, a session with admin rights. If you do not have credentials that grant you admin rights on the system, you cannot open an elevated session. There is no way to circumvent this. Talk to whoever is the administrator of your computer.
Can you put a line in the PS to elevate the commands?
# Set the variable
$cred = Get-Credential -Credential 'domain\privaccount$'
then depending on the command, add
-Credential $cred
For example:
$cred = Get-Credential -Credential 'domain\MyAdmin$'
Get-ADUser -Filter * -SearchBase $ou -Credential $cred   # $ou holds the distinguished name of the OU to search
What command are you trying to run elevated?
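The comment above and the answer before it are talking about two different things: -Credential on a cmdlet changes which account the cmdlet authenticates as against its target, while "elevated" means the local process holds the full administrator token. A script can ask for elevation, but only through the UAC prompt, which still needs an administrator account, as the answer says. The following is an added example, not code from anyone in the thread; the file name Enable-Wsl.ps1 is hypothetical and the feature it enables is the one the question mentions.

```powershell
# Added example (hypothetical file name: Enable-Wsl.ps1). Checks whether the process is
# elevated and, if not, relaunches itself through UAC. This does not get around the
# answer above: the UAC prompt still needs an administrator account.
param([switch] $NoRestart)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # False on a UAC-filtered token, even when the user is a member of Administrators
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Re-run this same script with the RunAs verb. Windows shows the consent prompt for
    # an admin user or a credential prompt for a standard user; cancelling it makes
    # Start-Process throw, so a user without admin credentials simply stops here.
    $relaunch = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`"")
    if ($NoRestart) { $relaunch += '-NoRestart' }
    try {
        $p = Start-Process -FilePath 'powershell.exe' -ArgumentList $relaunch -Verb RunAs -Wait -PassThru
        exit $p.ExitCode
    } catch {
        Write-Error "Elevation refused or cancelled: $($_.Exception.Message)"
        exit 1
    }
}

# From here on the script runs with the full administrator token.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
if ($feature.State -eq 'Enabled') {
    Write-Host 'Windows Subsystem for Linux is already enabled.'
    exit 0
}
$result = Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart:$NoRestart
if ($result.RestartNeeded) { Write-Host 'A restart is required to finish enabling WSL.' }
exit 0
```

Run it as `.\Enable-Wsl.ps1 -NoRestart` from a normal prompt; the only thing the self-relaunch buys you is not having to open an elevated console by hand. Task Scheduler does not help either, because a task that runs with highest privileges has to be created by an account that already has them.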

Powershell script guidance

I am looking for powershell code for installing software packages in remote machines which are in ADS domain.While installing I have to pass my admin credentials. How can I do this?
Guidance required
You can store your password to be used on a remote computer using the Get-Credential command like this:
$Credential = Get-Credential
You'll see a prompt like this appear:
I would recommend storing the applications you need to install in a central place, that all of your remote devices can reach. I'll assume you've stored them in the UNC Path: \\FileServer\Application
Let's say you wanted to install 7Zip and had it present in that path:
$Credential = Get-Credential
$Computers = 'RemotePC1', 'RemotePC2'
Invoke-Command -ComputerName $Computers -Credential $Credential -ScriptBlock {
    param($MsiPath)
    # An .msi cannot be invoked with &; hand it to msiexec and wait for it to finish
    Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /q INSTALLDIR=`"C:\Program Files\7-Zip`"" -Wait
} -ArgumentList '\\FileServer\Application\7Zip.msi'
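One thing the answer does not mention: when the remote machine opens \\FileServer\Application inside the Invoke-Command session it has to authenticate to the file server with the credential you passed in, and by default WinRM does not let that credential hop a second time (Kerberos delegation is off), so the share access fails with access denied even though your account can read it from your own desk. The following is an added example, not the answerer's code, that sidesteps this by copying the package through the session and verifying its hash on the target before running msiexec; hostnames, the UNC path and the staging directory are placeholders, and Copy-Item -ToSession needs PowerShell 5.0 or later on both ends.

```powershell
# Added example (not from the answer above). Hostnames, the UNC path and the staging
# directory are placeholders. Requires PowerShell 5.0+ on both ends for Copy-Item -ToSession.
$Credential = Get-Credential -Message 'Account that is a local admin on the targets'
$Computers  = 'RemotePC1', 'RemotePC2'
$Installer  = '\\FileServer\Application\7Zip.msi'   # must be readable by the account running THIS script
$RemoteDir  = 'C:\Windows\Temp\Install'

# Hash the package locally so every target can prove it received the bytes you intended.
$expectedHash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash

$sessions = New-PSSession -ComputerName $Computers -Credential $Credential
foreach ($s in $sessions) {
    # Copy through the session: the remote side never has to reach \\FileServer, so the
    # credential does not need to be delegated (the "second hop" problem never arises).
    Invoke-Command -Session $s -ScriptBlock { param($d) New-Item -ItemType Directory -Path $d -Force | Out-Null } -ArgumentList $RemoteDir
    Copy-Item -Path $Installer -Destination $RemoteDir -ToSession $s -Force
}

$results = Invoke-Command -Session $sessions -ScriptBlock {
    param($Dir, $Leaf, $Hash)
    $local = Join-Path $Dir $Leaf
    $log   = Join-Path $Dir ($Leaf + '.log')
    $actual = (Get-FileHash -Path $local -Algorithm SHA256).Hash
    if ($actual -ne $Hash) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; ExitCode = -1; Note = 'hash mismatch, not installed' }
    }
    # An .msi is not executable on its own; msiexec runs it. /qn = no UI, /l*v = verbose log.
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$local`" /qn /norestart /l*v `"$log`"" -Wait -PassThru
    $note = switch ($p.ExitCode) {
        0       { 'installed' }
        3010    { 'installed, reboot required' }
        default { "failed, see $log" }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; ExitCode = $p.ExitCode; Note = $note }
} -ArgumentList $RemoteDir, (Split-Path $Installer -Leaf), $expectedHash

$sessions | Remove-PSSession
$results | Format-Table Computer, ExitCode, Note -AutoSize
```

The hash check matters more than it looks: the staging directory is world-readable on most builds, so comparing against a hash computed on the admin's side is what stops a local user from swapping the package between the copy and the install.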

Invoke-command doesn't need credentials

I have 2 servers (windows server 2012 R2) in the same domain.
I execute a command on server01:
Invoke-Command -ComputerName server02 -Credential Administrator -ScriptBlock {Get-Culture}
I give the password of my Administrator (of server2) and it works well.
But when I try:
Invoke-Command -ComputerName server02 -ScriptBlock {Get-Culture}
It also seems to work. Probably because the 2 servers are in the same domain. While I only want it to work when you can provide the right credentials. Can someone help me with it?
You are probably doing this with a Domain Admin account, or an account that is in the Domain Admins group or similar.
In any case, this happens because your account has privileges on that computer.
With which user do you execute the script on server01? Does that user have permissions on server02 too? If your user has admin permission on server01 and server02 then no credentials are necessary... (as far as I know)
To check if the provided credentials are valid have a look here:
https://gallery.technet.microsoft.com/scriptcenter/Test-Credential-dda902c6
Or something like this:
$cred = Get-Credential  # read credentials
$username = $cred.UserName
$password = $cred.GetNetworkCredential().Password  # plaintext copy of the password; clear it when done
# Get current domain using logged-on user's credentials
$CurrentDomain = "LDAP://" + ([ADSI]"").distinguishedName
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain, $username, $password)
if ($null -eq $domain.name)
{
    Write-Host "Authentication failed - please verify your username and password."
    exit  # terminate the script
}
else
{
    # Sub-expression needed: "$domain.name" would expand only $domain and print ".name" literally
    Write-Host "Successfully authenticated with domain $($domain.name)"
}
Which was found here (but I haven't tested it):
https://serverfault.com/questions/276098/check-if-user-password-input-is-valid-in-powershell-script
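The reason the second Invoke-Command works is that WinRM authenticates the caller's own logon with Kerberos, and that account is an administrator on server02. Validating a typed credential is a different control: it makes the script fail closed when the operator mistypes, but it does not stop the SSO path. The following is an added example, not the answerer's code; it validates with PrincipalContext instead of an ADSI bind and then passes the credential explicitly. It assumes a domain-joined machine (the domain defaults to the current one) and server02 is a placeholder.

```powershell
# Added example (not from the answer above). Assumes a domain-joined machine; the domain
# defaults to the current one, and server02 is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-ADCredential {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $DomainName = $env:USERDNSDOMAIN
    )
    $net = $Credential.GetNetworkCredential()   # splits DOMAIN\user into .Domain and .UserName
    if ($net.Domain) { $DomainName = $net.Domain }
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType, $DomainName)
    try {
        # This is a real logon attempt: a wrong password increments badPwdCount and can
        # lock the account, so never call it in a retry loop.
        return $ctx.ValidateCredentials($net.UserName, $net.Password)
    } finally {
        $ctx.Dispose()
    }
}

$cred = Get-Credential -Message 'Account to use on server02'
if (-not (Test-ADCredential -Credential $cred)) {
    throw 'Credential rejected by the domain; not connecting.'
}
# Pass the validated credential explicitly so the remote side runs as that account
# rather than as whoever happens to be logged on to server01.
Invoke-Command -ComputerName server02 -Credential $cred -ScriptBlock { Get-Culture }
```

If the requirement is that nobody can reach server02 without typing a credential, the fix lives on server02, not in the script: take the interactive accounts out of its Administrators and Remote Management Users groups (or tighten the session configuration ACL with Set-PSSessionConfiguration), and only the accounts you deliberately pass in will be accepted.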

Why can I pass credentials to a regular user but not a local administrator?

So basically I've been working forever on a PS remote self help script that originally was thought to be simple: Restart the spooler service, clear the queue, and print a test page on the default printer. Getting there however hasn't been so easy, due to security issues. After some hours, I was able to get my local user test account to accept the credentials of my domain administrator. I thought all was well, until I tried to replicate it on a local administrator's account, in which event access was denied. This is sort of important, because the majority of the accounts we will be deploying the script on are local admins. I suspect it may be a UAC issue, but I have no idea what I should do to work around the problem. Here's what I'm working with currently:
# $true only when the current token is a member of BUILTIN\Administrators (S-1-5-32-544)
$v = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).Groups -match "S-1-5-32-544")
If (-not $v)   # the original "If ($v = "False")" assigns a non-empty string and is therefore always true
{
    $password = "ElPassword" | ConvertTo-SecureString -AsPlainText -Force   # hard-coded secret, as posted
    $username = "Domainname\Username"
    $credential = New-Object System.Management.Automation.PSCredential($username, $password)
    Invoke-Command -ScriptBlock {Stop-Service spooler} -ComputerName $env:ComputerName -Credential $credential
    Remove-Item C:\Windows\System32\spool\PRINTERS\* -Force
    Invoke-Command -ScriptBlock {Start-Service spooler} -ComputerName $env:ComputerName -Credential $credential
    $printer = Get-WmiObject -Query "SELECT * FROM Win32_Printer WHERE Default=True"
    $PrintTestPage = $printer.PrintTestPage()
}
Else
{
    Stop-Service spooler
    Remove-Item C:\Windows\System32\spool\PRINTERS\* -Force   # clear the queue here too, per the stated goal
    $printer = Get-WmiObject -Query "SELECT * FROM Win32_Printer WHERE Default=True"
    Start-Service spooler
    $PrintTestPage = $printer.PrintTestPage()
}
The first thing this does is check if the current PS session is being run as admin; seeing as the users don't actually see the PowerShell window or script, and we recently started using the RMM tool, I'm still trying to figure out under what conditions the tool runs PS elevated - the documentation says that it runs with the credentials of the logged-in user, but that doesn't seem to be the case, as an hour with their support team told me that the reason the script wasn't doing its job on any admin accounts was because it wasn't being elevated. Anyways, after the check, it either passes credentials for the commands or it doesn't. This script seems to handle every scenario but that of a local admin account running PS non-elevated. In that event, it simply denies me access where the exact same creds give me access on a regular user account. I'm not sure how to even approach this problem, so any help is appreciated.