Access denied adding domain user to local administrators group - powershell

When adding a domain user to the local Administrators group I receive an "access denied" error. This worked before and now, sadly and strangely, it no longer does.
$user = "mydomain/user"
$group = [ADSI]"WinNT://./Administrators,group"
$group.Add("WinNT://$user,user")
Exception calling "Add" with "1" argument(s): "Access is denied."
At C:\test\Untitled5.ps1:3 char:1
+ $group.Add("WinNT://$user,user")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
Logged on as a domain administrator
Same error using the PowerShell ISE or the console
Yet, I am able to add the user through the Computer Management MMC snap-in, no problem.

This is most likely User Account Control (UAC) related. Make sure you run PowerShell "As Administrator." Otherwise, if you're not running "as admin," you're running PowerShell under your user's account's standard user token, which doesn't have access to make this change.
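As an added example (not code from the question or the answer above), the following PowerShell checks for an elevated token before touching the local SAM through the WinNT provider, and skips the Add if the member is already there. The domain and user names are placeholders.

```powershell
function Test-IsElevated {
    # With UAC on, a non-elevated session runs under a filtered token in which the local
    # Administrators membership is deny-only; IsInRole reports what the token can actually use.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalGroupMemberPaths {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    # Invoke('Members') returns raw COM objects; their ADsPath looks like "WinNT://MYDOMAIN/user".
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-DomainUserToLocalAdministrators {
    param(
        [Parameter(Mandatory)][string]$Domain,   # NetBIOS domain name, e.g. MYDOMAIN (placeholder)
        [Parameter(Mandatory)][string]$User      # sAMAccountName of the domain user (placeholder)
    )
    if (-not (Test-IsElevated)) {
        throw ("Not elevated: writing to the local Administrators group needs an elevated token. " +
               "Start PowerShell with 'Run as Administrator' (Start-Process powershell -Verb RunAs).")
    }
    $memberPath = "WinNT://$Domain/$User"
    # -contains is case-insensitive, which matches how Windows treats account names.
    if ((Get-LocalGroupMemberPaths -GroupName 'Administrators') -contains $memberPath) {
        Write-Verbose "$Domain\$User is already a member of Administrators"
        return
    }
    $group = [ADSI]"WinNT://./Administrators,group"
    $group.Add("$memberPath,user")
    Write-Verbose "Added $Domain\$User to Administrators"
}

Add-DomainUserToLocalAdministrators -Domain 'MYDOMAIN' -User 'user' -Verbose
```

On Windows 10 / Server 2016 and later the built-in `Add-LocalGroupMember -Group Administrators -Member 'MYDOMAIN\user'` does the same job, with the same elevation requirement; the ADSI route above is what you need on older hosts.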

Related

PowerShell error: Exception calling "FindOne" with "0" argument(s): "The user name or password is incorrect. "

There is a Windows Server VM in my department that hosts some of our web applications. We want one of these web applications to automatically get the user's department based on his NT-User. To do so, we imagine the following path:
The user enters the website. His NT-User is automatically taken by IIS Windows Authentication;
We call PowerShell (using an Active Directory API) with the NT-User as a parameter;
We finally get the user name and department.
This API works fine on my personal computer, but not on the server. I am executing a PowerShell script like this:
$helpstring = find-user 'fie7ca' | select displayname, name, st, l, distinguishedname
$helpstring;
On my personal computer it works fine.
But on the server I receive the following error:
Exception calling "FindOne" with "0" argument(s): "The user name or password is incorrect."
At C:\Users\RBAdmin_App2\Documents\WindowsPowerShell\Modules\BC-Tools\User-Functions.psm1:496 char:11
+ $user = $searcher.FindOne()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DirectoryServicesCOMException
I imagine that I need an Active Directory feature, use LDAP or something that I do not know.
This problem was regarding the company proxy.
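As an added example (not the poster's `find-user` function), the following PowerShell forces the LDAP bind before searching, so an authentication or connectivity failure is reported with the identity that actually made the connection, and escapes the search value so a name taken from a web request cannot alter the LDAP filter. The LDAP path and account name are placeholders.

```powershell
# Escape a value for use inside an LDAP filter (RFC 4515); backslash must be handled first.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-DomainUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$LdapPath,      # e.g. 'LDAP://dc01.corp.example/DC=corp,DC=example' (assumed)
        [System.Management.Automation.PSCredential]$Credential
    )
    $root = if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        # No explicit credential: the bind uses the process identity. Under IIS that is the
        # application pool identity, which may have no usable domain credentials at all.
        New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    }
    $who = if ($Credential) { $Credential.UserName } else { [System.Security.Principal.WindowsIdentity]::GetCurrent().Name }
    try {
        # DirectoryEntry is lazy; touching NativeObject performs the bind now, so the error
        # surfaces here instead of inside FindOne().
        $null = $root.NativeObject
    } catch {
        throw "LDAP bind to '$LdapPath' as '$who' failed: $($_.Exception.Message)"
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    foreach ($p in 'displayName', 'name', 'st', 'l', 'distinguishedName', 'department') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    $result = $searcher.FindOne()
    if (-not $result) { return $null }

    # SearchResult.Properties keys are lower-cased; each value is a collection.
    $out = [ordered]@{}
    foreach ($p in $searcher.PropertiesToLoad) {
        $out[$p] = $result.Properties[$p.ToLower()] | Select-Object -First 1
    }
    [pscustomobject]$out
}

Find-DomainUser -SamAccountName 'fie7ca' -LdapPath 'LDAP://dc01.corp.example' -Credential (Get-Credential)
```

Run it once from the server with an explicit credential and once without: if only the first succeeds, the script is running under an identity that cannot authenticate to the domain; if neither reaches the DC, look at the network path (as the proxy turned out to be here).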

PowerShell Script with Clixml and Taskscheduler

Here's the problem:
When I run my PowerShell script manually, everything works fine. But it doesn't work via Task Scheduler.
The reason is probably my stored credentials for Active Directory and Mobile Device Management. I stored them with "Export-Clixml", but the XML files can't be read when the script is started by Task Scheduler. Without them it works perfectly.
The scheduled task is executed as the same user who saved the credentials in the XML before.
I hope you understand what I mean.
Edit 1:
I've tried the solution from "Bender the Greatest".
Unfortunately it still doesn't work. I exported my credentials with "Export-Clixml" and import them with "Import-Clixml".
It doesn't matter whether I generate them manually via my admin account or via the SYSTEM account (with psexec). If I then execute the script via the corresponding account with which the credentials were generated, it still doesn't work.
But it seems to find the credentials (I saw that in the log). The import, however, doesn't seem to work.
If I include the credentials in the script manually it works fine, but I would have liked to store them encrypted.
[Lizenzauswertung] Checking credentials
[Lizenzauswertung] MDM credentials found
[Lizenzauswertung] MDM access token found
[Lizenzauswertung] AD credentials found
Here I'm trying to decrypt the password from the XML file:
You cannot call a method on a null-valued expression. (translated)
At C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:171 char:1
+ $PSCPW = $CredsMDM.GetNetworkCredential().Password
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
This is a replacement in the username to get the right spelling for a web request:
You cannot call a method on a null-valued expression. (translated)
At C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:172 char:1
+ $RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Here you can see the errors that occur when importing the MDM credentials. The reason for the errors is described above. I edit the credentials after importing them, before they are passed on in the script.
The MDM access token is not encrypted and can be read.
The AD credentials are not processed beforehand but passed directly to the AD commands, so no error is displayed there. Since the AD report does not finish (which I saw in the log), these are not imported either.
Here is a little code snippet of the import/export. I've only included the code for the MDM credentials; the other queries are the same.
If (Test-Path $CredentialsMDM) {
    $CredsMDM = Import-Clixml -Path $CredentialsMDM
    Write-Host "[Lizenzauswertung] MDM credentials found" -ForegroundColor Green
} else {
    Write-Host "[Lizenzauswertung] MDM credentials not found" -ForegroundColor Yellow
    Get-Credential -Message "Credentials for MDM / Airwatch" | Export-Clixml -Path $CredentialsMDM
    $CredsMDM = Import-Clixml -Path $CredentialsMDM
}
Write-Host "[Lizenzauswertung] Credentials checked" -ForegroundColor Green
$PSCUser = $CredsMDM.UserName
$PSCPW = $CredsMDM.GetNetworkCredential().Password
$RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
$AccessToken = $CredsMDMAT.accesstoken   # $CredsMDMAT is imported the same way from its own XML file
$Auth = $CredsAD                         # $CredsAD likewise
(I am sorry for the spaghetti code.)
You need to provide the error you're getting but I'm going to take a shot in the dark here. I'm guessing you're either exporting secretAD.xml as one user and running your script as another user from Task Scheduler, or exporting secretAD.xml on another computer/server. By default, credentials are able to be decrypted only by the user that built it on that specific server. This is how Windows' Data Protection API (DPAPI) works.
The easy way to fix this is to generate secretAD.xml as the user you intend to run the script as. You can specify your own key for decryption, which can be used by any user on any box, but you will need to figure out a method of secure delivery of the decryption key to the runtime. If you want/need to run the script as NT Authority\SYSTEM, I recommend using psexec to open an interactive SYSTEM Powershell session, generate the credential, and then use Export-CliXml to serialize the credential to secretAD.xml.
Note that the default DPAPI key gets changed when an account password is rotated, so you'll need to remember to rebuild the credential when that happens.
I've found the solution to my problem.
The reason was that the path to the credentials was ".\secretMDM.xml".
The task scheduler executes the script at a different location.
Therefore I had to specify the whole path of the file.
Thanks for the help anyway.
Edit:
Out of interest I created the "Credential" - XML files with the Task Scheduler. Have a look where it stores the files ;)
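As an added example (not the poster's script or the answerer's code) covering both the DPAPI scope described in the answer and the relative-path cause the poster found: the script side anchors the credential file to the script's own folder, refuses relative paths, and forces the DPAPI decryption immediately so a mismatch fails loudly; the registration side runs the task as a named account with an absolute script path and explicit working directory. The task name, account and schedule are placeholders; the script path is the one from the post.

```powershell
# --- In the report script: resolve the credential file relative to the script, not to
# --- whatever working directory Task Scheduler starts powershell.exe in.
$CredentialsMDM = Join-Path -Path $PSScriptRoot -ChildPath 'secretMDM.xml'

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Message = 'Credentials'
    )
    if (-not [System.IO.Path]::IsPathRooted($Path)) {
        throw "Credential path '$Path' is relative; under Task Scheduler it would resolve against the task's working directory."
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        # Export-Clixml protects the SecureString with DPAPI, so the file can only be read back by
        # the same account on the same machine. This prompt only works interactively: run the
        # script once by hand as the task's account to create the file.
        Get-Credential -Message $Message | Export-Clixml -Path $Path
    }
    $cred = Import-Clixml -Path $Path
    if ($null -eq $cred -or $cred -isnot [System.Management.Automation.PSCredential]) {
        throw "'$Path' did not deserialize to a PSCredential."
    }
    # Decrypt now so a DPAPI mismatch (other user, other machine, rotated password) surfaces
    # here, rather than later as a null-valued expression.
    $null = $cred.GetNetworkCredential().Password
    return $cred
}

$CredsMDM = Get-StoredCredential -Path $CredentialsMDM -Message 'Credentials for MDM / Airwatch'

# --- Run once, interactively, by an administrator: register the task under the same account
# --- that created the XML (DPAPI scope), with an absolute -File path and a working directory.
function Register-ReportTask {
    param(
        [string]$ScriptPath = 'C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1',
        [string]$TaskName   = 'AD_Auswertung'                       # placeholder
    )
    $taskCred = Get-Credential -Message 'Account the task runs as (the one that exported the XML)'  # e.g. INTRA\svc-report (placeholder)
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`"" `
        -WorkingDirectory (Split-Path -Path $ScriptPath -Parent)
    $trigger = New-ScheduledTaskTrigger -Daily -At '06:00'
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User $taskCred.UserName -Password $taskCred.GetNetworkCredential().Password -RunLevel Highest
}
```

`-NonInteractive` makes the `Get-Credential` fallback fail immediately instead of hanging a scheduled run, which is what you want once the XML exists. If the account's password is rotated, delete the XML and recreate it as that account, as the answer notes.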

ADSI commands causing Access Denied errors

I'm attempting to set the description attribute in ADSI via PowerShell, but keep getting "access denied". It's executing from a non-privileged user, but the user does have Write All Properties permissions over this object. With those permissions, I don't see why I would need to be a DA to write to that attribute.
Example shown here:
$Computer = [ADSI]"LDAP://cn=TESTER,cn=Computers,dc=lab,dc=local"
$Computer.Put("description", "test")
$Computer.setinfo()
Exception calling "setinfo" with "0" argument(s): "Access is denied."
At line:1 char:1
+ $Computer.setinfo()
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
When I don't include the parentheses (e.g. $Computer.setinfo), it sets the attribute locally but never pushes it to AD. Yes, I'm running in an elevated PS session.
As @Lee_Dailey mentioned, you'd better include the error message in the original post.
About the issue, are you running the script in an elevated prompt? It does not matter whether user has permissions on AD object or not if the resource requires running in elevated prompt. You should explicitly run as administrator if it needs. Can you please check again to see if that is the case here?
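As an added example (not code from the question or the answer), the following PowerShell lists the ACEs on the object that can grant or deny a write to the `description` attribute, so you can see which identity the DC will actually evaluate, and then performs the write with an explicit credential for comparison. The LDAP path is the one from the question; the schemaIDGUID for `description` is the standard one and can be verified against the schema partition as noted in the comment.

```powershell
# schemaIDGUID of the 'description' attribute. Verify in your forest with:
#   Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -Filter { lDAPDisplayName -eq 'description' } -Properties schemaIDGUID
$DescriptionAttributeGuid = [guid]'bf967950-0de6-11d0-a285-00aa003049e2'

function Get-WriteAcesForAttribute {
    param(
        [Parameter(Mandatory)][string]$LdapPath,       # e.g. 'LDAP://cn=TESTER,cn=Computers,dc=lab,dc=local'
        [guid]$AttributeGuid = $DescriptionAttributeGuid
    )
    $entry = [ADSI]$LdapPath
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $writeMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                       [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                       [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    foreach ($r in $rules) {
        if (([int]$r.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        # Empty ObjectType = all properties; a specific GUID = one attribute. ACEs scoped to a
        # property set carry the set's GUID and are not resolved here.
        if ($r.ObjectType -ne [guid]::Empty -and $r.ObjectType -ne $AttributeGuid) { continue }
        [pscustomobject]@{
            Identity   = $r.IdentityReference.Value
            Type       = $r.AccessControlType      # a Deny entry wins over any Allow
            Rights     = $r.ActiveDirectoryRights
            ObjectType = $r.ObjectType
            Inherited  = $r.IsInherited
        }
    }
}

function Set-AdsiDescription {
    param(
        [Parameter(Mandatory)][string]$LdapPath,
        [Parameter(Mandatory)][string]$Value,
        [System.Management.Automation.PSCredential]$Credential   # optional: bind as a specific account
    )
    $entry = if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        [ADSI]$LdapPath
    }
    $who = if ($Credential) { $Credential.UserName } else { [System.Security.Principal.WindowsIdentity]::GetCurrent().Name }
    $entry.Put('description', $Value)
    $entry.SetInfo()   # the parentheses matter: without them nothing is committed to the DC
    Write-Verbose "Wrote description='$Value' as $who"
}

$path = 'LDAP://cn=TESTER,cn=Computers,dc=lab,dc=local'
Get-WriteAcesForAttribute -LdapPath $path | Format-Table -AutoSize
Set-AdsiDescription -LdapPath $path -Value 'test' -Credential (Get-Credential) -Verbose
```

If the ACE list shows the expected Allow for your user (or a group it belongs to) and no overriding Deny, but the write still fails, compare the identity printed by the verbose line with the one in the ACE: the DC authorises the account that performed the LDAP bind, not the account you believe the shell is running as.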

Can't set an user mailbox to a shared mailbox (Exchange)

I want to convert a user mailbox to a shared mailbox with the command below:
Set-Mailbox user@domain.com -Type shared
I'm getting this error message back (Sorry for bad format):
The operation couldn't be performed because object 'user@domain.com' couldn't be found on 'server-vm-02.domain.com'.
+ CategoryInfo : NotSpecified: (:) [Set-Mailbox], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=SERVER-VM-37,RequestId=1f445bc7-6d4c-4443-a0b3-8a0617d8e83a,TimeStamp=22.05.201 12:11:51] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 96F1E1EA,Microsoft.Exchange.Management.RecipientTasks.SetMailbox
+ PSComputerName : server-vm-37.domain.com
I've tried it with the user enabled and disabled in AD.
In the Portal Admin Center the account is blocked, but in my opinion it doesn't matter.
And yes, I typed the address correctly; I also tried the name and the username instead of the address, nothing worked.
Before doing a Set-Mailbox try a Get-Mailbox. Are you sure there is a mailbox under this UPN ? Are you on the Exchange Server or on your computer when you run this cmdlet ?
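As an added example (not code from the question or the answer), the following PowerShell does the Get-Mailbox check the answer asks for before converting, and when the identity is not a mailbox it reports what the recipient actually is, which is the usual reason for ManagementObjectNotFoundException. The server name is a placeholder; the optional `-DomainController` pins the lookup and the write to one DC so a replication lag cannot produce a false "not found".

```powershell
# Only needed when not already inside the Exchange Management Shell (server name is a placeholder).
function Connect-ExchangeOnPrem {
    param([Parameter(Mandatory)][string]$Server)
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$Server/PowerShell/" -Authentication Kerberos
    Import-PSSession $session -DisableNameChecking | Out-Null
}

function ConvertTo-SharedMailbox {
    param(
        [Parameter(Mandatory)][string]$Identity,   # UPN, alias or display name
        [string]$DomainController                  # optional: use the same DC for the read and the write
    )
    $dc = @{}
    if ($DomainController) { $dc['DomainController'] = $DomainController }

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction SilentlyContinue @dc
    if (-not $mbx) {
        # Set-Mailbox only works on mailboxes. Find out what, if anything, the identity resolves to.
        $rcpt = Get-Recipient -Identity $Identity -ErrorAction SilentlyContinue @dc
        if ($rcpt) {
            throw "'$Identity' is a $($rcpt.RecipientTypeDetails), not a mailbox in this organization."
        }
        throw "'$Identity' does not resolve to any recipient. Check the address and which Exchange organization this session is connected to."
    }
    if ($mbx.RecipientTypeDetails -eq 'SharedMailbox') {
        Write-Verbose "$($mbx.PrimarySmtpAddress) is already a shared mailbox"
        return $mbx
    }
    Set-Mailbox -Identity $mbx.Identity -Type Shared @dc
    Get-Mailbox -Identity $mbx.Identity @dc
}

ConvertTo-SharedMailbox -Identity 'user@domain.com' -Verbose
```

If the thrown message says the recipient is a RemoteUserMailbox, the mailbox lives in Exchange Online (which matches an account that is visible in the admin portal) and has to be converted there, not on the on-premises server.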

Import contacts from GAL to users accounts in Office 365

My organization moved to Office 365 and users should have all GAL contacts in their Contacts folder and on their phones. I tried to use a Steve!
But I've got:
Exception calling "AutodiscoverUrl" with "1" argument(s): "Autodiscover blocked a potentially insecure redirection to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml. To allow Autodiscover to follow the redirection, use the AutodiscoverUrl(string, AutodiscoverRedirectionUrlValidationCallback) overload."
At C:\PS\Import-MailboxContacts.ps1:159 char:9
+ $service.AutodiscoverUrl($EmailAddress);
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : AutodiscoverLocalException
Any ideas how I can add contacts?
In that script you reference you need to change the line
$service.AutodiscoverUrl($EmailAddress);
to
$service.AutodiscoverUrl($MailboxName,{$true})
This will essentially allow the Autodiscover redirection you need for Office 365.
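As an added example (not the referenced script and not the answerer's code): the error exists because Autodiscover can be redirected to an arbitrary host, and a callback of `{$true}` follows any redirect, including one to plain HTTP, with the user's credentials attached. The callback below only accepts HTTPS URLs on the Autodiscover hosts you expect for Office 365. It uses the same `AutodiscoverUrl(string, AutodiscoverRedirectionUrlValidationCallback)` overload the error message names. The DLL path and the mailbox address are assumptions.

```powershell
# EWS Managed API 2.2 default install path (assumption; adjust to where the DLL actually lives).
Add-Type -Path 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'

# Autodiscover hosts that may legitimately be handed back for an Office 365 tenant.
$AllowedAutodiscoverHosts = @('autodiscover-s.outlook.com', 'autodiscover.outlook.com')

function Test-AutodiscoverRedirect {
    param([string]$RedirectionUrl)
    $uri = $null
    if (-not [System.Uri]::TryCreate($RedirectionUrl, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -ne 'https') { return $false }              # never follow a redirect to plain HTTP
    return ($AllowedAutodiscoverHosts -contains $uri.Host)      # and only to hosts we expect
}

function New-EwsService {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    $service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService(
        [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
    $service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials(
        $Credential.UserName, $Credential.GetNetworkCredential().Password)

    # PowerShell converts the script block to the delegate type the overload expects.
    $callback = [Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverRedirectionUrlValidationCallback] {
        param([string]$url)
        $ok = Test-AutodiscoverRedirect -RedirectionUrl $url
        if (-not $ok) { Write-Warning "Refusing Autodiscover redirect to $url" }
        return $ok
    }
    $service.AutodiscoverUrl($EmailAddress, $callback)
    return $service
}

$service = New-EwsService -EmailAddress 'user@contoso.com' -Credential (Get-Credential)
$service.Url
```

Extend `$AllowedAutodiscoverHosts` with your own on-premises Autodiscover host names if the script must also run against a hybrid deployment; keeping the list explicit is the point, since the callback is the only thing standing between the client and a redirect to a host you do not control.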