Access exe from UNC path - PowerShell

I want to run portqry from a different forest using the script below, but I receive a "path can't be found" error. When accessing the file from the network share, I can access it manually with no issue from the remote domain.
# Get forest name
$domain = "spos02600287.test.net"
$contextType = [system.directoryservices.activedirectory.Directorycontexttype]::Domain
$domain ="$domain"
$domainContext = new-object system.directoryservices.ActiveDirectory.DirectoryContext @($contextType,$domain)
#Query the Forest and PDC Role Emulator
$Server = [system.DirectoryServices.Activedirectory.Domain]::GetDomain($domaincontext)
$passwords = "newtemp123"
$user = "$domain\Administrator"
$password = $Passwords | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -argument $user, $password
$PDC =$server.Name
foreach ( $serv in $PDC){
$Server = "d.root-servers.net"
$Port = "53"
Invoke-Command -ComputerName $serv -Credential $creds -ScriptBlock {\\10.28.64.15\EXE\portqry.exe -n $Server -e $Port -p UDP }}

What you are experiencing looks like the famous PowerShell double hop issue.
Basically, when remoting via Invoke-Command you can't access a remote location.
Also, you seem to be missing brackets after "-ScriptBlock"?
Here is some more information on the issue.
And here, from MSDN.

The issue was resolved by just adding -authentication credssp to the Invoke-Command line, like below:
Invoke-Command -ComputerName $serv -Credential $creds -authentication credssp -ScriptBlock {...}
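
An alternative to CredSSP for the second hop discussed above, added here as an example and not part of the original posts: authenticate to the share explicitly from inside the remote session, so the remote host is not handed delegated credentials for arbitrary further hops. The target name `dc01.example.test` and the drive name `PQ` are placeholders; the share path and portqry arguments are the ones from the question.

```powershell
# Added example (not from the original thread).
# Requires PowerShell 3.0+ for the $using: scope modifier.
$serv   = 'dc01.example.test'       # placeholder: the remote computer to run on
$creds  = Get-Credential            # prompt instead of embedding a plaintext password
$share  = '\\10.28.64.15\EXE'       # share from the question
$target = 'd.root-servers.net'
$port   = 53

Invoke-Command -ComputerName $serv -Credential $creds -ScriptBlock {
    # The remote session holds only a network logon token, so it cannot
    # authenticate onward to the file server by itself. Mapping the share
    # with explicit credentials performs that second authentication directly.
    $null = New-PSDrive -Name PQ -PSProvider FileSystem -Root $using:share `
                        -Credential $using:creds -ErrorAction Stop
    try {
        # Local variables must be brought in with $using:, otherwise
        # they are empty inside the remote script block.
        & 'PQ:\portqry.exe' -n $using:target -e $using:port -p UDP
    }
    finally {
        # Drop the mapping so the connection does not outlive the command.
        Remove-PSDrive -Name PQ -ErrorAction SilentlyContinue
    }
}
```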

Related

Need to execute winrm set winrm/config/client '@{TrustedHosts="192.168.4.231"}' command from PowerShell script from remote

I am firing the following script from a remote machine to add the executor IP (192.168.4.231) to the trusted list. The script below is getting fired, but I am not getting the desired results.
Please let me know if there is anything wrong with the way I am executing the script below.
$servers = @("192.168.4.236")
foreach($server in $servers) {
$username = 'administrator'
$password = '*******'
$pw = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object Management.Automation.PSCredential ($username, $pw)
$s = New-PSSession -ComputerName $server -Credential $cred
Enter-PSSession $s
Invoke-Command -Session $s -Scriptblock {
Invoke-Expression 'winrm set winrm/config/client '@{TrustedHosts="192.168.4.231"}''
}
Write-Host "Completed"
Remove-PSSession $s
}

Execute remote PS command properly

I'm trying to change passwords on more than 1000 hosts running Windows Server 2008/2012. They are assigned to different domains, so I connect to them via their IP; all of them have PowerShell remoting open.
I'm stuck at my script implementation. For now I just want to connect to a single host and change the password of the user or admin, whatever.
Here is the code I use:
$username = "UserWhose Password I want to change"
$password = ConvertTo-SecureString "users old password" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
$serverNameOrIp = "host ip address here"
$s = New-PSSession -ComputerName $serverNameOrIp -Authentication default -Credential $cred
#invoke the scriptblock remotely
$sb = {
"[ADSI]`$Admin=`"WinNT://$env:COMPUTERNAME/$env:USERNAME`""
"`$Admin.SetPassword(`"Users new password`")"
}
Invoke-Command -Session $s -ScriptBlock $sb
Remove-PSSession $s
Now, the console output I get:
PS C:\> ./script
[ADSI]$Admin="WinNT://WIN-TA49U0TR9GT/Administrator"
$Admin.SetPassword("Users new password")
PS C:\>
"WinNT://WIN-TA49U0TR9GT/Administrator" belongs to remote host, my local computername and a username are different.
I'm not getting any error or proper output here. The password isn't changing. If I try to run these commands manually on any host - it works.
Any suggestions? Maybe a working solution?
You define the commands you want to run on the remote host as strings inside a scriptblock. When you invoke the scriptblock on the remote host it does what PowerShell does with all bare strings: echo them.
Remove the outer quoting and escaping and the code should work as you expect:
$sb = {
[ADSI]$Admin = "WinNT://$env:COMPUTERNAME/$env:USERNAME"
$Admin.SetPassword("Users new password")
}
The scriptblock already prevents variables from being expanded in the current context.
Posting a complete working script that accepts console arguments, connects to the specified host and changes the user password.
ARGS = IP USERNAME OLDPASS NEWPASS
Hope this will help somebody
$serverNameOrIp = $args[0]
$username = $args[1]
$password = ConvertTo-SecureString -String $args[2] -AsPlainText -Force
$newPassword = $args[3]
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
$s = New-PSSession -ComputerName $serverNameOrIp -Authentication default -Credential $cred
$sb = {
param($newPassword)
[ADSI]$Admin = "WinNT://$env:COMPUTERNAME/$env:USERNAME"
$Admin.SetPassword($newPassword)
}
Invoke-Command -Session $s -ScriptBlock $sb -args $newPassword
Remove-PSSession $s

Powershell command fails with "Invalid namespace" only when running as script, not in console

The following script fails on the last line with Get-WmiObject : Invalid namespace:
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred= New-Object System.Management.Automation.PSCredential ("domain\user", $password )
Write-Host "Entering PS Session..."
Enter-PSSession -Computer hyperVServer -Credential $cred
Start-Sleep -s 5
$server = "servername"
$query = "SELECT * FROM Msvm_ComputerSystem WHERE ElementName='" + $server + "'"
$VM = get-wmiobject -query $query -namespace "root\virtualization" -computername "."
However, when I enter this one-by-one into the console, it runs without issue.
I've added the Start-Sleep due to some timing issues... the session takes a few seconds to actually open. Any ideas why that line would fail only when this is running as a script?
Enter-PSSession is intended only for interactive use. If you want to run commands on a remote system in a script (non-interactively), you'll need to use Invoke-Command instead. Please run Get-Help Invoke-Command -Full for more details.
Not sure why it works in one and not the other, but I'm assuming it's something to do with your remote session. Here's a list of commands that do not require a remote session, but rather just take a computer name. http://technet.microsoft.com/en-us/library/dd819505.aspx
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred= New-Object System.Management.Automation.PSCredential ("domain\user", $password )
$server = "servername"
$query = "SELECT * FROM Msvm_ComputerSystem WHERE ElementName='$server'"
$VM = get-wmiobject -query $query -namespace "root\virtualization" -computername hyperVServer -credential $cred
Edited your query concat too.
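
The Invoke-Command approach suggested in the first answer, written out as an added example that is not part of the original posts. The computer name, VM name and namespace are the question's; the escaping of the VM name before it is placed in the WQL string is an addition, so that a name containing a quote or backslash cannot break or alter the query.

```powershell
# Added example (not from the original thread). Windows PowerShell 3.0+.
$cred   = Get-Credential 'domain\user'   # prompt instead of a plaintext password
$server = 'servername'                   # VM name from the question

$VM = Invoke-Command -ComputerName hyperVServer -Credential $cred -ScriptBlock {
    $name = $using:server

    # WQL string literals use backslash escapes: escape \ first, then '.
    $name = $name -replace '\\', '\\'
    $name = $name -replace "'", "\'"

    $query = "SELECT * FROM Msvm_ComputerSystem WHERE ElementName='$name'"

    # Runs on hyperVServer itself, so no -ComputerName is needed here.
    Get-WmiObject -Namespace 'root\virtualization' -Query $query
}

# The result comes back as a deserialized snapshot: properties are
# readable locally, but WMI methods must be called inside the script block.
$VM | Select-Object ElementName, Name, EnabledState
```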

Invoke-Command Elevation Issue

I'm trying to run Invoke-Command with an answer file to the user credentials but I can't seem to get it to finish running. I'm using a local administrator account so nothing on the domain. Here is what I have and the error:
$Username = "$Env:Computername\admin"
$Pass = ConvertTo-SecureString "12345" -AsPlainText -Force
$User = New-Object Management.Automation.PSCredential($UserName, $Pass)
Invoke-Command -ComputerName $Env:Computername -Credential $User -ScriptBlock {
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'DontDisplayLastUserName'
Set-ItemProperty -path $Path -name $Name -value 0
}
And the error:
[computer] Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: There are currently no logon servers available to service the logon request.
Any help is greatly appreciated.
Working Solution:
$Username = "$Env:Computername\admin"
$Pass = ConvertTo-SecureString "12345" -AsPlainText -Force
$User = New-Object Management.Automation.PSCredential($UserName, $Pass)
Invoke-Command -ComputerName localhost -Credential $User -ScriptBlock {
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'DontDisplayLastUserName'
Set-ItemProperty -path $Path -name $Name -value 0
}
I finally figured out the problem, hit me kind of randomly. The following line needed to be changed.
Before:
Invoke-Command -ComputerName $Env:Computername
After:
Invoke-Command -ComputerName localhost
Without localhost it was looking at it like a remote computer and not allowing it access.

Adding Current User To Administrators Group

I'm working on a script that will check if a user is an Administrator and then, if they're not, it'll add them on the spot, log off, and then I can log back on to test. This is the part where I'm running into problems:
$Cred = Get-Credential ("$env:COMPUTERNAME\Administrator")
$Group = [ADSI]("WinNT://"+$env:COMPUTERNAME+"/Administrators,Group")
$User = $env:USERNAME
$Domain = $env:USERDOMAIN
Invoke-Command -Computername localhost -Cred $Cred -ScriptBlock {$Group.add("WinNT://$Domain/$User,user")}
Every time I run this I get the following error:
You cannot call a method on a null-valued expression.
Any ideas what I can do to fix this issue?
Working solution:
$Cred = Get-Credential ("$env:COMPUTERNAME\Administrator")
$User = $env:USERNAME
$Domain = $env:USERDOMAIN
Invoke-Command -Computername localhost -Cred $Cred -ScriptBlock {
param ($User, $Domain, $ComputerName)
$Group = [ADSI]("WinNT://$ComputerName/Administrators,Group")
$Group.add("WinNT://$Domain/$User,user")
} -ArgumentList $User, $Domain, $ENV:COMPUTERNAME
Invoke-Command will know nothing about the $Group variable; that's the reason why it does not work like that. You need to pass your variables to the scriptblock using the -ArgumentList parameter.
Also: I would rather define things like $Group inside this scriptblock:
$Cred = Get-Credential ("$env:COMPUTERNAME\Administrator")
$User = $env:USERNAME
$Domain = $env:USERDOMAIN
Invoke-Command -Computername localhost -Cred $Cred -ScriptBlock {
param ($User, $Domain, $ComputerName)
$Group = [ADSI]("WinNT://$ComputerName/Administrators,Group")
$Group.add("WinNT://$Domain/$User,user")
} -ArgumentList $User, $Domain, $ENV:COMPUTERNAME
HTH
Bartek
PS: just one question: why not do it the simple way, with:
net localgroup administrators domain\user /add