I need to write a program / script to change the account name and password on certain services running on a remote server. I intend to do it with PowerShell. Is that the best solution or is there something else that would be more suitable?
A quick Google search brought up this script:
$account="domain\userName"
$password="password"
$svc=gwmi win32_service -filter "name='alerter'"
$svc.change($null,$null,$null,$null,$null,$null,$account,$password,$null,$null,$null)
Am I mistaken in thinking the above script works on the local machine? If that is true, how do I do the same for a service on a remote machine?
The command is running on your local machine. Use the -ComputerName parameter to run it on remote systems.
$svc=gwmi win32_service -filter "name='alerter'" -ComputerName Server1,Server2
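One way to apply the answer above without keeping the password in the script and with the result of each change checked, as an added example that is not part of the original thread. The function name `Set-RemoteServiceAccount` and the status table are assumptions; the server and service names are the ones used above.

```powershell
# Added example: change a service's logon account on remote servers over WMI.
function Set-RemoteServiceAccount {
    param(
        [Parameter(Mandatory=$true)] [string[]] $ComputerName,
        # Restrict the name, because it is placed inside the WQL filter below.
        [Parameter(Mandatory=$true)] [ValidatePattern('^[\w .-]+$')] [string] $ServiceName,
        [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential] $ServiceCredential
    )
    # A few of the documented Win32_Service.Change return codes.
    $meaning = @{ 0 = 'Success'; 2 = 'Access denied'; 15 = 'Service logon failed'
                  21 = 'Invalid parameter'; 22 = 'Invalid service account' }
    foreach ($computer in $ComputerName) {
        $status = 'Service not found'
        try {
            # PacketPrivacy encrypts the WMI (DCOM) traffic that carries the password.
            $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'" `
                -ComputerName $computer -Authentication PacketPrivacy -ErrorAction Stop
            if ($svc) {
                # Same 11-argument call as the script above: only StartName and
                # StartPassword are set, $null leaves the other settings unchanged.
                $result = $svc.Change($null, $null, $null, $null, $null, $null,
                    $ServiceCredential.UserName,
                    $ServiceCredential.GetNetworkCredential().Password,
                    $null, $null, $null)
                $code = [int]$result.ReturnValue
                $status = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { "Code $code" }
            }
        }
        catch {
            $status = "Error: $($_.Exception.Message)"
        }
        # One result row per server, so a failed change is visible instead of silent.
        New-Object PSObject -Property @{ Computer = $computer; Service = $ServiceName; Status = $status }
    }
}

# Prompt for the account instead of storing the password in the script.
$cred = Get-Credential
Set-RemoteServiceAccount -ComputerName Server1, Server2 -ServiceName alerter -ServiceCredential $cred
```

The new account is used the next time the service starts, so a row reporting `Success` still needs a service restart before the change takes effect.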
I have written a script that connects to a Windows Server machine using WinRM in order to run a script that exists on that machine, PS_Block_Access_Internet_GPO.ps1, but the script is not executed even though the session was created successfully.
Besides, the script needs administrator privileges to be executed, so how can I provide the needed privileges for the script using PowerShell?
Enable-PSRemoting
Enter-PSSession -ComputerName Server.Admin.6NLG-AD
.\PS_Block_Internet_Access_GPO.ps1
To run a local script against a remote computer I would use Invoke-Command; this doesn't need the script to be present on the remote computer.
Invoke-Command -ComputerName 'Server.Admin.6NLG-AD' -FilePath C:\Folder\myScript.ps1
As your script looks to create a GPO, you may likely need to use an alternative user account with appropriate permissions on your domain...
You can use the Credential param to specify an account like this:
Invoke-Command -ComputerName 'Server.Admin.6NLG-AD' -FilePath C:\Folder\myScript.ps1 -Credential Domain\Username
So here's my issue.
A company we acquired uses a jump box, which is a server that I need to access to be able to jump to other servers.
So I'm running a script to enter the jump box, and then run get-aduser to access 3 other domains that are accessible by this server.
If I use mstsc to remote into the box, I can run the command:
get-aduser -filter * -server firstdomain.com
This runs fine and gathers all the users. However, if I run a script that uses PSRemoting and then try to run the command above, it returns an error stating that it cannot find the server.
The commands look like this:
enter-pssession -computer 10.0.2.70 -credential (get-credential)
The command line changes to indicate that future commands are run through the server I've remoted into.
[10.0.2.70]: PS C:\windows\system32> get-aduser -filter * -server firstdomain.com
This returns the error stating that it cannot find the server. Any ideas?
It seems I can not find clearly written somewhere that when using WMI accelerator in a PowerShell script, you can not pass on authentication.
A little background ...
I am writing PowerShell scripts for SCCM 2012 and found, for instance, the following quite using :
PS R:\> ([wmi]((gwmi -namespace root\sms\site_AAA -class SMS_Application -filter "LocalizedDisplayName LIKE '%Winzip_Tartempion%'").__PATH)).SDMPackageXML
When executed locally (on the SCCM primary server), it works fine and swiftly.
However, the following ends up in error when executed from my desktop computer running W7 :
PS R:\> ([wmi]((gwmi -namespace root\sms\site_AAA -credential $cred -ComputerName CEMTECH -class SMS_Application -filter "LocalizedDisplayName LIKE '%Winzip_Tartempion%'").__PATH)).SDMPackageXML
For the time being, using a PSSession is out of the question.
With the current infrastructure I have to deal with, using SCCM commandlet is out of the question.
My only question here is : can you confirm that we can not pass any authentication with a WMI accelerator ? At that point, I am searching for that answer mainly for my curiosity. I found a way to manage with my current constraints. It is just that I find the accelerators so "elegant".
Now why do I need it ? I need to access "lazy properties" without using SCCM cmdlets, from a desktop computer to which the user is logged on with an account which will not be the same as the name authorized to connect/access the SCCM primary server.
What I still did not find is how to use "*.__PATH" with the Get-WMIObject cmdlet.
The WMI-accelerator [wmi] doesn't support alternate credentials.
Why do you need it? You could just run:
$obj = Get-WmiObject -namespace root\sms\site_P41 -credential $cred -ComputerName qs07352 -class SMS_Application -filter "LocalizedDisplayName LIKE '%Winzip_Tartempion%'"
$obj.Get()
$obj.SDMPackageXML
All our testboxes run on VMs (windows server 2003/08) and testers access them via remote desktop only.
Some maintenance steps require kicking all users from the system and deactivating access via remote desktop.
I started to write the maintenance scripts in PowerShell and am looking for a way to temporarily deactivate remote desktop. Is that possible? Are there any straightforward solutions to this?
What I have tried so far:
A colleague recommended turning off the netlogon service, but I can still log on with remote desktop.
Another colleague recommended blocking the port for remote desktop with the firewall, but somehow that does not feel right to me (?) because I don't want to change one part of a system to affect another part. Am I too picky ... ? ;)
Any hints highly appreciated.
Cheers,
Tobi
You need to set the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
value to 1 by default to disable remote desktop, but it needs a reboot.
Another way that seems not to need a reboot (NOT TESTED):
$ts=get-WMIObject Win32_TerminalServiceSetting -computername remotemachinename
$ts.SetAllowTSConnections(0)
Now I have found a solution that works perfect for me. Windows Server 2008 comes with a feature called "Terminal Services Server Drain Mode"
... the TS Server Drain Mode prevents new users from logging onto the server, while allowing currently logged on users to reconnect to their existing sessions. By waiting for existing users to save their work and log off, the administrator can take a terminal server down for maintenance without causing user data loss.
Before I activate the drain mode I ensure that no one is logged in, and then I activate the drain mode with the following code:
# The opening brace must be on the same line as -ScriptBlock
Invoke-Command -ComputerName myServerHostName -ScriptBlock {
    Set-ItemProperty -Path "HKLM:\SYSTEM\Currentcontrolset\control\Terminal Server" -Name TSServerDrainMode -Value 1
}
Although I am changing a registry key, I am not required to reboot the server for the changes to be effective. This works without a reboot.
When I am done performing maintenance work I deactivate drain mode with "-Value 0" and users are able to log in again.
Works like a charm!
My original answer was:
My preferred solution that I have found through extensive web search is as follows (also untested):
$Terminal = Get-WmiObject Win32_Terminal -Computer "ComputerName"
$Terminal.Enable($True)
Other possible and interesting code snippets, or variations on the topic, that I have found:
$myWmiObject = Get-WmiObject -namespace "root\CIMV2\TerminalServices" -class Win32_Terminal -Computer "ComputerName" -Authentication PacketPrivacy
or
Set-WmiInstance -namespace "root\CIMV2\TerminalServices" -class Win32_Terminal -ComputerName "ComputerName" -Authentication PacketPrivacy -Argument @{fEnableTerminal=0}
or
Get-WmiObject -ComputerName "ComputerName" -namespace root/cimv2/terminalservices -class Win32_Terminal -Authentication PacketPrivacy
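The drain-mode toggle from the answer above, wrapped so that the server is put back into normal mode even when the maintenance step fails; this is an added example, not code from the original thread. The function name `Invoke-WithDrainMode` and the placeholder maintenance step are assumptions; the registry path, value name and the values 1 and 0 are the ones given in the answer.

```powershell
# Added example: run a maintenance script block while the server is in drain mode.
function Invoke-WithDrainMode {
    param(
        [Parameter(Mandatory=$true)] [string]      $ComputerName,
        [Parameter(Mandatory=$true)] [scriptblock] $Maintenance
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Writes the value on the remote side and returns what is actually stored.
    $setDrain = {
        param($Path, $Value)
        Set-ItemProperty -Path $Path -Name TSServerDrainMode -Value $Value
        (Get-ItemProperty -Path $Path -Name TSServerDrainMode).TSServerDrainMode
    }
    $session = New-PSSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        $now = Invoke-Command -Session $session -ScriptBlock $setDrain -ArgumentList $key, 1
        if ($now -ne 1) { throw "Drain mode was not set on $ComputerName" }
        # New logons are refused from here on; run the actual work.
        Invoke-Command -Session $session -ScriptBlock $Maintenance -ErrorAction Stop
    }
    finally {
        # Runs on success and on failure, so the server is never left refusing logons.
        $now = Invoke-Command -Session $session -ScriptBlock $setDrain -ArgumentList $key, 0
        if ($now -ne 0) { Write-Warning "Drain mode is still active on $ComputerName" }
        Remove-PSSession $session
    }
}

# Placeholder maintenance step; replace with the real work.
Invoke-WithDrainMode -ComputerName myServerHostName -Maintenance { Get-Date }
```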
I use this gWmi code frequently :
#Remote change logon /disable
$TS_Connector = gwmi Win32_TerminalServiceSetting -N "root/cimv2/terminalservices" -computername $ServerName -Authentication PacketPrivacy
$TS_Connector.Logons=1
$TS_Connector.Put()
and for enable logons
#Remote change logon /enable
$TS_Connector = gwmi Win32_TerminalServiceSetting -N "root/cimv2/terminalservices" -computername $ServerName -Authentication PacketPrivacy
$TS_Connector.Logons=0
$TS_Connector.Put()
instead of Invoke-Command, because it needs RPC opened, and RPC connections are disabled by default on Windows.
Looking for something else this morning (coincidentally) I saw this: "Checking and enabling Remote Desktop with PowerShell".
Summary: involves registry manipulation.
I'm trying to automate application installation on new server instances, but I'm running into an issue when the user I'm impersonating hasn't logged onto the system before.
It seems there are some necessary files or registry entries created during profile creation at first logon that the application needs to access when installing.
My question is primarily how I can use PowerShell to automate the initiation of a domain account profile on a Server 2008 instance?
My initial extremely hacky thought was to initiate an rdp session from a connection file using mstsc.exe, wait for the initial setup to complete, then log the user off, but I'm thinking there has to be a cleaner way.
Also, these processes must all be run locally from the machine using a local user account that has admin rights.
You could try running psexec from within PowerShell to create the user profile on the remote system before you start the install process.
psexec.exe \\Server.domain.com cmd
exit
I know this is an old thread but it was one of the results when I was looking for a way to create a user profile on several remote machines on a domain. Here's how I finally did it, though it is likely not the most efficient method:
Import-Module ActiveDirectory
# Nothing has to run remotely, so the script block is left empty
$scriptblock = {}
$Cred = Get-Credential $env:userdomain\$env:username
# Names of all computers whose name starts with WS
$comps = Get-ADComputer -Filter "Name -like 'WS*'" | Select-Object -ExpandProperty Name
foreach ($comp in $comps)
{
    Invoke-Command -ComputerName $comp -ScriptBlock $scriptblock -Credential $Cred -Authentication CredSSP
}