My company uses multiple tablets with Windows 10 managed by AAD and Intune. The devices have SIM cards with private (10.) non-static IP's. We are deploying images and files onto them by using Powershell.
These machines have to be reinstalled quite frequent and sometimes it can not download from the Blob using cellular or ethernet connection from the office. The problem is not permanent sometimes on some devices it occurs. Suspicious that the problem appears when multiple devices are on the same network or at place (cellular..). For example if I run the script at home it works.
Azure Networkings/Enabled from all networks config solves but doesn't it make it vulnerable?
These are on private network so i can not add them to the Azure firewall exception.
If I open the url from browser (which works when it works) throws me the same error as Powerhell.
$Wallpaper_filePath = "C:\Users\me\downloads\wallpaper1.jpg"
$Wallpaper_url = "https://eonhsdeploy.blob.core.windows.net/mycompany/Desktop/wallpaper1.jpg"
Invoke-WebRequest $Wallpaper_url -OutFile $Wallpaper_filePath -UseBasicParsing
Invoke-WebRequest : AuthorizationFailureThis request is not authorized to perform this operation.
RequestId:898e3643-f01e-0062-1130-371d50000000
Time:2023-02-02T18:03:57.5418157Z
At line:74 char:1
+ Invoke-WebRequest $Wallpaper_url -OutFile $Wallpaper_filePath -UseBas ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebReques
t], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCo
mmand
The script is working fine from my computer and also from tablets but when there is a massive reinstall session this is what happens.
Thank you for your help!
Related
I'm writing a script to add users remotely (via RSAT), from a windows machine that queries the Domain Controller of an Active Directory domain.
To do this, in the New-AdUser command I use the options -Server and -Credential , where ip is the ip address of the Domain Controller and credentials are the authentication credentials of a user with write permissions.
I state that LDAP connections work because I also perform other operations in the Domain Controller (Read).
The error I get when I try to add a user in the manner described above is this (x is a placeholder):
+ CategoryInfo: PermissionDenied: (CN = x, DC = x: String) [New-ADUser], UnauthorizedAccessException
+ FullyQualifiedErrorId: ActiveDirectoryCmdlet: System.UnauthorizedAccessException, Microsoft.ActiveDirectory.Management.Commands
.NewADUser
I was wondering if the problem is that it is not possible to perform write operations from non-joined machines in the active directory domain.
Working on grabbing windows 7 event logs remotely using powershell. My powershell script works locally.
Get-WinEvent -ComputerName localhost -LogName Security -MaxEvents 10
to access it remotely I modified it for
Get-WinEvent -ComputerName remotecomputer -LogName Security -MaxEvents 10
To access it remotely I modified the windows firewall to allow Remote Event Log Management (RPC) to allow it but I still get -
"Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.."
Saw some blogs about adding customsd to registry but that looked like it was for windows servers. Also tried using -Credentials and no luck, also, remote registy and rpc services are both running.
Any suggestions?
I wanted to put my answer on here that with admin rights it seems like you can query powershell logs using xml over the network. If you use xml it seems to use the windows credentials and winrm isn't necessary. We didn't even have to enable "remote event log management" in the windows firewall. If you have the right windows credentials it just works. Powershell is incredible.
I have a script that I need to write an audit event to the Windows Security log when it has completed showing the user who ran it.
I can write to any log apart from the security log.
How can I do this?
New-EventLog -LogName Security -Source "MyApp"
Write-EventLog -LogName Security -source "MyApp" -EntryType Information -EventId 1 -Message "Script run by X"
When the name is changed from Security to Application or System, it works - but, I keep getting the following when using Security:
Write-EventLog : The registry key for the log "Security" for source
"msevent" could not be opened. At line:1 char:1
+ Write-EventLog -LogName Security -source "msevent" -EntryType Information -Event ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Write-EventLog], Exception
+ FullyQualifiedErrorId : AccessDenied,Microsoft.PowerShell.Commands.WriteEventLogCommand
I am the admin and not sure why this happens, even after trying to modify registry security permissions.
Does anyone know how I can do this?
MS Documentation:
Only the Local Security Authority (Lsass.exe) has write permission for
the Security log. No other account can request this privilege. To
write an event to the Security log, use the AuthzReportSecurityEvent
function.
here is a link to the documentation: Event Logging Security
Also here is a link that covers accessing the Win API from powershell which should help with the implementation in case you absolutely have to use the Security log: Use PowerShell to Interact with the Windows API: Part 1
I am sorry to not provide a full example but due to time restrictions this will have to do it for now.
Regards
Eleveated processes can write to the security event log by using the AuthzReportSecurityEvent function.
The Vanara project provides .NET interop wrappers for this API and is available as a Nuget package for .NET developers. It would probably serve as a good starting point for creating something that was consumable via PowerShell.
I’m trying to setup Windows Server AppFabric Cache on my local computer. Eventually I get to the point of connecting my C# .NET application to the distributed cache and I get an error. To confirm that the cache is up and running and configured correctly I execute the
“Get-CacheClusterHealth” in PowerShell. When I do this I get the following error:
Get-CacheClusterHealth :
ErrorCode:SubStatus:Failed to connect to hosts
in the cluster At line:1 char:23
+ Get-CacheClusterHealth <<<< -debug
+ CategoryInfo : NotSpecified: (:) [Get-CacheClusterHealth], DataCacheException
+ FullyQualifiedErrorId : Microsoft.ApplicationServer.Caching.DataCacheException,Microsoft.ApplicationServer.Cachi
ng.Commands.GetCacheClusterHealthCommand
I'm installing AppFrabic Cache on a work computer that is attached to a domain. Since I just need a proof-of-concept I'm using XML provider. In the past I have successfully installed AppFabric Cache in other environments, but having issues installing on my local computer.
Since Appfabric Cache is somewhat of a beast to configure, I thought it would be beneficial that I provide the steps I went through to reproduce the issue:
I finally figured it out. After I registered the host using "Register-CacheHost" I should have called "Add-CacheHost".
After I called "Add-CacheHost" I then called "Get-CacheClusterHealth". I finally got the results I expected.
The primary purpose was to create a Proof-Of-Concept in C# that would access AppFabric Cache on a local computer. When I executed the application which was running under my credentials I received the following error:
This is error seems to be a catch-all error. I've seen this error multiple times for different issues.
Since the application was executing with my credentials I needed to give my account permissions to access the cache. It did this by using "Grant-CacheAllowedClientAccount"
Now the cache is working with my application. I was able to get this to work on a computer that was attached to the domain and also to a computer that was in a workgroup.
We have a fairly complex system we're developing involving a few different applications (MVC, http-based WCF, TCP-based WCF, ADFS, and some generic Worker Roles), all deployed to Azure. For local debugging, we need these to run in the local Dev fabric as well as IIS. I've accomplished pretty much everything I need to and it all works, with the exception of one thing: I can't predict what IP address various things will bind to in the Dev Fabric. Sometimes it's 127.0.0.1, sometimes it's 127.0.0.3, and sometimes it's 127.0.0.4 (and maybe some others?). For my config file transforms and ADFS relying-party trusts, I need to know what these IPs will be in advance.
How do I manage/control (or at least predict) these IP addresses specifically for my web site? (WCF is all good) If I can actually get everything deployed to my dev fabric with the proper IPs being referenced, then everything works! However, it's very cumbersome to do and takes several tweaks to web.config and app.config transformation files every single time I need to (not to mention reconfiguring the ADFS server every time it changes), so this isn't a sustainable situation by any means!
We had a similar challenge with an ASP.NET MVC solution that uses a second web role running a WIF STS for Claims-Based Authentication. The web.config of the MVC application needed to know the non-load balancer IP address of the STS when running in the local emulator.
In addition, we have custom code building URL routes that only sees the internal IP address (127.255.0.X) assigned by the emulator. These routes would cause problems when passed back through the load balancer. We also shutdown the Default Web Site in IIS to guarantee the port remapping done by the emulator.
With the Azure 1.8 SDK, we observed the local emulator would consistently assign the 127.255.0.X addresses when the application was started from the command line and all other deployments in the dev fabric were removed.
We built a PowerShell script to startup the Web Roles from the command line once the solution was packaged inside VS2010. We have a build configuration and web transformation called AzureLocal we use to package for the local emulator.
Import-Module WebAdministration
Stop-WebSite 'Default Web Site'
$env:WindowsAzureEmulatorInstallPath = (Get-ItemProperty -Path "Registry::HKLM\Software\Microsoft\Windows Azure Emulator" -Name InstallPath).InstallPath
$env:ServiceHostingSDKInstallPath = $env:WindowsAzureEmulatorInstallPath + '.NET SDK\2012-10'
$env:Path = $env:WindowsAzureEmulatorInstallPath + 'emulator;' + $env:WindowsAzureEmulatorInstallPath + 'devstore;' + $env:ServiceHostingSDKInstallPath + 'bin;' + $env:Path
csrun /devfabric:start
csrun /devstore:start
csrun /removeAll
csrun /devfabric:clean
csrun Application\Foobar.Extensions.Azure\csx\AzureLocal Application\Foobar.Extensions.Azure\bin\AzureLocal\app.publish\ServiceConfiguration.Local.cscfg
Write-Host "Application Pools to Attach for Debugging"
get-item IIS:\AppPools\*
$ie = New-Object -ComObject InternetExplorer.Application
$ie.Navigate("https://127.255.0.1:444")
$ie.Visible = $true
Your applications sounds to have more moving parts than our STS and MVC combination, but if you can script the startup outside Visual Studio then you can get predictable address assignment.