Current situation:
We've got a domain with mostly Win Server 2022, including one database server. Next to that our backup server is in a different (accessible) VLAN, but did not join the domain (still in Workgroup). I've got a shared folder on our backup-server with permissions to Everyone.
Future situation:
I would love to write a powershell-script that automatically sends file from our Database-server (in domain) to our backup server (workgroup).
I keep struggling with permissions and auomatically putting them into the PowerShell scripting ... Anyone has got a solution to this?
You can authorize against the share with net-use first, then call your powershell
net use \\server\share /user:<domain\username> <password>
Or if you want to go powershell only, use the New-PSDrive cmdlet.
New-PSDrive -Name P -PSProvider FileSystem -Root \\Server01\Public -Credential user\domain -Persist
Hope this helps.
Related
I have a list of servers, and then another list of services on each of those servers. I am trying to remove it, change a few values in the .bat and then install the services again. Right now I have started a remote Powershell Session using
$PSsession = New-PSSession -ComputerName $server -Credential $Credential
Enter-PSSession -Session $PSsession
I have been mainly using the Invoke-Command -ScriptBlock {//somecodehere} -Session $PSsession in order to run each of the commands that I have used so far. My initial approach was to use sc.exe config $serviceName obj=$username password=$passwd, but each time I make the change on the remote server, it tells me that there is a NativeCommandError and that there is a logon issue with the service.
Is there a way that I can use the credentials provided by the user in order to change the username/password of a service in a secure way? Or does anyone have any recommendations on a better approach I could research?
So my solution to my own problem was to create a script and copy it over to the server. Then it ran the sc.exe command inside of the machine itself. Since it is another machine, you can't send the credentials through as variables if they are a SecureString. So my solution is just to create those variables normally and then make sure to delete them afterwards.
If you are working with confidential data, don't forget that you usually need to overwrite the variable 3 times before deleting it.
I found several answers on the web, but not really what I was searching for.
The issue is as follows:
When restoring a file with "Networker", the ACLs of the file are the same ones as when the file was backed up, regardles of inheritance in the folder the file is restored to. Meaning the inheritence of ACL does not affect the newly restored file.
This leaves me with the problem that only 3 Accounts have the right to alter the ACL.
The user, the file belongs to
The domain Admins
The system account
To solve the issue I would like to run an automated script fixing the ACL and activating the correct inheritance.
The system user for the script has to be one of the three.
The User is changing and thefore not a valid choice, also I dont want to leave any domain admin credentials nor give domain admin rights to a service account.
This leaves me with the system account to do the job and here comes the question:
How do I execute a task in powershell under system account credentials?
I tried
$username = "NT Authority\System"
$password = ConvertTo-SecureString -String "" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist #($username, $password)
Since the password is an empty I can not really create credentials with it.
The name of the account in all locales is .\LocalSystem. The name,
LocalSystem or ComputerName\LocalSystem can also be used. This account
does not have a password.
https://msdn.microsoft.com/de-de/library/windows/desktop/ms684190(v=vs.85).aspx
So now I am a little bit confused as to how I can get this to work.
Edit:
The file system runs on EMC and is not a real Windows File System, but just kinda hooked onto a Linux system. So there is no local administrator account.
TL;DR
I want to inherit ACL Permissions on files using the system account with powershell, how?
https://github.com/mkellerman/Invoke-CommandAs
Made a function to Invoke-Command against local/remote computer using provided credentials or SYSTEM. Returns PSObjects, handles network interruptions and resolves any Double-Hop issues.
Try it out let me know if this resolves your issues.
If you're ok installing a (very useful) 3rd party program, you can try the following. It's a portable .zip, no real installation.
Run as administrator:
C:\WINDOWS\system32>nircmd.exe elevatecmd runassystem c:\windows\System32\cmd.exe
starts a new cmd window:
Microsoft Windows [Version 10.0.18362.418]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
nt authority\system
C:\WINDOWS\system32>
https://www.nirsoft.net/utils/nircmd.html
Domain Admins get access via the local Administrators group. Local Administrators can take ownership of any local object and subsequently grant new permissions to that object.
Running something like this as an administrator should do what you want:
takeown /f C:\some\file_or_folder /a /r /d:y
icacls C:\some\file_or_folder /reset /t /c /q
Never use the SYSTEM account for things like this.
I'm trying to build a custom VeeamZip backup script using PowerShell from a Windows 7 box. The box doesn't have the space requirements to hold the actual data itself, it's just the catalyst to manage the VeeamZip files.
I've been hunting around and found a solution here on SO to work around the fact that the PS-Drive command doesn't function using the -Credentials flag in PowerShell 2.0 using this snippet:
$net = new-object -ComObject WScript.Network
$net.MapNetworkDrive("u:", "\\share\point", $false, "user", "pass")
I can verify this is properly mounting the share and is searchable using Powershell, but when using the VeeamZip Powershell commands, the path U:\ isn't available.
I tried then using the net use command in Powershell which also mounted the volume, but even with /persistent:yes it won't show in Explorer and the backups fail.
What can I do? There has to be option to get this to work. I'm a Linux guy so I'm not powershell wiz.
EDIT: I've now updated to Powershell 3.0 and I still can't get it work...
I'm trying the following snippet, but only Powershell has access the new drive:
$credential = Get-Credential
New-PSDrive -Name V -PSProvider FileSystem -Root \\server\share -Credential $credential -Persist
EDIT: The New-PSDrive function now works to mount the volume in Explorer and can be browsed as expected as long as I don't launch PowerShell as administrator. The dilemma is now that I can't use the VeeamZip tool because it requires Admin to function. Ideas welcome.
I am trying to make a script in powershell (if you have suggestions for another tool to make this with please advise) that would map network drives for userA to map their own drives temporarily while userB is still logged in.
I tried to use both the New-PSDrive method, as well as the MapNetworkDrive method.
They both throw this error:
"Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again"
After I saw this, I tried disconnecting all drives associated with the server before connecting the desired share via:
net use * /d /y
net use \\server\ipc$
net use \\server\ipc$ /d /y
(thanks #jessehouwing !)
The same error still occurs.
If you want to check my connection code I have it below:
$net = new-object -ComObject WScript.Network
$net.MapNetworkDrive($drLetter, $share, $false, $user, $pass)
and
New-PSDrive -Name $drLetter -PSProvider FileSystem -Root $share -Credential $user -Persist
You are getting that error because you are not allowed to have multiple connection to the same resource with different credentials. I am going to Assume you don't just have a temporary connection to this resource defined by server.
What I always to in situations like this is use the IP address of the host. so...
net use \\10.10.10.10\ipc$
I am going to try and find the articles that discuss what is occurring here but in short this will allow the separate connections.
I am hoping someone can point me in the right direction.
I want to be able to sort of manage users' network printers remotely. Which means, either using something like PowerShell or C# to select the computer name or IP address, then choose the printer (which is on a print server so \PrintServer\Printer01) and have it install on the target user's machine.
I've seen something that did say because of permissions, I might have to fake the identity to properly have it installed for the user.
I noticed powershell has a Add-Printer cmdlet, but it tells me it's not recognized on my machine. But running something like: add-printer -r CompName -p \server\Printer01 would then have the remote computer CompName fetch the printer info from the print server and install it.
I'm not dreaming am I? lol
The Win32 functions AddPrinterDriver and AddPrinter can install printers on remote machines. However, you will have to copy all the necessary files for the driver to the remote machine's \windows\system32\spool\drivers\[w32x86|x64] directory prior to calling the AddPrinterDriver function.
These Powershell commands can help:
Add PrinterPorts
Add-PrinterPort -Name $PrinterPort -PrinterHostAddress $PrinterIP -ComputerName $Computer
Add Printers
Add-Printer -computername $Computer -name $PrinterName -PortName $PrinterName-DriverName "HP Universal Printing PCL 6"