I have a Windows cluster provisioning script. I am not able to execute the New-Cluster command as Administrator. It says that the user should be a domain user to be able to execute the command.
I'm trying to use PsExec to log in as a domain user and test whether the command works, but still with no success.
C:\Users\Administrator\Desktop\PSTools\PsExec.exe -s -u name -p "pass" -accepteula powershell -NoProfile -Command "Start-Process powershell.exe -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File C:\scripts\cluster-config.ps1' -Verb RunAs"
(I have passed the params correctly while executing)
The cluster-config.ps1
param(
[Parameter(Mandatory=$true)][string]$clusterName,
[Parameter(Mandatory=$true)][string]$srv1,
[Parameter(Mandatory=$true)][string]$srv2,
[Parameter(Mandatory=$true)][string]$clusterIP
)
#Create and configure the WinCluster
New-Cluster -Name $clusterName -Node $srv1,$srv2 -StaticAddress $clusterIP -AdministrativeAccessPoint ActiveDirectoryAndDns
How can I create a Windows Cluster as Administrator? Unfortunately direct login with domain user credentials is not possible.
In order to create the new Cluster, you need to have the rights to be able to create a new Cluster computer account in Active Directory. A normal Domain User does not have rights to create a new computer account in Active Directory unless they have the rights delegated to them.
Your statement "direct login with domain user credentials is not possible" is not possible at all. A cluster in an Active Directory creates a physical Computer Account in Active Directory. If you do not have access/don't login to Active Directory you cannot create a cluster.
Usually for a cluster, a Domain Administrator has to first create the cluster (thereby creating the appropriate Computer account). Then, using that newly created account, delegate access. Once the cluster has the appropriate rights delegated to it, it can create the Computer Accounts needed for the cluster roles.
Create the cluster with a Domain Administrator login. This will create the initial Active Directory Computer account.
In Active Directory we need to then delegate control for the computer account and Configured Cluster name CLUSTERNAME with rights to add computers to the domain (so that it has rights to add the resources to AD):
Active Directory Users and Computers -> right-click domain -> Delegate Control
Enter Computer Name – CLUSTERNAME
Delegate the following common tasks -> Join a Computer to the domain
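The same delegation done from PowerShell instead of the Delegate Control wizard, as an added example that is not part of the original answer. It assumes the cluster name object (CNO) is CLUSTERNAME, that the role computer objects will live in OU=Servers,DC=corp,DC=example, and that the right the wizard's "Join a Computer to the domain" task grants is Create Computer objects, here scoped to that one OU rather than the whole domain.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module and a
# Domain Admin session. CLUSTERNAME and the OU DN are placeholders for your environment.
Import-Module ActiveDirectory

$cno  = Get-ADComputer -Identity 'CLUSTERNAME'      # the CNO that New-Cluster created
$ouDn = 'OU=Servers,DC=corp,DC=example'             # where role (VCO) computer objects go

# Schema GUID of the 'computer' object class: limits the grant to creating computer objects,
# not arbitrary child objects.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid     = [System.Security.Principal.SecurityIdentifier]$cno.SID
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, $rights, $allow, $computerClassGuid, $inherit

$acl = Get-Acl -Path ("AD:\" + $ouDn)
$acl.AddAccessRule($rule)
Set-Acl -Path ("AD:\" + $ouDn) -AclObject $acl

# Verify: the OU's DACL should now carry exactly one CreateChild ACE for the CNO,
# with ObjectType equal to the computer class GUID.
(Get-Acl -Path ("AD:\" + $ouDn)).Access |
    Where-Object { $_.IdentityReference -like '*\CLUSTERNAME$' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

Keeping the grant on one OU (and on the CNO only, never on the node accounts) limits what a compromised cluster account could create in the directory.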
This is not a question about not being able to start a PSSession, rather about apparently different access rights when in a PSSession.
Following set of commands work
Start a Powershell prompt
Run cmd /c sc queryex WerSvc
Following set of commands don't work
Start a Powershell prompt
Run Enter-PSSession localhost
Run cmd /c sc queryex WerSvc
My user has the right to execute sc queryex but apparently not when in a PSSession. Does anyone have any idea where I should start checking access rights?
Edit: kudos to PetSerAl
Below the output of whoami /all in the standard powershell prompt and in the PSSession.
PS C:\Users\xxxxxxxx> whoami /all
USER INFORMATION
----------------
User Name SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx User S-1-5-21-348289982-344025507-1237804090-35554 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP Alias S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\Users\xxxxxxxx> enter-pssession localhost
[localhost]: PS C:\Users\xxxxxxxx\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx User S-1-5-21-348289982-344025507-1237804090-35554 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP Alias S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
The whoami /all output shows that you use an interactive logon to run PowerShell, while PowerShell remoting uses a network logon by default when creating a session. You can use the -EnableNetworkAccess parameter to use the existing interactive session instead of creating a new network logon.
If you look at the WerSvc service security descriptor (you can do so with the sc.exe sdshow WerSvc command), then you can see that it gives permission to access the service to interactive logon and does not give such permission to network logon. Thus you see the difference in behavior.
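To see this for yourself without guessing at the SDDL syntax, here is an added example (not from the original answer) that parses a service security descriptor and checks whether a given set of token SIDs holds SERVICE_QUERY_STATUS, the right sc queryex needs. The SDDL string is a constructed sample in the shape sc.exe sdshow prints; the SID lists mirror the two whoami outputs above (S-1-5-4 INTERACTIVE vs S-1-5-2 NETWORK).

```powershell
# Added example (not from the thread). Constructed SDDL; on a real host use:
#   $liveSddl = (sc.exe sdshow WerSvc | Where-Object { $_ -match '^D:' }) -join ''
$sampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'

$SERVICE_QUERY_STATUS = 0x0004     # "LC" in SDDL text; required by sc queryex

function Test-ServiceQueryAccess {
    param([string]$Sddl, [string[]]$TokenSids)
    # Simplified DACL walk: a deny ACE for any token SID wins; otherwise an allow ACE for
    # a token SID that carries SERVICE_QUERY_STATUS grants access.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $granted = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($TokenSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (($ace.AccessMask -band $SERVICE_QUERY_STATUS) -eq 0) { continue }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) { return $false }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) { $granted = $true }
    }
    return $granted
}

# Logon-type SIDs taken from the two whoami outputs: console/RDP vs Enter-PSSession.
$interactiveToken = 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-4', 'S-1-5-14', 'S-1-5-11'
$networkToken     = 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-2', 'S-1-5-11'
"Interactive logon can query WerSvc: " + (Test-ServiceQueryAccess -Sddl $sampleSddl -TokenSids $interactiveToken)
"Network logon can query WerSvc:     " + (Test-ServiceQueryAccess -Sddl $sampleSddl -TokenSids $networkToken)

# Live check: run once in a plain prompt and once inside Enter-PSSession localhost.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$liveSids = @($id.User.Value) + ($id.Groups | ForEach-Object Value)
$liveSddl = (sc.exe sdshow WerSvc | Where-Object { $_ -match '^D:' }) -join ''
Test-ServiceQueryAccess -Sddl $liveSddl -TokenSids $liveSids
```

With the sample descriptor the first call returns True and the second False, which is the difference the question observed; Enter-PSSession localhost -EnableNetworkAccess reuses the interactive token and makes both agree.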
Might it be possible that you start an elevated PowerShell and after Enter-PSSession you end up in a less privileged shell?
Try to check with this line:
[bool]$isElevated = (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
I'm a Mac user making my first foray into Windows development and I've run into some confusing admin privilege errors. I'm running a Windows 10 install via Boot Camp on my MacBook Pro that I just set up yesterday (I haven't "activated Windows", i.e. not paid for it; not sure if that would make a difference with my issue). I'm an administrator and also the only user on the system, which I confirmed by first checking through the Settings app, and then by running these commands:
C:\Users\will\code\chrome-native-messaging>net user "%username%"
User name will
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 9/26/2016 1:38:13 PM
Password expires Never
Password changeable 9/26/2016 1:38:13 PM
Password required No
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/28/2016 1:03:42 PM
Logon hours allowed All
Local Group Memberships *Administrators *Ssh Users
Global Group memberships *None
The command completed successfully.
C:\Users\will\code\chrome-native-messaging>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
will
The command completed successfully.
However, when I run another command suggested in an SO thread to verify my admin status, I get an access denied error:
C:\Users\will\code\chrome-native-messaging>fsutil dirty query %systemdrive%
Error: Access is denied.
Any pointers on how to successfully run this command are much appreciated. thanks!
Did you launch the command prompt with Run as Administrator?
fsutil requires the command prompt to be elevated. You can check this by seeing if "Administrator: C:...\cmd.exe" is in the command prompt's title bar.
I have a service running at local system account (NT AUTHORITY\SYSTEM). This service shall connect to local subversion repository. Is this possible?
I tried this
svn export --non-interactive http://localhost/svn/MyRepository TargetFolder
but it does not work. As far as I know I cannot set any password for "NT AUTHORITY\SYSTEM". I don't like to use my personal account and put my password there as clear text.
My SVN runs on VisualSVN-Server
You should never use SYSTEM account for such tasks for numerous security reasons. Create and use a dedicated local Windows or Active Directory account with limited permissions.
Setting up the cached authentication credentials for the System user requires running an svn.exe command as the System user. Windows Vista+/Server 2008+ doesn't make that easy.
Install psexec from https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
Start an elevated cmd.exe as Administrator.
Run "psexec -i -s cmd.exe".
A new cmd.exe should appear which is running as the System user.
Type whoami. Verify the output reads something like "nt authority\system".
Perform a subversion command like "svn --username your-svn-user list your-https-repo-url".
When prompted by svn.exe, enter the password for your-svn-user.
The "svn auth" command allows you to examine the cached credentials.
Note if a new SSL certificate is installed on the Subversion server, you'll have to repeat this process.
For more responses on this topic: How do you run CMD.exe under the Local System Account?
I've written a VBScript to connect a Win2k3 SP2 server to multiple Win2k3 + SP2 & WinXP + SP3 machines via WMI in order to query the systems Win32_OperatingSystem and Win32_ComputerSystem classes.
Set loWMISvc = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=Pkt}\\" & lsStore & "\root\cimv2")
Note: 'lsStore' is the IP address of the computer system I successfully connected to previously.
I then attempt to create a new object to the remote system where it keeps returning a permission denied error (output of script):
21/11/2011 1:17:50 PM SUCCESS: Established connection to store
D:\Program Files\SUREfire Systems\Support\MG\QueryStores\QueryStores.vbs(244, 5) Microsoft VBScriptruntime error: Permission denied: 'GetObject'
Despite setting the object's ImpersonationLevel and AuthenticationLevel monikers as expected, WMI also appears to be installed correctly on the client and remote system. The initial connection to the remote system is for the local administrator user also.
What else could be the cause the permission denied error that I'm not seeing? Any help would be appreciated.
I believe I've resolved my own query. A 'permission denied' error relates to UAC, so you need to execute the script using the same level of access and permission as on the remote system. I simply ran a DOS command prompt as the admin user account on the client system and GetObject was successful.
Although an admin account would appear the same on two different systems, this proves you need to ensure the same level of access and security is adhered to ;)