Im trying to create a script where a domain user would be able to run IIS service on windows as a local admin using stored credentials.
$adminerpath = 'c:\programdata\adminer'
Function StoreCreds(){
$credential = Get-Credential
$credential | Export-CliXml -Path $adminerpath\data.dat
}
if (Test-Path $adminerpath){
$credential = Import-CliXml -Path $adminerpath\data.dat
Start-Process C:\windows\System32\inetsrv\InetMgr.exe -Credential ($credentials)
}
else {
New-Item -Path $adminerpath -ItemType "directory"
attrib +h c:\programdata\adminer | Out-Null
StoreCreds
}
very simple, should see if the credential is stored and then run process with -credential.
it works with anything else (like note.exe or pwoershell.exe), but when i try running this with InetMgr.exe im getting:
start-process : This command cannot be run due to the error: The requested operation requires elevation.
any help would be much appriciated
Related
I'm automating the process of creating LocalUsers on Windows systems. So far I used the Microsoft docs on New-LocalUser which has worked fine to create the account, this is my code so far:
function New-AdminUser {
param(
[Parameter(Position=0)]
[string] $UNameLocal,
[Parameter(Position=1)]
[string] $UDescription,
[Parameter(Position=2)]
[System.Security.SecureString] $Password
)
New-LocalUser -Name $UNameLocal -Description $UDescription -Password $Password -AccountNeverExpires -Confirm
Add-LocalGroupMember -Group "Administrators" -Member $UNameLocal
}
But this command does not actually generate the homedirectory in C:\Users\username.
I can create this by manually logging into the created user, but I want to automate this in Powershell. I couldn't find anything in the LocalAccounts module.
Is there any way to automate local account setup in Windows 10 using Powershell, without having to manually log in to a new account?
If you start a process (cmd /c) as the created user, it will create his profile. Add this to your function:
$Cred = New-Object System.Management.Automation.PSCredential ("$UNameLocal", $Password)
Start-Process "cmd.exe" -Credential $Cred -ArgumentList "/C" -LoadUserProfile
Here is the code:
param([Parameter(Mandatory=$true)][String]$samAccountName)
$fullPath = "\\srv2012r2\Users\{0}" -f $samAccountName
$driveLetter = "Z:"
$User = Get-ADUser -Identity $samAccountName
if($User -ne $Null) {
Set-ADUser $User -HomeDrive $driveLetter -HomeDirectory $fullPath -ea Stop
$homeShare = New-Item -path $fullPath -ItemType Directory -force -ea Stop
$acl = Get-Acl $homeShare
$FileSystemRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
$InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlags = [System.Security.AccessControl.PropagationFlags]"InheritOnly"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule ($User.SID, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
$acl.AddAccessRule($AccessRule)
Set-Acl -Path $homeShare -AclObject $acl -ea Stop
Write-Host ("HomeDirectory created at {0}" -f $fullPath)
}
and here is the reference:
https://activedirectoryfaq.com/2017/09/powershell-create-home-directory-grant-permissions/
I am trying to upgrade Powershell on a bunch of Windows 7 boxes so I can do other remote installs and such. I am using Invoke-Expression but I swear this worked once before without it. There doesn't appear to be a Wait option for any of this. It does work when I run the Invoke-Expression locally. I also tried Start-Process. Is there a better way to get feedback on why it didn't run? The debugging is painfully slow because it has been a lot of just guessing, both due to lack of feedback and due to its hard to tell on the remote machine when its actually installing the background. The script is getting copied. I've tried without the Remove-item in case I was deleting it too fast. The $cred is admin. I'm not sure Execution Policy is necessary.
foreach ($comp in $computers) {
$comp.Name
if(test-connection -ComputerName $comp.Name -quiet ){
$Destination = "\\$($comp.Name)\c$\Temp\"
copy-item -path "\\10.1.32.161\New Client Setups\WMF_5.1_PowerShell\*" -Destination $Destination -recurse -force
"`t Copied"
$session = Enter-PSSession $comp.Name -Credential $cred
$results = Invoke-Command -ComputerName $comp.Name -ScriptBlock {
Set-ExecutionPolicy RemoteSigned
$ver = $PSVersionTable.PSVersion.Major
"`t Powershell Version : $ver"
if ($ver -lt "5"){
"`tNeeds upgrade"
$argumentList = #()
$argumentList += , "-AcceptEULA"
$argumentList += , "-AllowRestart"
#Invoke-Expression "& 'C:\Temp\Windows7_Server2008r2\Install-WMF5.1.ps1' + $argumentList"
Invoke-Expression 'C:\Temp\Windows7_Server2008r2\Install-WMF5.1.ps1 -AllowRestart -AcceptEULA'
}
}
$results
Remove-item -Path "$Destination*" -recurse
Exit-PSSession
Remove-PSSession -session $session
I'm trying to run a powershell script from rundeck(linux), If I run the script locally[Deletes some files from multiple terminal servers](Windows server) it is working as expected however if I call it from rundeck server(winrm configured) it seems that the script cant access the remote folders I'm trying to access.
I tried running the script using the same user but still shows different result.
Script bellow:
$userAD = "someuser"
$servers = Get-Content C:\TSList.csv
$Folder = "c$\Users\$userAD\"
$TSFolderShare = "\\sharepath"
Write-Output "#####Start of script#####"
Write-output `n
Write-output "Checking if $userAD user profile exist in Terminal servers..."
sleep -seconds 1
foreach ($server in $servers) {
Test-Path "\\$server\$Folder" -PathType Any
Get-ChildItem "\\$server\$Folder"
if (Test-Path "\\$server\$Folder" -PathType Any) {
Write-output "Resetting user profile in $server.."
Get-ChildItem "\\$server\$Folder" -Recurse -Force -ErrorAction SilentlyContinue | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
sleep -seconds 1
Write-output "Done."
if( (Get-ChildItem "\\$server\$Folder" | Measure-Object).Count -eq 0)
{
Write-output "Done."
}
}
else
{
Write-output "Resetting user profile in $server.."
sleep -seconds 1
Write-output "User profile does not exist in $server."
#Write-output "\\$server\$Folder does not exist in $server!" -ForegroundColor Red
}
}
EDIT: It seems my problem is when running my script from another script with RunAS.
Below I'm trying to access a folder from another server using ps script, but since I want to integrate this to Rundeck I need to call my ps script from my linux server using python. I did a test running the ps script directly and calling the test path script using another script with RunUs using the same user I used to run the script manually
Scenario 1
Running PS script via separate PS script with RunAS(my_account)
$username = "my_account"
$password = "my_password"
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr
Invoke-Command -FilePath "C:\testpath.ps1" -Credential $cred -Computer localhost
(C:\testpath.ps1) Content below:
Test-Path "\\server\c$\Users\myaccount\"
result:
Access is denied
+ CategoryInfo : PermissionDenied: (\server\c$\Users\myaccount:String) [Test-Path], UnauthorizedAccessException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.TestPathCommand
+ PSComputerName : localhost
False
Scenario 2
Running C:\testpath.ps1 directly as my_account
Test-Path "\\server\c$\Users\myaccount\"
result:
True
I used session configuration in powershell to solve the issue. This way allows you to tie a credential to a PowerShell session configuration and reuse this configuration for all future connections.
https://4sysops.com/archives/solve-the-powershell-multi-hop-problem-without-using-credssp/
Thanks a lot!
You're facing a double-hop issue with Rundeck and Powershell, here the explanation. That's asked before, take a look a this, and here a good workaround. Also this to solve it.
I'm trying to return exit code from a powershell script that is executed on a remote machine. But, when I check ExitCode it has some random number.
What I'm doing wrong? In addition, is it possible to return the whole text?
my script
$proc = Start-Process -Filepath "$PSExec" -ArgumentList "\\$server -h -u $user -p $pass -d PowerShell $command" -PassThru -Wait
$proc.ExitCode
remote script
New-Item "c:\temp\1.txt" -type file -force
exit 123
UPDATE
$secureString = ConvertTo-SecureString $password -Force -AsPlainText #$password includes password in clear text
$cred = New-Object System.Management.Automation.PSCredential($usrName, $secureString)
$sess = New-PSSession -ComputerName $serverName -Credential $cred
$command = "`"C:\temp\1.ps1`""
$result = Invoke-Command -Session $sess -ScriptBlock {
Start-Process -Filepath "$PSExec" -ArgumentList "\\$server -h -u $usrName -p $password -d PowerShell $command" -PassThru -Wait
}
Can you use Invoke-Command as an alternative?
Example:
$session = New-PSSesson -ComputerName $serverName -Credential (Get-Credential)
$result = Invoke-Command -Session $session -ScriptBlock {
Start-Process ...
}
As an alternative to Get-Credential you can created a credential object and pass it via the -Credential paramter to Invoke-Command. Example:
$secureString = ConvertTo-SecureString $password -Force -AsPlainText #$password includes password in clear text
$cred = [System.Management.Automation.PSCredential]::new($usrName, $secureString)
$sess = New-PSSession -ComputerName $ComputerName -Credential $cred
Invoke-Command -Session $sess -ScriptBlock { ... }
$result should also include the ExitCode property, since Powershell Remoting serializes the remote object. I always suggest Powershell Remoting compared to the cmdlet specific ComputerName implementations. It uses a more standardized way (WsMan -> HTTP(S)). See this link for further details.
Hope that helps.
For your first approach, your issue is that when running psexec with the -d (don't wait) flag it returns the pid of the command that launched it, rather than waiting and returning the exitcode.
Altogether your process also could be optimized. First if you wanted to use psexec.exe, I don't see a reason for Start-Process since you are waiting and passing through. Just & $psexec ... would suffice.
However Moerwald's suggestion for using Invoke-Command is a great one. In your updated code, you are still running Start-Process and Psexec which are unnecessary. When you are invoking the command, you are already remotely running code, so just run the code:
$secureString = ConvertTo-SecureString $password -Force -AsPlainText
$cred = New-Object System.Management.Automation.PSCredential($usrName, $secureString)
$result = Invoke-Command -ComputerName $serverName -Credential $cred -ScriptBlock {
New-Item "c:\temp\1.txt" -type file -force
exit 123
}
Also, since it doesn't look like you are reusing the session, I dropped the saving the session to a variable. And it would also be better to replace all of the credential setup with a Get-Credential rather than passing plaintext passwords around (avoid the password ending up in a saved transcript). That would look like this:
$result = Invoke-Command -ComputerName $serverName -Credential (Get-Credential) -ScriptBlock {
New-Item "c:\temp\1.txt" -type file -force
exit 123
}
I am attempting to write progress on a large file copy in powershell. I have the progress bar working quite well with small file copies, but when I transfer over a gig of data the progress bar does not update in real time. I can check the folder I am copying to and see that everything is transferring as it should, however, my progress bar just sits on the same file and the bar itself doesn't seem to move at all. I am using CredSSP to invoke the command on a server at our data center, so I'm not sure if that is making a difference in the write-progress cmdlet or not. Here is an excerpt of my script:
$credential = Get-Credential -Credential domain\user
$session = New-PSSession -ComputerName server.domain.edu -Credential $credential -authentication CredSSP
Invoke-Command -session $session -ScriptBlock {
$path = "\\domain\shares\dfsdatacenter" + "-DC" + "\HomeDir\ttest1"
$dest = "\\server\Archive$\Terminated"
$counter = 0
$files = gci $path -recurse | ? { -not $_.PSIsContainer; }
Foreach($file in $files)
{
Copy-Item $path $dest -recurse -force
Write-Progress -Activity "Backing Up Terminated User HomeDir:" -status $file.FullName -PercentComplete ($counter / $files.count*100)
$counter++
}
}
Thanks in advance for any help anyone can offer!