Creating Windows Cluster with Powershell - windows

I have a Windows cluster provisioning script. I am not able to execute the New-Cluster command as Administrator. It says that the user should be a domain user to be able to execute the command.
I m trying to use PSExec to login as a domain user and try if the command is working, but still with no success.
C:\Users\Administrator\Desktop\PSTools\PsExec.exe -s -u name -p "pass" -accepteula cmd /c "powershell -noprofile & { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File"C:\scripts\cluster-config.ps1" " -Verb RunAs; exit }"
(I have passed the params correctly while executing)
The cluster-config.ps1
param(
[Parameter(Mandatory=$true)][string]$clusterName,
[Parameter(Mandatory=$true)][string]$srv1,
[Parameter(Mandatory=$true)][string]$srv2,
[Parameter(Mandatory=$true)][string]$clusterIP
)
#Create and configure the WinCluster
New-Cluster -Name $clusterName -Node $srv1,$srv2 -StaticAddress $clusterIP -AdministrativeAccessPoint ActiveDirectoryAndDns
How can I create a Windows Cluster as ad Administrator? Unfortunately direct login with domain user credentials is not possible.

In order to create the new Cluster, you need to have the rights to be able to create a new Cluster computer account in Active Directory. A normal Domain User does not have rights to create a new computer account in Active Directory unless they have the rights delegated to them.
Your statement "direct login with domain user credentials is not possible" is not possible at all. A cluster in an Active Directory creates a physical Computer Account in Active Directory. If you do not have access/don't login to Active Directory you cannot create a cluster.
Usually for a cluster, a Domain Administrator has to first create the cluster (and thereby creating the appropriate Computer account). Then using that newly created account, delegate access. Once the cluster has the appropriate rights delegated to it, if can create the Computer Accounts needed to create the roles needed for the cluster.
Create the cluster with a Domain Administrator login. This will create the initial Active Directory Computer account.
In Active Directory we need to then delegate control for the computer account and Configured Cluster name CLUSTERNAME with rights to add computers to the domain (so that it has rights to add the resources to AD):
Active Directory Users and Computers -> right-click domain -> Delegate Control
Enter Computer Name – CLUSTERNAME
Delegate the following common tasks -> Join a Computer to the domain

Related

cmd command "runas" equivalent in MacOS

i am facing an issue while using the mac. I need to use that PowerShell command on my mac to run application as domain user
runas /netonly /user:user_name "C:\Users\fwa\AppData\Local\Programs\Azure Data Studio\azuredatastudio.exe"
I have tried
sudo -u user_name /Applications/AzureDataStudio.app
it asks password for local user. but in my case user is on External domain
To run Azure Data Studio (ADS) on your mac and login to SQL Server using Windows authentication instead of a username/password, you use the kinit command. I've had best luck using the kinit command through the built-in command window in ADS (you'll be prompted to do so if/when your login fails). Note that your computer needs network access to a kerberos server.
There's some further information about setting this up HERE and HERE.

How to include domain user in Jenkins Job execution

I am automating a build process. The process requires deployment of application to a server, after deployment a few scripts have to be executed to share and provide permissions on the server. The scripts run when I login via domain user through powershell.I am using Jenkins for the CI/CD process. I want to include my domain credentials to run the scripts on the server. I have also used the active directory plugin, and can login with my domain credentials but still I am not able to establish a remote connection with the server.
My script is
Enter-PSSession -ComputerName ATKT-WS-20
Invoke-Expression -Command .\FolderSharingScript.ps1
Enter-PSSession : Connecting to remote server ATKT-WS-20 failed with the following error message : WinRM cannot
process the request. The following error with errorcode 0x8009030e occurred while using Kerberos authentication: A
specified logon session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.<
I have also added the machine name in the trustedhosts. How can I include the domain credential in Jenkins jobs?
The solution turned out to be not to use PowerShell's remoting at all, but instead rely on the remoting built into Jenkins:
Connect the remote machine as a Jenkins agent to the Jenkins server, running the agent executable as the desired domain user.
On the Jenkins server, ensure that your job is configured to run on the remote machine, using a label expression.
Assuming the PowerShell plugin is installed, you can then send PowerShell code as-is to the remote machine - no need for PowerShell sessions, credentials, ...

inconsistent administrator permissions in windows

I'm a mac user making my first foray into windows development and I've run into some confusing admin privilege errors. I'm running a Windows 10 install via Bootcamp on my macbook pro that I just set up yesterday (I haven't "activated windows" ie not paid for it, not sure if that would make a difference with my issue). I'm an administrator and also the only user on the system, which I confirmed by first checking through the Settings app, and then by running these commands:
C:\Users\will\code\chrome-native-messaging>net user "%username%"
User name will
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 9/26/2016 1:38:13 PM
Password expires Never
Password changeable 9/26/2016 1:38:13 PM
Password required No
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/28/2016 1:03:42 PM
Logon hours allowed All
Local Group Memberships *Administrators *Ssh Users
Global Group memberships *None
The command completed successfully.
C:\Users\will\code\chrome-native-messaging>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
will
The command completed successfully.
However, when I run another command suggested in an SO thread to verify my admin status, I get an access denied error:
C:\Users\will\code\chrome-native-messaging>fsutil dirty query %systemdrive%
Error: Access is denied.
Any pointers on how to successfully run this command are much appreciated. thanks!
Did you launch the command prompt with Run as Administrator?
fsutil requires the command prompt to be elevated. You can check this by seeing if "Administrator: C:...\cmd.exe" is in the command prompt's title bar.

How to connect as NT AUTHORITY\SYSTEM to svn?

I have a service running at local system account (NT AUTHORITY\SYSTEM). This service shall connect to local subversion repository. Is this possible?
I tried this
svn export --non-interactive http://localhost/svn/MyRepository TargetFolder
but it does not work. As far as I know I cannot set any password for "NT AUTHORITY\SYSTEM". I don't like to use my personal account and put my password there as clear text.
My SVN runs on VisualSVN-Server
You should never use SYSTEM account for such tasks for numerous security reasons. Create and use a dedicated local Windows or Active Directory account with limited permissions.
Setting up the cached authentication credentials for the System user requires running an svn.exe command as the System user. Windows Vista+/Server 2008+ doesn't make that easy.
​Install psexec from https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
Start an elevated cmd.exe as Administrator.
Run "psexec -i -s cmd.exe".
A new cmd.exe should appear which is running as the System user.
Type whoami. Verify the output reads something like "nt authority\system".
Perform a subversion command like "svn --username your-svn-user list your-https-repo-url".​
When prompted by svn.exe, enter the password for your-svn-user.
​The "svn auth" command allows you to examine the cached credentials.
Note if a new SSL certificate is installed on the Subversion server, you'll have to repeat this process.
For more responses on this topic: How do you run CMD.exe under the Local System Account?

Execution of postgresql by a user with administrative permissions is not permitted

Win7. Postgres 9.3.
Every time I type "postgres" in cmd I get this error.
Created a new account without any admin rights and with "Log on as" rights and with correct directory access rights to postgres/data, then I set this account as the "Log on as" in the services menu, but I still get the same error.
update2017: I never found a solution to this.
For windows do this:
Start cmd.exe (administrator as you are)
Add postgres user:
net user postgres your_password /add
Start a cmd.exe using your new postgres account:
runas /user:postgres cmd.exe
You can validate you are login correctly using" whoami
Run postgres normally.
It is not clear from your question whether you are trying to start the Postgres service or "manually" start Postgres without having a Windows service registered.
Since 9.x Postgres does not require it's own Windows user account to run the service. It defaults to use the built-in "Network" account.
To start the Postgres service (if it has been correctly installed), simply use use
net start postgresql-9.3
(the actual name might be different)
If you did not register a Windows service you should start Postgres through pg_ctl.exe not through postgres.exe. pg_ctl.exe will drop any administrative privileges from the process when starting the server.
To start Postgres manually from the commandline use:
pg_ctl -w -D c:\Path\To\The\DataDirectory
assuming that the access rights to the data directory are setup correctly so that the current user has full access to the directory.
If you want to install/create the Windows service manually, you can also do this through the pg_ctl program:
pg_ctl register -N "postgresql-9.3" -D c:\Path\To\The\DataDirectory
Again the access rights to the data directory must be setup correctly.

Resources