When I run the command dcdiag /test:RIDManager in PowerShell in my Domain Controller, I get the test as passed.
But when I run it from another server in a different domain using Remote Session in PowerShell I get the test as failed.
$testSession= New-PSSession -ComputerName <hostname> -Credential Get-Credential
Invoke-Command -Session $testSession -ScriptBlock {dcdiag /test:RIDManager}
This command gives passed when I use the hostname of the Primary Domain Controller but failed for the Secondary Domain Controller. This comes as failed only when I run the command from as Computer in another domain.
I get the below error when failed:
DsBindWithSpnEx() failed with error 5,
Access is denied..
This issue is because of the double hop problem. So if you create a remote PS Session using Creedssp then the result is as it is in the target server.
Related
I have a list of servers, and then another list of services on each of those servers. I am trying to remove it, change a few values in the .bat and then install the services again. Right now I have started a remote Powershell Session using
$PSsession = New-PSSession -ComputerName $server -Credential $Credential
Enter-PSSession -Session $PSsession
I have been mainly using the Invoke-Command -ScriptBlock {//somecodehere} -Session $PSsession in order to run each of the commands that I have used so far. My initial approach was to use sc.exe config $serviceName obj=$username password=$passwd, but each time I make the change on the remote server, it tells me that there is a NativeCommandError and that there is a logon issue with the service.
Is there a way that I can use the credentials provided by the user in order to change the username/password of a service in a secure way? Or does anyone have any recommendations on a better approach I could research?
So my solution to my own problem was to create a script and copy it over to the server. Then it ran the sc.exe command inside of the machine itself. Since it is another machine, you can't send the credentials through as variables if they are a SecureString. So my solution is just to create those variables normally and then make sure to delete them afterwards.
If you are working with confidential data, don't forget that you usually need to overwrite the variable 3 times before deleting it.
I want to automate robocopy through Azure powershell runbook and I am taking below steps but Its failing with access denied error for Source location. Service account used to create remote connection is admin user on both servers
Create remote session on destination server (using Azure Automation account runbook which is running on Hybrid worker )
run Invoke-command for ROBOCopy to pull data from source server to destination D drive.
Below code is not doing anything but runbooks status shows as complete
$serviceAccountPassword = (Get-AzureKeyVaultSecret -VaultName 'kvname' -Name 'secname').SecretValue
$credential = New-Object System.Management.Automation.PSCredential('serviceaccountname',
$serviceAccountPassword)
$session = New-PSSession -ComputerName 'destination_server' -Credential $credential
$scriptblock = {c:\Windows\System32\robocopy.exe \\source_server\Backups\ \\destination_server\d$\data\}
invoke-command -session $session -scriptblock $scriptblock
I have also enbled-Psremoting and also added service account as admin to both servers
Edit : If I don't run as JOB I get access denied error
I am trying to run a powershell script from a TeamCity Windows Slave to another server for deploying my application.
This is BuildConfig:
username = "<username>"
$password = "<password>"
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr;
Invoke-Command -ComputerName "<computer_name>" -Credential $cred -FilePath "deploy.ps1"
I am getting the following error.
following error message : Logon failure: unknown user name or bad password.
[13:57:52] [Step 1/1] For more information, see the about_Remote_Troubleshooting Help topic.
I have used the correct User name and password only.
I have also checked the Local User security policies. Am I missing something?
Is it just a paste error that missed the $ from username ?
Does the user name and password work fine outside the script ?
Are the variables being substituted in properly. Do the logs show ?
I’ve never used that construct to make a pscredential before. Is this one mentioned here not working.
https://pscustomobject.github.io/powershell/howto/PowerShell-Create-Credential-Object/
I need to execute some code on remote machine, I use powershell's Invoke-Command to do that.
Invoke-Command -ComputerName TESTPC -ScriptBlock { Get-WMIObject Win32_ComputerSystem | Select-Object -ExpandProperty name };
It works on my local but fails in TeamCity server. It says: Connecting to remote server TESTPC failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.. I tried to solve it this way https://stackoverflow.com/a/27872686/3561198 but the condition is always true and it looks like the script is run with admin rights. How to fix the issue? Otherwise suggest another way to execute some code on remote Windows machine.
Start an interactive session with the destination machine first and then use Invoke-Command to run the script block.
Enter-PSSession Server01
Invoke-Command -ComputerName Server01, Server02 -ScriptBlock { your code here }
Exit-PSSession
When running an Ansible script against a Windows server, I get the following error message.
credssp: The server did not respond with pubKeyAuth info auth was rejected
What is the cause of this.
I'm answering this question for myself because the solution was trivial to implement, but took some time to work out.
I was creating new EC2 instances with the following userdata which prepared the system as per the docs at http://docs.ansible.com/ansible/latest/intro_windows.html, and set the Administrator password.
<powershell>
Enable-WSManCredSSP -Role Server -Force
Set-Item -Path "WSMan:\localhost\Service\Auth\CredSSP" -Value $true
Invoke-Expression ((New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))
$user=[adsi]"WinNT://localhost/Administrator,user"
$user.SetPassword("{{win_initial_password}}")
$user.SetInfo()
</powershell>
My Ansible script was waiting for a response on port 5986 (WinRM) before continuing, under the assumption that once this port responds the instance would be accessible.
What I believe was happening was that the Administrator password was not being set by the time port 5986 was responding.
To fix this I set the Administrator credentials as the first step in the userdata script, and added a pause for good measure.
<powershell>
$user=[adsi]"WinNT://localhost/Administrator,user"
$user.SetPassword("{{win_initial_password}}")
$user.SetInfo()
Enable-WSManCredSSP -Role Server -Force
Set-Item -Path "WSMan:\localhost\Service\Auth\CredSSP" -Value $true
Invoke-Expression ((New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))
</powershell>
After these two changes, my script worked as expected. So if you get that error message, check the username and password are valid.