Add user to local group on remote computer using different credentials - windows

I have credentials for the local "Administrator" user on every computer in my department. Sometimes, when I set the machines up for my colleagues, I forget to add my domain username in the administrators group (whoopsie!). It would be easy just setting up a remote desktop connection passing the Administrator user credential, but I'd like to do this "silently", so my question is: is there a way to pass those credentials by shell and then perform the usual operations for adding a user (mine, in this case) to the administrators group?
I work with Windows machines in an Active Directory environment.
Thanks.

Well, this is not from the shell, but you could from your PC/Server as admin run computer management, right click "Computer Management (local)" select "connect to another computer" and bring up the remote computers computer management console and add yourself to that computers local admin group in the background.
Hope that helps.

Related

Ansible: I'm unable to connect to a windows server using a non-local Administrator account

I have a requirement to collect windows facts via ansible. By passing the local Administrator account credentials with Ansible, this works with no issues. If I add my own windows account to the local Admin group, this also works.
The problems starts when I need to connect to a windows server with a non-local admin account (an AD account with Administrator privilege). win_ping fail no matter what I try to make it work.
The Ansible documentation seems to suggest you have to be a local admin or a member of the local admin group.
https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#http-401-credentials-rejected
This section:
Ensure that the user is a member of the local Administrators group or has been explicitly granted access (a connection test with the winrs command can be used to rule this out).
And they give us this workaround:
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#non-administrator-accounts
Non-Administrator Accounts WinRM is configured by default to only
allow connections from accounts in the local Administrators group.
This can be changed by running:
winrm configSDDL default This will display an ACL editor, where new
users or groups may be added. To run commands over WinRM, users and
groups must have at least the Read and Execute permissions enabled.
While non-administrative accounts can be used with WinRM, most typical
server administration tasks require some level of administrative
access, so the utility is usually limited
But even after adding the remote AD account in the ACL editor and giving access to everything, I still get the same error.
"msg": "ssl: the specified credentials were rejected by the server",
Has anyone got this working with an AD account? Any pointers would be very welcome.
Currently, it looks like I need to have a local account with administrator privilege on every Windows server I want to run ansible on. I'm hoping this is not the case.
Thanks

"Remote machine is AAD" but "The logon attempt failed"

I setup Remote Desktop Connection and the computer says: AzureAD\username already has access:
Very good, let's try to connect using AzureAD\username:
Unfortunately it says:
Your credential did not work. Remote machine is AAD joined. If you are
signing in to your work account, try using your work email address.
Of course it didn't work. Any idea?
To successfully connect to an AzureAD joined computer using Remote Desktop, you will need to first save your connection settings to a .rdp file.
To do this, open the Remote Desktop Connection program, enter the IP Address or computer name, then click the "Save As" button at the bottom of the screen. Save it someplace convenient, since we'll need to edit this file by hand.
Next, Right-Click the saved .rdp file and open with Notepad.
Go to the very bottom of the file, add the following lines:
enablecredsspsupport:i:0
authentication level:i:2
Save the file and close.
Now, try double clicking the modified .rdp file and login using the format:
AzureAD\YourFullUsername
Screenshots, original information and credit go to bradleyschacht.com
As an updated answer, the solution is to simply open up the options for the connection, go to the Advanced tab, and check "Use a web account to sign in to the remote computer".
As long as RDP is enabled on the remote machine and the user you are trying to logon is with authorized, it should work.
The Azure Active Directory username is not exactly clear though.
Joined computer via 'FirstName#domain.com', an Azure Active Directory domain account.
Computer shows 'AzureAD\FirstNameLastName' as authorized for RDP since it's an administrator account.
Must use 'AzureAD\FirstName#domain.com' for RDP username.
No other settings changes needed, no manual editing of RDP file just had to get the username right.
from your window, it doesn't seem like you logged in with an azuread account, try with francescomantovani#yourazureaddomain.com as a username?
as per here:https://learn.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc
When you connect to the remote PC, enter your account name in this
format: AzureAD UPN. The local PC must either be domain-joined or
Azure AD-joined. The local PC and remote PC must be in the same Azure
AD tenant.
For some reason the old remote desktop connection application was throwing the same error. I tried connecting through new remote desktop application( included in windows 10 ), it connected without any problem.
The issue is related to the password, which we have set at the time of the creation of VM.
That password doesn't meet the complexity criteria that we didn't get informed about while setting the username & password firstly. Therefore we need to reset the password.
1). click on created VM --> choose reset Password from the side menu.
2). This time they will tell us about constraints for setting the password.
3). Choose the appropriate password.
4). Now login via this format as below:
username : <publicIpOfVM>/<username>
password: newPassword

Windows Server 2008 System Specific Remote

I have a server which runs Windows Server 2008 R2 Standard. I have admin rights and I can login through Remote Desktop Connection and access the server.
I wanted to create an account so that my office staff can access (restricted access) and only from office systems. I do not want access from any other location.
Is it possible ?
Thanks,
GR
There are several ways to lock down and secure the RDP services of a particular machine. As with most local services and GPO settings Windows is quite good at making it easy to tailor permissions based on user(s), computer(s) and by group(s).
First off I would personally add RDP permissions on a per user basis, rather than giving staff members one central login to use. There are several reasons for this, mostly down to ease of use and system security.
In the "System Properties" of the Windows Server, I assume you've ticked the box to allow a RDP connection to the server. - Just under that there's a checkbox you should tick in order to only allow connections with NLA (Network Level Authentication). Proceed to "Select Users" and choose the staff you wish to give RDP permissions too.
I'm going to assume that your RDP connection is working as you've stated that you're able to connect, we'll leave local RDP GPO settings and initial Windows Firewall configuration, please leave a comment if you'd like me to include it.
In the Windows Firewall for the server on the exceptions tab, edit the settings for Remote Desktop Connection. Click "Change Scope" and tick the box that says "My Nntwork (subnet) only".
This will only allow RDP connections from local machines within the servers subnet (office machines) and connections from the users you specified earlier on (Office staff).
As for the restricted access part, short of making a new local limited user on the server there's not much you can do to protect everything.
I hope this clears it up for you.

Default username and password for TFS2010 installed as localhost

Merry Christmas everyone !
I've installed Team Foundation Server 2010 with advanced configuration but I left the settings as default (like Service Account: NT AUTHORITY\LOCAL SERVICE and others)...
All good until when I typed http://localhost:8080/tfs and there it asks me to provide username and password.
What is the default username and password ? I didn't provide any username and/or password during configuration.
I typed as my Windows account name but it doesn't work.
Help me please...
Thank you
EDIT: Please watch my short video capture: http://youtu.be/i8C5mp7fUsA
TFS uses Window's accounts for its permissions. If you're logging in on a workstation setup, rather than one linked to AD then remember you need to specify your machine name as part of the username, for example MACHINE\michaels.
In order to setup new projects you will need to first start off using an administrator account - if your normal username isn't a Windows administrator, then login using your admin username and password (you can then grant permissions to your normal account. You can also use the Windows security groups on the machine to add yourself - there will be a local group called "Team Foundation Administrators". MSDN has a list of the Windows groups you can configure.
it is the windows login , password and u can set it in the administration panel also .
UPDATE - mine was ashutosh-pc\ashutosh and my windows password
You have set your service account to LOCAL SERVICE. Please change this to NETWORK SERVICE. The login box you are getting is not to login TFS, but to get access to your machine resources. The LOCAL SERVICE account does not have enough permissions to operate TFS.
If you don't have NETWORK SERVICE, then use a regular windows account.
See for more information the TFS 2010 Install Guide.
Yeah definitely it works using your windows account, but in my case I have my hotmail email account linked to my windows.. so, I just used my email address and the password for this, I am sharing an screenshot, this is the firs default page after logged in.

How to remote debug when user accounts do not match?

How can I configure Visual Studio remote debugging when:
My developer machine is a member of an AD domain, and my username is "DevelopersName".
The "remote" machine is on the same Ethernet segment, but is not part of the domain.
The "remote" machine must run software under "RemoteUserName".
Most documentation I can find suggests that you need have both machines in the same domain and with identical usernames. That's not possible here.
I could possibly add my username to "remote", but the software still needs to run under "RemoteUserName.
If it helps, I could add 2nd network card to my developer machine and directly connect the "remote" machine.
Using VS2008, but will be moving soon to VS2010.
Thank you.
Sorry, but I've just spent the last 10 hours trying to debug your exact problem. My findings are not good.
You need to get your accounts synced, especially if you are using your remote app to connect to other systems in your SOA environment, ie: Sharepoint, AD.
You can to some extent get remote debugging to work, if you create an account on your local machine with the same name as that of your remote machine (lets do it like this rather rather than working with the domain account).
You then need to make sure the remote service is running under this account, and its a member of the administrators group. And by this I mean hold down control, and right click run as - with the remote debugger, and select the user (not required if remote server is logged in as the required user).
Run the wizard it will open the required ports, use Authentication, because non authentication won't debug managed code. Breakpoints are never met, and there is nothing you can do about this.
On your local dev machine, log off your domain account, and log onto the local account with matching name as the account on server thats running the remote service.
Now you stand a change of remote debugging. If you can't do any of the above, sorry there is no workaround, its entirely dependent on the user account and having the right permissions.
If you don't want to create a local account, try starting our debugger via command prompt using the following command:
runas /user:[user#machinename] /netonly [debugger.exe]
E.g.:
runas /user:john#mypc123 /netonly devenv.exe
I assume it's managed debugging you're talking about (for native debugging there's a remote debugging solution with no authentication). In this case, I would suggest that you use a local user to launch the debugger on your machine. If this local user's name and password match "RemoteUserName"'s name and password, it should work.
(Note that this does not preclude you from using the AD account to log in to your workstation, you just need to set up another account and use runas to launch Visual Studio.)

Resources