Working on grabbing windows 7 event logs remotely using powershell. My powershell script works locally.
Get-WinEvent -ComputerName localhost -LogName Security -MaxEvents 10
to access it remotely I modified it for
Get-WinEvent -ComputerName remotecomputer -LogName Security -MaxEvents 10
To access it remotely I modified the windows firewall to allow Remote Event Log Management (RPC) to allow it but I still get -
"Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.."
Saw some blogs about adding customsd to registry but that looked like it was for windows servers. Also tried using -Credentials and no luck, also, remote registy and rpc services are both running.
Any suggestions?
I wanted to put my answer on here that with admin rights it seems like you can query powershell logs using xml over the network. If you use xml it seems to use the windows credentials and winrm isn't necessary. We didn't even have to enable "remote event log management" in the windows firewall. If you have the right windows credentials it just works. Powershell is incredible.
Related
I must add a domain user to the local group "Remote Desktop Users" via GPO.
And since I'm building Domain Controller images in an automated way, I want to create a policy to set a domain user as part of the Remote Desktop Users local group of each domain joined Windows client machine using PowerShell.
I've been trying to manage the Restricted Groups from a GPO via PowerShell, but without success.
I found the following code, but it returns only a .xml that I can check the groups located at the Restricted Groups from a GPO.
https://social.technet.microsoft.com/Forums/en-US/a956c361-3852-4ec2-a6e3-15475e67bdaa/listing-gpo-restricted-groups-with-powershell?forum=winserverpowershell
If there's a way to export the GPO as .XML or any other format and edit it and import that changes, it would be also fine.
Another forum that I found and it's a good solution but it's still manually, is the following one. I'd like to automate that steps via PowerShell, but it has been hard to do.
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-group-policy-preferences-to-manage-the-local-administrator/ba-p/259223
Please, does anyone know some automated way to create a GPO that includes a domain user to a local group?
Thanks all!
Try **Invoke-Command** and **Add-LocalGroupMember**
ForEach ($ServerName in $Servers)
{
Invoke-command -ComputerName $ServerName -ScriptBlock {Add-LocalGroupMember -Group "Remote Desktop User" -Member "Admin02", "MicrosoftAccount\username#Outlook.com", "AzureAD\DavidChew#contoso.com", "CONTOSO\Admins"}
}
https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
Create new GPO: Computer Configuration / Policies / Windows Settings / Security Settings / Restricted Groups
or if neecessary is done by powershell script create GPO
Configuring PowerShell Startup Scripts with Group Policy
and launch script:
Add-LocalGroupMember -Group "Remote Desktop User" -Member "Admin02", "MicrosoftAccount\username#Outlook.com", "AzureAD\DavidChew#contoso.com", "CONTOSO\Admins"
When logging on windows server to check uptime and services, I am being logged through gateway, both server and gateway are require different credentials.
I am working on powershell script that does this automatically, but I can not find way how to use multiple credentials when invoking command.
I am not sure if there is solution on this in powershell
When doing that manually, I am logging directly on server and gateway automatically pops up, asking for credentials, when I enter them, another prompt to server credentials pops up, then I logon on server.
Thanks for advice :-)
$Cred1 = [pscredential]::new($User1,$Password1) #service account to target server
$Cred2 = [pscredential]::new($User2,$Password2) #gateway credentials
Invoke-Command -ComputerName xxx-ScriptBlock { xxx } -credential $Cred1
...is not working with $Cred1, cause gateway requires $cred2.
I have RDP access to the windows server. I used to do manually check the disk space and RAM usage on all my windows server. I can't install or enable any service on the remote servers. Is there any way, to automate the task to check the disk space and RAM/CPU usage on remote windows server with RDP access only.
No, not with RDP - as its name entails, the Remote Desktop Protocol is an interactive system for users to access their desktop - hardly an automation system.
But you don't need to install anything, Windows comes with full remote management possibilities out of the box. For example, Inside a PowerShell session (on your PC) just use:
Get-WmiObject -class Win32_LogicalDisk -ComputerName SERVER1,SERVER2,SERVER3 | select DeviceID,VolumeName,Size,FreeSpace
You can add as many servers as you want to the list. If your local login account does not have permissions to access the remote servers, simply add the -Credential DOMAIN\LOGIN parameter to the command above.
Finally, if you encounter a login error even with an account that is an administrator of the remote servers, you must check that firewall rules do not prevent remote administration from working on the server side. You may want to use (inside an RDP session) the PowerShell command Enable-PSRemoting.
There is many ways to check servers. But I recommanded to install tools (open source) like nagios or zabbix.
Nagios is a good open source for monitoring with web access and email alerting. You need to install NSclient on the windows server which allows nagios the access to resources.
About the email alerting, you need to install an smtp server, that will send mail each time there's a critical situation. (postfix or sendmail)
this is a tutorial link to install nagios:
http://itgration.blogspot.com/2014/09/installation-nagios-306.html
I am trying to prepare our environment consisting of Windows XP / 7, Windows 2003 / 2008 for PowerShell remoting. I have configured the WinRM service and listeners as well as a firewall inbound rule through Group Policy following Microsoft Procedures. However, I used the GP Editor on my admin station (RSAT) rather than the one on the DC and it offered one additional configuration option which should have never been configured. Namely the credentials under which the service would run. Untouched it automatically picked up my domain admin account. Now the WinRM service is configured under the wrong account and it won't start up on any of the machines. Server or client. When I try to manually start the service on any machine, I get the following error message:
Windows could not start the Windows Remote Management (WS-Management) service on Local Computer.
Error 1079: The account specified for this service is different from the account specified for other services running in the same process"
After some research and tinkering I learned that the service is supposed to run under the Network Service account with a blank password by default. When I manually change the credentials on any machine to Network Service and clear the password boxes, I get a confirmation popup:
The account NT AUTHORITY\Network Service has been granted the Log On As A Service right.
After that the WinRM service starts up just fine. I need to find a way to remotely change the credentials for this service on multiple machines. Obviously I cannot use PowerShell as the service is a prerequisite for PSRemoting. I did try sc.exe in a startup script through GPO on a test OU with one machine like so:
sc.exe config "WinRM" obj= "Network Service" password= ""
net stop WinRM
net start WinRM
Unfortunately however, it did absolutely nothing. I have UAC enabled on all win7/win2008 machines I also have WinXP and Win2003 boxes.
Does anyone out there have any idea for a solution? Maybe a script that might work? I am not much of a cripting guy, so if you are kind enough to help me out with a script can you also tell me how to use it?
All responses will be appreciated.
To add to this post. the following command will work for accomplishing the above.
sc.exe config "WinRM" obj= "NetworkService"
In testing I found that the NetworkService account actually has no space between the two words, but in GUI it does show space.
I'm a few months late, but hopefully this can help someone. I just resolved this issue in both my test and production environments by configuring the Group Policy preference for the WinRM service and manually entering:
User: NT AUTHORITY\NetworkService
Password: <space>
Exactly. You have to manually enter the account name as I wrote it, and the password is a single space. Other combinations of username and password have not worked for me. If other combinations work, I'd love to know.
I want to run a few scripts on a few servers but the issue is that all of them are on different domains.
If they are on the same domain then I am able to run it is Powershell but across domains how would I do that? Can anyone throw some light on this?
On the server side
Enable-PSRemoting
On Client Side, Execute the following commands:
cd wsman:localhost\Client
Set-Item AllowUnencrypted -Value $true -force
Set-Item TrustedHosts -Value * -force
Then to create session in the server machine from client machine use the following commands:
$cred=get-credential
$Session= New-PSSession -computername Server01 -credential $cred -Port 5985
Enter-PSSession $Session
(Valid Credential on Server machine should be given)
This might be a good application for PS constrained sessions with delegation.
You can designate the credentials that will be used to run the commnads in the session configuration, and limit what can be run in the session, so you can create a session you can connect to without having domain credentials, and within that session you can run just those scripts and they will be automatically run using credentials that are set in the session configuration.
http://ramblingcookiemonster.wordpress.com/2013/07/20/granular-access-via-powershell-remoting/
I don't know if you're talking 2, 20 or 200 servers here (or the number of admins), but what I would do (if I had administrative access to the domains) would be to implement some kind of "administrative execution account" on each domain. I would then build logic to save creds to file on the workstation/management server initiating the connection (if the password is the same across domains it would be very easy - maybe too easy)
It should be easy enough to build logic to pick up the correct credentials file based on the computer domain, construct a credential object, and connect with it -basically some proxy functions for the most common remoting CmdLets like new-pssession and the like.
This would ensure that each operator would have to type in the username/password to each domain manually before using the script (saving the creds to file), which should help prevent unauthorized access.