I want to run a few scripts on a few servers but the issue is that all of them are on different domains.
If they are on the same domain then I am able to run it is Powershell but across domains how would I do that? Can anyone throw some light on this?
On the server side
Enable-PSRemoting
On Client Side, Execute the following commands:
cd wsman:localhost\Client
Set-Item AllowUnencrypted -Value $true -force
Set-Item TrustedHosts -Value * -force
Then to create session in the server machine from client machine use the following commands:
$cred=get-credential
$Session= New-PSSession -computername Server01 -credential $cred -Port 5985
Enter-PSSession $Session
(Valid Credential on Server machine should be given)
This might be a good application for PS constrained sessions with delegation.
You can designate the credentials that will be used to run the commnads in the session configuration, and limit what can be run in the session, so you can create a session you can connect to without having domain credentials, and within that session you can run just those scripts and they will be automatically run using credentials that are set in the session configuration.
http://ramblingcookiemonster.wordpress.com/2013/07/20/granular-access-via-powershell-remoting/
I don't know if you're talking 2, 20 or 200 servers here (or the number of admins), but what I would do (if I had administrative access to the domains) would be to implement some kind of "administrative execution account" on each domain. I would then build logic to save creds to file on the workstation/management server initiating the connection (if the password is the same across domains it would be very easy - maybe too easy)
It should be easy enough to build logic to pick up the correct credentials file based on the computer domain, construct a credential object, and connect with it -basically some proxy functions for the most common remoting CmdLets like new-pssession and the like.
This would ensure that each operator would have to type in the username/password to each domain manually before using the script (saving the creds to file), which should help prevent unauthorized access.
Related
I must add a domain user to the local group "Remote Desktop Users" via GPO.
And since I'm building Domain Controller images in an automated way, I want to create a policy to set a domain user as part of the Remote Desktop Users local group of each domain joined Windows client machine using PowerShell.
I've been trying to manage the Restricted Groups from a GPO via PowerShell, but without success.
I found the following code, but it returns only a .xml that I can check the groups located at the Restricted Groups from a GPO.
https://social.technet.microsoft.com/Forums/en-US/a956c361-3852-4ec2-a6e3-15475e67bdaa/listing-gpo-restricted-groups-with-powershell?forum=winserverpowershell
If there's a way to export the GPO as .XML or any other format and edit it and import that changes, it would be also fine.
Another forum that I found and it's a good solution but it's still manually, is the following one. I'd like to automate that steps via PowerShell, but it has been hard to do.
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-group-policy-preferences-to-manage-the-local-administrator/ba-p/259223
Please, does anyone know some automated way to create a GPO that includes a domain user to a local group?
Thanks all!
Try **Invoke-Command** and **Add-LocalGroupMember**
ForEach ($ServerName in $Servers)
{
Invoke-command -ComputerName $ServerName -ScriptBlock {Add-LocalGroupMember -Group "Remote Desktop User" -Member "Admin02", "MicrosoftAccount\username#Outlook.com", "AzureAD\DavidChew#contoso.com", "CONTOSO\Admins"}
}
https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
Create new GPO: Computer Configuration / Policies / Windows Settings / Security Settings / Restricted Groups
or if neecessary is done by powershell script create GPO
Configuring PowerShell Startup Scripts with Group Policy
and launch script:
Add-LocalGroupMember -Group "Remote Desktop User" -Member "Admin02", "MicrosoftAccount\username#Outlook.com", "AzureAD\DavidChew#contoso.com", "CONTOSO\Admins"
When logging on windows server to check uptime and services, I am being logged through gateway, both server and gateway are require different credentials.
I am working on powershell script that does this automatically, but I can not find way how to use multiple credentials when invoking command.
I am not sure if there is solution on this in powershell
When doing that manually, I am logging directly on server and gateway automatically pops up, asking for credentials, when I enter them, another prompt to server credentials pops up, then I logon on server.
Thanks for advice :-)
$Cred1 = [pscredential]::new($User1,$Password1) #service account to target server
$Cred2 = [pscredential]::new($User2,$Password2) #gateway credentials
Invoke-Command -ComputerName xxx-ScriptBlock { xxx } -credential $Cred1
...is not working with $Cred1, cause gateway requires $cred2.
I’m trying to copy some files from a domain-joined computer, to a non-domain-joined server (it is not on a domain at all). Using PowerShell 5.1.
I want to do this with a script run from a scheduled task, so prompting for the password won’t work. To deal with this I have created a PSCredential object with the Username and Password fields populated. For the username I am using ‘servername\username’ as it is an account local to the remote system. The password is being retrieved dynamically from a PIM solution and is already in PSCredential format. The credential object is created using:
New-Object System.Management.Automation.PSCredential -ArgumentList (“servername\username”, <System.Security.SecureString value>).
I am trying to do this as simply as possible. I looked at just using Copy-Item, as well as New-PSSession and New-PSDrive. I landed on using:
New-PSDrive -Name “DriveName” -PSProvider Filesystem -Root “\\server\path” -Credential <PSCredential object>
Once that completes, I can use Copy-Item to copy files to the remote system without having to authenticate again. (Note that I don't directly reference the PSDrive here, it was just a way for me to create a transient, authenticated session to the remote computer.)
Copy-Item -Path <local source path> -Destination "\\server\path" -Recurse -Force
All of this actually does work – however the issue is that before logging in using the user/pass stored in the PSCredential object, the system first tries an NTLM login using my local domain account (the one running the script). After that tries about 3x and fails (the remote server has no way of validating my domain account), only then does it use the creds in the object.
Not necessarily the end of the world, but it does waste some time, and on top of that it also fires all kinds of alerting within our SOC team as it generates a bunch of failed logins to the off-domain computer, all coming from my domain account.
Is there a way to avoid that initial NTLM auth attempt with the domain account, and just jump straight into using the ‘servername\username’ account that is local to the remote system? Or, am I doing this completely wrong and there’s a better way? :)
Thanks!
(P.S. Also posted here: https://forums.powershell.org/t/copy-item-to-non-domain-computer/16721/4)
To elaborate, I am creating a remote power shell session to localhost. Essentially, I am running the below command from my first power shell session(1).
$s = New-PSSession;
Now, I opened another power shell session(2) and I want to connect to the remote session created in the power session(1).
Is this possible?
I see that the remote power shell sessions created in (1) are not visible in (2). Is there a way to access those remote sessions across different power shell sessions.
Fortunately this feature has been added to PowerShell 3 for the first time. By using the parameter -ComputerName in Get-PSSession and opening the PS sessions with the same credentials, you can get all the sessions that have been created on this remote machine by your credentials. Try to type this line in the 1st session
New-PSSession -ComputerName LocalHost
Then this line in the 2nd session
Get-PSSession -ComputerName LocalHost
I have found the following link is very useful for this topic:
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_pssession_details?view=powershell-6
I fell into a double-hop issue while trying to deploy BizTalk apps(msi) to remote machines via powershell. The only way out of this(double-hop) is to use CredSSP authentication for remote session. The deployment needs to be unattended, but if I try to use CredSSP authentication it asks for credentials in a prompt. Is there any way to bypass this manual input of credentials when using CredSSP? If not, is there any other way delegation of credentials can be done without keeping the credentials in the script file?
You can get around the second-hop issue by using remote delegated sessions.
here is a link to an MSDN article describing how to create these.
Basically, it is the same mechanism that Exchange uses for their remote management sessions. A remote session configuration is created on the target machine, and whatever runs in that session executes under a set of credentials specified in the RunAs parameter of the configuration. When you run something in one of those sessions, you can make one more hop from that machine to another machine without CredSSP because the credential that's actually executing the commands hasn't made a hop yet.
You can get very granular about what scripts, functions, and cmdlets can be run in that session so you can limit it to only being used for a specific purpose. Once you have it set up, you then limit who has permission to use the session by granting the Execute permission for the session to specific groups or users.