
September 4, 2014 at 11:05 am

I'm trying to use remoting to use the 2012 ActiveDirectory module from a Windows 7 machine with WMF 4.0 installed. I have enabled CredSSP on the member server that has the ActiveDirectory module and set it up on the workstation I'm testing from.
On the server:

Enable-WSManCredSSP -Role server

On the test workstation:

Enable-WSManCredSSP -Role client -DelegateComputer ps-script01.domain.com

And then I try to import the module.

PS H:\> $cred = Get-Credential domain/user
PS H:\> $session = New-PSSession -ComputerName ps-script01.domain.com -Authentication Credssp -Credential $cred

PS H:\> import-module -PSSession $session -Name ActiveDirectory
import-module : Failed to generate proxies for remote module 'ActiveDirectory'.  The specified path, file name, or
both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less
than 248 characters.
At line:1 char:1
+ import-module -PSSession $session -Name ActiveDirectory
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Module], InvalidOperationException
    + FullyQualifiedErrorId : CmdletProviderInvocationException,Microsoft.PowerShell.Commands.ImportModuleCommand

I'm at a loss on this one.

The reason I'm doing this with a member server is we don't have the user that will eventually run the script to have access to the DC.

September 4, 2014 at 11:31 pm

David,

I think we need to understand what you're actually trying to achieve in the end. Which tasks do you want to perform against Active Directory from the workstations? Please provide a full list to give us a better picture of your scenario.

Thanks
Daniel

September 5, 2014 at 1:50 am

There is a JumpStart webcast about this topic @ http://www.microsoftvirtualacademy.com/training-courses/getting-started-with-powershell-3-0-jump-start

Getting Started with PowerShell 3.0 Jump Start
Module 09 | Introducing scripting and toolmaking

Starting: [13:33] | PowerShell remote CMDLETs

Maybe this gives you a deeper insight.

Regards

Christian

September 5, 2014 at 4:36 am

Basically we have a scheduled script that sets logon hours based on a CSV file provided by HR. However, the names provided are not always the same as what is in AD. So I need the HR person to be able to run

get-aduser -filter {GivenName -like $FirstName -and SN -like $LastName}

as part of a script to validate the CSV data.
They are on Windows 7 with WMF 4.0 installed.

September 5, 2014 at 12:38 pm

@Christian Francke

That video was a life saver. I have it working via CredSSP.

Using Import-PSSession I was able to import the module and use it from the member server.

Now I would like to be able to do it with Kerberos constrained delegation. Any takers on how to do that?

I tried to set up WSMAN to the DC on the member server's AD object, but I still get this error:

Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not
have the Active Directory Web Services running.
    + CategoryInfo          : ResourceUnavailable: (pds-admin75:ADComputer) [Get-ADComputer], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
    + PSComputerName        : ps-script01.pinnaclebancorp.com

September 6, 2014 at 2:53 pm

David,

Have you considered installing the Remote Server Administration Tools (RSAT) and enabling the AD PowerShell module on the HR Windows 7 machines?

September 8, 2014 at 12:39 pm

It's my understanding that Microsoft does not recommend using the down version RSAT with a newer domain. I know this function in question is a read, but I'm trying to stick to the tools that match the DC.

September 8, 2014 at 1:29 pm

Strange. It looks like it's working now.

PS C:\WINDOWS> $s = New-PSSession -ComputerName ps-script01
PS C:\WINDOWS> import-pssession -Session $s -Module ActiveDirectory -Prefix Remote

ModuleType Version    Name                                ExportedCommands
--------- ------    -----                               ----------------
Script     1.0        tmp_4jss0rk1.4sz                    {Add-RemoteADCentralAccessPolicyMember, Add-RemoteADComput.

I'm betting the changes in AD did not take effect last week due to the lifetime of the Kerberos tickets.

Does anyone know how / where to clear Kerberos tickets?

September 8, 2014 at 1:39 pm

You can run the command line utility "klist" which comes bundled with Windows. Since Windows 7 if I'm correct.

klist purge

To show your tickets just run

klist

September 8, 2014 at 1:42 pm

I came across that, and last Friday I tried to purge on the member server. Am I supposed to run that on the workstation too? I can't imagine wanting to run it on the DC with a flat purge.

September 8, 2014 at 1:45 pm

klist only affects the session of the current user as far as I know. You need to purge on the workstation or from where you're connecting to the PowerShell remoting endpoint.
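
The CSV check described in the September 5 post, run through the implicitly remoted session shown later in the thread, as an added example that is not part of any participant's post. The filter is built as a string on the workstation because the variables in a script-block filter ($FirstName, $LastName) are not defined in the remote session, and the CSV values are allow-listed and quote-escaped so HR-supplied data cannot change the query. The CSV column names, the sample rows and the ConvertTo-ADFilterLiteral helper are assumptions; ps-script01 and the Remote prefix come from the thread.

```powershell
# Added example, not code from the thread. Constructed sample rows stand in for the
# HR file; the column names FirstName/LastName are assumed. Use Import-Csv for a real file.
$rows = @'
FirstName,LastName
Dana,O'Neil
Sam,Smith*
'@ | ConvertFrom-Csv

function ConvertTo-ADFilterLiteral {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Value)
    # Allow-list: letters, spaces, periods, apostrophes, hyphens. This rejects '*',
    # '$', parentheses and double quotes, so a CSV cell cannot widen or alter the filter.
    if ($Value -notmatch '^[\p{L} .''\-]{1,64}$') {
        throw "Unexpected characters in name: [$Value]"
    }
    # Inside a single-quoted filter literal, a single quote is escaped by doubling it.
    return $Value.Replace("'", "''")
}

$s = New-PSSession -ComputerName ps-script01   # default (Kerberos) authentication
try {
    # Import only the one cmdlet the validation needs, not the whole module.
    Import-PSSession -Session $s -Module ActiveDirectory -CommandName Get-ADUser -Prefix Remote | Out-Null

    $report = foreach ($row in $rows) {
        try {
            $first = ConvertTo-ADFilterLiteral $row.FirstName
            $last  = ConvertTo-ADFilterLiteral $row.LastName
            # Values are expanded locally; the remote side receives a finished string.
            $filter = "GivenName -like '$first' -and SN -like '$last'"
            $hits   = @(Get-RemoteADUser -Filter $filter -ErrorAction Stop)
            $status = if ($hits.Count -eq 1) { 'Match' }
                      elseif ($hits.Count -eq 0) { 'NotFound' }
                      else { 'Ambiguous' }
            $account = ($hits | ForEach-Object SamAccountName) -join ';'
        } catch {
            $status = "Error: $($_.Exception.Message)"; $account = ''
        }
        [pscustomobject]@{ FirstName = $row.FirstName; LastName = $row.LastName; Status = $status; Account = $account }
    }
    $report   # one row per CSV line, for the HR user to review
}
finally {
    Remove-PSSession $s   # do not leave the remoting session open
}
```

Get-RemoteADUser still runs on ps-script01 and has to reach the DC from there, so it depends on the delegation discussed in the thread being in effect.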