Pass credentials with AD cmdlets?

This topic contains 12 replies, has 6 voices, and was last updated by Venu 6 months ago.

  • #31336
    Jason Beckett
    Participant

    I have a script that connects to Exchange Online PS, Exchange on-prem PS and AD. I store the credentials for Exchange Online and Exchange on-prem via password encrypted in an XML file.

    What I would like to be able to do is connect to AD in a similar fashion (i.e. Import-PSSession $exchonprem) in the script rather than relying on the credentials the scheduled task is running as.

    Any input on how I might accomplish this would be appreciated.
    Here's a sample of my script:

  • #31339
    Curtis Smith
    Participant

    Most, if not all, AD cmdlets support the -Credential parameter; you would just load your credential into a variable and then pass it to the cmdlet.

  • #31341
    Jason Beckett
    Participant

    Thank you Curtis. Is it necessary to then specify the credential parameter each time I call an AD cmdlet? I was hoping to do it similar to my exchange ps sessions where I only have to send the credentials once.

  • #31343
    Peter Jurgens
    Participant

    Another option is to use the $PSDefaultParameterValues automatic variable to force every *-AD* cmdlet to use credentials where the credential parameter is available.

    $creds = Get-Credential
    $PSDefaultParameterValues = @{"*-AD*:Credential"=$creds}

    You could stick that into the beginning of your scripts, or in your powershell profile if you like. This will ensure that every AD cmdlet is run with the correct credentials.
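
Added example, not part of the original posts: the $PSDefaultParameterValues approach combined with a credential stored in an encrypted XML file, as the original question describes. The file path and variable names are assumptions; the file is assumed to have been created once with `Get-Credential | Export-Clixml` by the same account that runs the script.

```powershell
# Hypothetical path. On Windows, Export-Clixml protects the password with DPAPI,
# so only the same user on the same machine can decrypt the file. Create it
# while logged on as the account the scheduled task runs as:
#   Get-Credential | Export-Clixml -Path C:\Scripts\ad-cred.xml
$credPath = 'C:\Scripts\ad-cred.xml'

try {
    $adCred = Import-Clixml -Path $credPath -ErrorAction Stop
} catch {
    throw "Could not load or decrypt '$credPath' (wrong account or machine?): $_"
}
if ($adCred -isnot [System.Management.Automation.PSCredential]) {
    throw "'$credPath' does not contain a PSCredential object."
}

# The wildcard applies to every command whose noun begins with AD and that has
# a -Credential parameter, not only the ActiveDirectory module's cmdlets.
$key      = '*-AD*:Credential'
$previous = $PSDefaultParameterValues[$key]

# Index assignment adds one entry; assigning a new hashtable to
# $PSDefaultParameterValues would discard any defaults already set.
$PSDefaultParameterValues[$key] = $adCred

try {
    Import-Module ActiveDirectory -ErrorAction Stop

    # No -Credential needed on the individual calls.
    Get-ADDomain | Select-Object DNSRoot, PDCEmulator
    Get-ADGroup 'Group' | Get-ADGroupMember
}
finally {
    # Restore the earlier state so the alternate credential does not stay
    # attached to later commands in the same session.
    if ($null -ne $previous) {
        $PSDefaultParameterValues[$key] = $previous
    } else {
        $PSDefaultParameterValues.Remove($key)
    }
}
```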

  • #31344
    Jason Beckett
    Participant

    That's a brilliant solution. Thank you Peter.

  • #31345
    Peter Jurgens
    Participant

    You can absolutely use a technique called Implicit Remoting to connect to your domain controller by PSSession with alternate credentials and import your cmdlets. Something like that would be:

    $cred = Get-Credential "domain\username"
    $DC = New-PSSession -ComputerName DC01 -Credential $cred
    # Invoke-Command here in case the DC is running earlier than PSv3
    Invoke-Command -Session $DC -ScriptBlock {Import-Module ActiveDirectory}
    Import-PSSession $DC -Module ActiveDirectory

    This will import the AD cmdlets into your current session. The only caveat with implicit remoting is that your commands and data returned are serialized and deserialized when they are sent/retrieved, which causes issues with usability of the commands. For instance:

    Get-ADGroup 'Group' | Get-ADGroupMember

    This works fine with locally installed RSAT and AD cmdlets, however you will get an error if you try to run this with cmdlets that were imported through implicit remoting. To work around this, you will have to use a lot of ForEach-Object:

    Get-ADGroup 'Group' | ForEach{Get-ADGroupMember -Identity $_.distinguishedname}

    In some cases as well I've found that this can cause odd issues where not "every" item is processed in the foreach loop. I've not encountered this for a while personally so I can't say for sure but previously when I was using implicit remoting over installing RSAT I certainly encountered this issue numerous times.

  • #31350
    Jason Beckett
    Participant

    Thanks for the suggestion. I'm familiar with the implicit remoting option, but for precisely the reasons you listed I was looking for an alternative.

    I think your suggestion to use PSDefaultParameterValues is the ticket for me 🙂

  • #62115
    Venu
    Participant

    Hi All,

    I need the same information from Active Directory via remote. Please find below the query which I have used. But it's not working. Kindly help to solve this.

    ps = """ $cred = Get-Credential "my credential"
    $DC = New-PSSession -ComputerName mycomputername -Credential $cred
    Invoke-Command -Session $DC -ScriptBlock {Import-Module ActiveDirectory}
    Import-PSSession $DC -Module ActiveDirectory
    Get-ADDomain """

    Thanks,
    venu

  • #62140
    Vandrey Trindade
    Participant

    Peter Jurgens,

    Hi! I was using this to avoid using the "-Credential" parameter in every command or to work around commands that don't have that option:

    Start PowerShell -Credential $ADcred -ArgumentList "-File .\script.ps1" -Wait
  • #62143
    Ron
    Participant

    You can also use PSDrives to access AD. It's particularly helpful if you need to connect to different domains.

    new-psdrive -name AD1 -psprovider activedirectory -server ad1.com -root "" -Cred $a1
    new-psdrive -name AD2 -psprovider activedirectory -server ad2.com -root "" -Cred $a2

    Now just "cd" to the domain you want to work with.

    cd AD1:
    get-aduser blah...

  • #62202
    Venu
    Participant

    Hi Vandrey and Ron,

    Thanks for your update. I have used your opinion, but it's not working. I need to remote login to process this task using Python. The script is OK but the PowerShell command is not working. I am not an expert in PowerShell, so I need help from you. Please find my scripts below for your reference. Kindly provide the exact PowerShell command to retrieve data from AD.

    Python Script:

    #!/opt/bin/python2.7
    import winrm
    import requests
    import settings

    serv_ip = "My IP"
    serv_user = "My UserName"
    pwd = "My Password"

    ps = """ $cred = Get-Credential "my credential"
    $DC = New-PSSession -ComputerName "mycomputername" -Cred $cred
    Invoke-Command -Session $DC -ScriptBlock {Import-Module ActiveDirectory}
    Import-PSSession $DC -Module ActiveDirectory
    Get-ADDomain """

    def ad_info():
        try:
            winrmsession = winrm.Session('%s'%settings.serv_ip,auth=('%s'%settings.serv_user,'%s'%settings.pwd),transport = 'ntlm',server_cert_validation='ignore')
            output = winrmsession.run_ps(ps)
            print output.std_out
        except (requests.exceptions.ConnectionError,winrm.exceptions.InvalidCredentialsError),e:
            print e

    if __name__ == "__main__":
        ad_info()

    Thanks,
    Gopal.

  • #62217
    Vandrey Trindade
    Participant

    Venu,

    Sorry, I don't know anything about Python... =/

    • #62218
      Venu
      Participant

      Hi Vandrey,

      OK, fine. But I need only the PowerShell command to use via remote.

      Thanks,
      Venu.
