PowerShell Web Access vs AD Cmdlet

This topic contains 4 replies, has 2 voices, and was last updated by Jeremie Lauzier 1 year, 4 months ago.

  • Author
  • #25624
    Jeremie Lauzier


    First of all, I'm new to PowerShell and to this site.

    I have a project to get PowerShell Web Access configured so I can do a lot of my work with scripts when I'm out of the office.
    So I configured a Windows 2012 R2 (Core) server and installed PSWA and RSAT-AD-PowerShell.

    When I remote into my server, I can use the AD cmdlets, but not in the Web Access.
    The Active Directory Web Services is installed on one of my DCs.

    The error :

    PS C:\Users\adminlevel3\Documents> 
    Get-ADUser -Identity xxxx -Server DCFQDN
    Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have
     the Active Directory Web Services running.
        + CategoryInfo          : ResourceUnavailable: (xxxx:ADUser) [Get-ADUser], ADServerDownException 
        + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser 

    If you have ideas, please help !
    Thanks !

  • #25625
    tommymaynard

    Step away from PowerShell Web Access (PSWA) for a moment. Come back to it (and create your authorization rule(s)) when everything below is working.

    As you've witnessed, if you connect to a remote Domain Controller using PowerShell Remoting, you can run cmdlets in the ActiveDirectory module without any problem. As well, you've also seen the problem with PS Remoting to a member server with the AD tools installed, and that you can't run the cmdlets. There are two ways to get around this: one, CredSSP, and two, a PowerShell constrained endpoint. I'm not going to focus on CredSSP since it has security problems, and since we can get around this problem by creating an endpoint.

    On the member server (that has your AD tools), you need to create an endpoint. Start by running New-PSSessionConfigurationFile with the -Path parameter and a valid path, such as New-PSSessionConfigurationFile -Path C:\PSendpoints\ADendpoint.pssc. There's plenty of other parameters, but this will get your session configuration file created (note that the term endpoint, and session configuration are basically interchangeable). Now, use the Register-PSSessionConfiguration cmdlet with the -Name parameter (give your endpoint a name), the -Path parameter (the path to your .pssc file), and the -RunAsCredential (domain\username and it'll prompt you for your password). This can be any AD account for Get-* cmdlets, but will need to be an elevated account if you plan to change group memberships, change accounts, etc. To remove an endpoint, use Unregister-PSSessionConfiguration -Name [i]NameOfEndpoint[/i].

    Now you can connect to the new session configuration from your workstation: Enter-PSSession -ComputerName -ConfigurationName [i]NameOfEndpoint[/i]. If you've done everything right, and I haven't missed a step, you should be able to use those cmdlets with any problems. I've been able to at least.

    Once this endpoint is done, you can return to your PSWA server and create a new authorization rule. Be sure to include the name of your endpoint as the value for the -ConfigurationName parameter, and when you use PSWA, to click 'Optional connection settings' and enter your endpoint name where it says Configuration name. Good luck and let me know if you have any follow-up questions. It can be overwhelming since you're new to PowerShell!
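
The procedure from the reply above, collected into one script. This is an added example, not part of the original thread; the server name, domain, user and rule name are hypothetical placeholders, and the `-ModulesToImport` setting and the verification steps go beyond what the post describes.

```powershell
# Added example: placeholder names below are assumptions, not values from the thread.
$endpointName = 'ADendpoint'
$psscPath     = 'C:\PSendpoints\ADendpoint.pssc'   # example path used in the post
$memberServer = 'member01.contoso.example'          # hypothetical server with RSAT-AD-PowerShell
$pswaUser     = 'CONTOSO\adminlevel3'               # hypothetical user allowed through PSWA

# --- On the member server that has the AD tools ---
# Create the folder and the session configuration file, then validate it.
New-Item -ItemType Directory -Path (Split-Path $psscPath) -Force | Out-Null
New-PSSessionConfigurationFile -Path $psscPath -ModulesToImport ActiveDirectory
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath is not valid."
}

# Everyone who connects to this endpoint acts as the RunAs account, so pick the
# least-privileged account that covers the cmdlets you need (the post notes any
# AD account is enough for Get-* cmdlets).
$runAs = Get-Credential -Message 'RunAs account for the AD endpoint'

# -Force suppresses the confirmation prompts; registering restarts WinRM.
Register-PSSessionConfiguration -Name $endpointName -Path $psscPath `
    -RunAsCredential $runAs -Force

# Review which identity the endpoint runs as and who is permitted to connect.
Get-PSSessionConfiguration -Name $endpointName |
    Format-List Name, RunAsUser, Permission

# --- From a workstation: confirm the endpoint reaches AD before touching PSWA ---
Invoke-Command -ComputerName $memberServer -ConfigurationName $endpointName -ScriptBlock {
    whoami                    # identity the session actually runs as
    (Get-ADDomain).DNSRoot    # fails with ADServerDownException if AD is unreachable
}

# --- On the PSWA gateway: authorize this user for this endpoint only ---
Add-PswaAuthorizationRule -RuleName 'AD endpoint only' -UserName $pswaUser `
    -ComputerName $memberServer -ConfigurationName $endpointName

# To undo: Unregister-PSSessionConfiguration -Name $endpointName
```

Because the rule names a specific `-ConfigurationName`, the PSWA user must enter that endpoint name under 'Optional connection settings' when signing in.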

  • #25632
    Jeremie Lauzier


    Thanks! That worked in PSWA.

    Only one thing I saw.
    If I use the command [b]Get-ADUser username[/b], that works fine.

    But if I type [b]Get-ADUser -Filter username[/b], that doesn't work. I got this error:

    Error parsing query: 'username' Error Message: 'syntax error' at position: '1'.
        + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingException 
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Micro

    Do you have an idea why?
    Thanks for your help.

  • #25633
    tommymaynard

    Your error is based on incorrect usage, and has nothing to do with any session configuration or PSWA. Run Get-Help Get-ADUser -Examples and take a look at how the -Filter parameter is used. It's different than the -Identity parameter, which is what you use when you enter Get-ADUser [i]username[/i].

  • #25634
    Jeremie Lauzier

    Thanks I found out after I clicked on Submit. (My bad)
    Again thanks for your fast help.

    Have a good day.
