Using native commands over remote connection

Welcome Forums General PowerShell Q&A Using native commands over remote connection

This topic contains 8 replies, has 2 voices, and was last updated by

 
Participant
4 years, 1 month ago.

  • Author
    Posts
  • #18895

    Participant
    Points: 2
    Rank: Member

    I just finished watching Don Jones video's on CBT Nugget on how to run native commands, but I need to run these remotely I need to change the password on a domain that my laptop isn't a member of. I have already changed the trusted host file so I can make the connection to one of the servers in the domain to run the comand from, but I can't get the commands to work. All of the DC's in that domain are 2003 DC's.

    [172.99.26.21]: PS C:\Users\admin\Documents> net user 'testuser' /DOMAIN | FIND /I "Account active"

    [172.99.26.21]: PS C:\Users\admin\Documents>
    See, no output 😉
    I think I have two problems, one is syntax, where to I put the quotes and the other passing credentials. HELP please!!!

  • #18917

    Participant
    Points: 53
    Rank: Member

    I'm testing your scenario with 2008 R2 domain controllers and it works without issue even when I connect to a member server instead of a domain controller using:

    Enter-PSSession -ComputerName 172.99.26.21 -Credential (Get-Credential)

    Then I run the following:

    net user 'testuser' /DOMAIN | FIND /I "Account active"

    And it returns:

    Account active No

  • #19001

    Participant
    Points: 2
    Rank: Member

    Sorry for taking so long to respond, I guess I was expecting an email if someone responded. Just to verify, the workstation that you used, is not a member of the domain? I just tried it again, and I still get nothing.

    $cred = Get-Credential -Credential 'domain\domainadmin'
    Enter-PSSession -ComputerName '10.199.25.121' -Credential $cred
    [10.199.25.121]: PS C:\Users\diverso\Documents> net user 'DomainUser' /DOMAIN | FIND /I "Account active"
    NOTHING

  • #19002

    Participant
    Points: 53
    Rank: Member

    I wasn't sure if that's how I tested it so I decided to re-test and I'm able to replicate the problem. If you run only the first part of the command:

    $cred = Get-Credential -Credential 'domain\domainadmin'
    Enter-PSSession -ComputerName '10.199.25.121' -Credential $cred
    [10.199.25.121]: PS C:\Users\diverso\Documents> net user 'DomainUser' /DOMAIN

    I bet you'll receive an access denied error. Since you're connected to a member server and running the command in a remote session, it's trying to contact a domain controller and you're experiencing the double-hop problem.

    The reason you receive nothing when you pipe to the FIND command is because the first part of the command doesn't produce any results.

  • #19490

    Participant
    Points: 2
    Rank: Member

    Thanks Mike. So, because I am running it remotely, the first command doesn't work because the credentials won't carry to the DC? Will this work if I create an end point on this server and give it the command and credential and then make that only available to a certain group?

  • #19836

    Participant
    Points: 2
    Rank: Member

    Can this be done if I enable wsmancredssp?

    • #20137

      Participant
      Points: 2
      Rank: Member

      Anyone, do we think this can be done with credssp?

  • #20486

    Participant
    Points: 2
    Rank: Member

    Ok, I got this working with WSMCredssp. I had to enable WSMancresssp on the server that the native commands would try and access:

    Enable-WSManCredSSP -Role server -Force #run this on endpoint server

    The last issue is how to add new line between the lines in the body of the email.

    Thanks DON, great training, ready for feedback.

    function Unlock-DOMUser {
    [CmdletBinding()]
    Param (
    [parameter(Mandatory=$true,
    Position=0,
    ParameterSetName="Status")]
    [parameter(Mandatory=$true,
    Position=0,
    ParameterSetName="Unlock")]
    [parameter(Mandatory=$true,
    Position=0,
    ParameterSetName="Reset")]
    [String]$DOMeid,
    [parameter(Mandatory=$true,
    ParameterSetName="Status")]
    [Switch]$AccountStatus,
    [parameter(Mandatory=$true,
    ParameterSetName="Unlock")]
    [Switch]$AccountUnlock,
    [parameter(Mandatory=$true,
    ParameterSetName="Reset")]
    [Switch]$AccountReset,
    [parameter(Position=2,
    ParameterSetName="Reset")]
    [String]$EmailAddress = "$DOMeid@domdom.com"
    )

    Begin{
    #Get-Item -Path WSMan:\localhost\Client\TrustedHosts
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'atl01osi357' -Confirm:$false -Force
    Enable-WSManCredSSP -DelegateComputer serv01oss333.DOM.DOM.com -Force -Role Client | Out-Null
    $User = "DOM\svc-custkkreset"
    $PWord = ConvertTo-SecureString –String 'password' -AsPlainText -Force
    $Credential = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList $User, $PWord
    $credsp1 = New-PSSession -ComputerName 'serv01oss333.DOM.DOM.com' -Credential $Credential -Name credssp1 -Authentication Credssp

    }#end begin

    Process{
    if ( $AccountStatus ) {
    Invoke-Command -session $credsp1 -ScriptBlock { param($DOMeid) net user $DOMeid /DOMAIN | FIND /I "Account active"} -ArgumentList $DOMeid
    }#end if

    if ( $AccountUnlock ) {
    Invoke-Command -session $credsp1 -ScriptBlock { param($DOMeid) Net user $DOMeid /DOMAIN /active:YES } -ArgumentList $DOMeid
    }#end if

    if ( $AccountReset ) {
    $randn = get-random -min 101 -max 999
    [string]$randl = (Get-Random -InputObject 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z' -Count 4)
    $randl = $randl.Replace(' ',")
    [string]$paswd = "!DOM"+$randl+$randn

    Invoke-Command -session $credsp1 -ScriptBlock { param($DOMeid,$paswd) Net user $DOMeid $paswd /DOMAIN /active:YES } -ArgumentList $DOMeid,$paswd

    Send-MailMessage -From "cs@domdom.com" `
    -Cc me@DomDom.com `
    -Subject "DOM Pasword Reset" `
    -BodyAsHtml -Body "Your DOM password had been reset to $paswd, please reset at next logon. `
    If you still need help, contact the Service Desk:`r`n `
    For Field Associates: 777-llll For Corporate Campus: ext1111" `
    -To "$EmailAddress" -SmtpServer email.DOM.com

    }#end if

    }#end process

    End{
    Remove-PSSession -Session $credsp1
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value " -Confirm:$false -Force
    }#end end

    }#end function

  • #20519

    Participant
    Points: 2
    Rank: Member

    The `r and `n do nothing. Why is that?

The topic ‘Using native commands over remote connection’ is closed to new replies.