Author Posts

September 17, 2014 at 12:24 pm

I just finished watching Don Jones video's on CBT Nugget on how to run native commands, but I need to run these remotely I need to change the password on a domain that my laptop isn't a member of. I have already changed the trusted host file so I can make the connection to one of the servers in the domain to run the comand from, but I can't get the commands to work. All of the DC's in that domain are 2003 DC's.

[172.99.26.21]: PS C:\Users\admin\Documents> net user 'testuser' /DOMAIN | FIND /I "Account active"

[172.99.26.21]: PS C:\Users\admin\Documents>
See, no output 😉
I think I have two problems, one is syntax, where to I put the quotes and the other passing credentials. HELP please!!!

September 18, 2014 at 6:52 am

I'm testing your scenario with 2008 R2 domain controllers and it works without issue even when I connect to a member server instead of a domain controller using:

Enter-PSSession -ComputerName 172.99.26.21 -Credential (Get-Credential)

Then I run the following:

net user 'testuser' /DOMAIN | FIND /I "Account active"

And it returns:

Account active No

September 22, 2014 at 3:19 pm

Sorry for taking so long to respond, I guess I was expecting an email if someone responded. Just to verify, the workstation that you used, is not a member of the domain? I just tried it again, and I still get nothing.

$cred = Get-Credential -Credential 'domain\domainadmin'
Enter-PSSession -ComputerName '10.199.25.121' -Credential $cred
[10.199.25.121]: PS C:\Users\diverso\Documents> net user 'DomainUser' /DOMAIN | FIND /I "Account active"
NOTHING

September 22, 2014 at 4:59 pm

I wasn't sure if that's how I tested it so I decided to re-test and I'm able to replicate the problem. If you run only the first part of the command:

$cred = Get-Credential -Credential 'domain\domainadmin'
Enter-PSSession -ComputerName '10.199.25.121' -Credential $cred
[10.199.25.121]: PS C:\Users\diverso\Documents> net user 'DomainUser' /DOMAIN

I bet you'll receive an access denied error. Since you're connected to a member server and running the command in a remote session, it's trying to contact a domain controller and you're experiencing the double-hop problem.

The reason you receive nothing when you pipe to the FIND command is because the first part of the command doesn't produce any results.

October 7, 2014 at 12:51 pm

Thanks Mike. So, because I am running it remotely, the first command doesn't work because the credentials won't carry to the DC? Will this work if I create an end point on this server and give it the command and credential and then make that only available to a certain group?

October 18, 2014 at 5:49 am

Can this be done if I enable wsmancredssp?

October 29, 2014 at 7:04 am

Anyone, do we think this can be done with credssp?

November 10, 2014 at 12:21 pm

Ok, I got this working with WSMCredssp. I had to enable WSMancresssp on the server that the native commands would try and access:

Enable-WSManCredSSP -Role server -Force #run this on endpoint server

The last issue is how to add new line between the lines in the body of the email.

Thanks DON, great training, ready for feedback.

function Unlock-DOMUser {
[CmdletBinding()]
Param (
[parameter(Mandatory=$true,
Position=0,
ParameterSetName="Status")]
[parameter(Mandatory=$true,
Position=0,
ParameterSetName="Unlock")]
[parameter(Mandatory=$true,
Position=0,
ParameterSetName="Reset")]
[String]$DOMeid,
[parameter(Mandatory=$true,
ParameterSetName="Status")]
[Switch]$AccountStatus,
[parameter(Mandatory=$true,
ParameterSetName="Unlock")]
[Switch]$AccountUnlock,
[parameter(Mandatory=$true,
ParameterSetName="Reset")]
[Switch]$AccountReset,
[parameter(Position=2,
ParameterSetName="Reset")]
[String]$EmailAddress = "$DOMeid@domdom.com"
)

Begin{
#Get-Item -Path WSMan:\localhost\Client\TrustedHosts
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'atl01osi357' -Confirm:$false -Force
Enable-WSManCredSSP -DelegateComputer serv01oss333.DOM.DOM.com -Force -Role Client | Out-Null
$User = "DOM\svc-custkkreset"
$PWord = ConvertTo-SecureString –String 'password' -AsPlainText -Force
$Credential = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList $User, $PWord
$credsp1 = New-PSSession -ComputerName 'serv01oss333.DOM.DOM.com' -Credential $Credential -Name credssp1 -Authentication Credssp

}#end begin

Process{
if ( $AccountStatus ) {
Invoke-Command -session $credsp1 -ScriptBlock { param($DOMeid) net user $DOMeid /DOMAIN | FIND /I "Account active"} -ArgumentList $DOMeid
}#end if

if ( $AccountUnlock ) {
Invoke-Command -session $credsp1 -ScriptBlock { param($DOMeid) Net user $DOMeid /DOMAIN /active:YES } -ArgumentList $DOMeid
}#end if

if ( $AccountReset ) {
$randn = get-random -min 101 -max 999
[string]$randl = (Get-Random -InputObject 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z' -Count 4)
$randl = $randl.Replace(' ',")
[string]$paswd = "!DOM"+$randl+$randn

Invoke-Command -session $credsp1 -ScriptBlock { param($DOMeid,$paswd) Net user $DOMeid $paswd /DOMAIN /active:YES } -ArgumentList $DOMeid,$paswd

Send-MailMessage -From "cs@domdom.com" `
-Cc me@DomDom.com `
-Subject "DOM Pasword Reset" `
-BodyAsHtml -Body "Your DOM password had been reset to $paswd, please reset at next logon. `
If you still need help, contact the Service Desk:`r`n `
For Field Associates: 777-llll For Corporate Campus: ext1111" `
-To "$EmailAddress" -SmtpServer email.DOM.com

}#end if

}#end process

End{
Remove-PSSession -Session $credsp1
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value " -Confirm:$false -Force
}#end end

}#end function

November 11, 2014 at 2:43 pm

The `r and `n do nothing. Why is that?