Brian Clanton

Forum Replies Created

  • in reply to: Get-ADOrganizationalUnit Subtree #222687
    Participant
    Topics: 67
    Replies: 71
    Points: 527
    Rank: Major Contributor
    • Hosted OU
      • Company1_OU
        • User1_1
        • User2_1
        • User3_1
      • Company2_OU
        • User1_2
        • User2_2
        • User3_2
        • Company2A_OU
          • User1_2A
          • User2_2A
          • User3_2A
      • Company3_OU
        • User1_3
        • User2_3
        • User3_#

     

    I need to capture all of these users and their attributes and list the OU that each one belongs to, along with other attributes.

    Name      OU
    User1_1   Company1_OU
    User2_1   Company1_OU
    User3_1   Company1_OU
    User1_2   Company2_OU
    User2_2   Company2_OU
    User3_2   Company2_OU
    User1_2A  Company2A_OU
    User2_2A  Company2A_OU
    User3_2A  Company2A_OU
    User1_3   Company3_OU
    User2_3   Company3_OU
    User3_3   Company3_OU

     

    My original command was to first capture all of the OUs within the Hosted OU, recursively, so that the sub-OUs are included (for example Company2A_OU).

     

    My original command was to declare my ‘Hosted’ OU and then use the Subtree scope to recursively grab the sub-OUs; however, the root OU appears in the list.

     

    $OUs = Get-ADOrganizationalUnit -Filter * -SearchBase 'OU=Hosted,DC=XXXX,DC=local' -SearchScope Subtree

    in reply to: Get-ADOrganizationalUnit Subtree #222618

    There are one or two OU’s that might go 2, maybe 3 deep.

    in reply to: Get-ADOrganizationalUnit Subtree #222576

    It would be helpful if I had the OU the user was a part of. Preferably just the ‘Name’ property and not the full ‘DistinguishedName’ property.

     

    Basically, the report should have:

    Name       SamAccountName  OU
    Jon Smith  jsmith          Company 1
    Jon Doe    jdoe            Company 2
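    The following is an added example, not the poster's script, covering both requests in this thread: the sub-OUs below OU=Hosted without the root OU itself, and every user below it with the Name of the OU that directly holds it rather than the full DistinguishedName. The search base and domain are the placeholders from the thread; the export path is an assumption.

```powershell
# Added example (not from the thread). Assumes RSAT / the ActiveDirectory module and the placeholder base DN below.
Import-Module ActiveDirectory
$base = 'OU=Hosted,DC=XXXX,DC=local'

# -SearchScope Subtree returns the base object itself; drop it by DN to keep only the sub-OUs.
$subOUs = Get-ADOrganizationalUnit -Filter * -SearchBase $base -SearchScope Subtree |
    Where-Object DistinguishedName -ne $base

# Lookup from OU DN -> OU Name, so the report can show 'Company2A_OU' instead of the whole DN.
$ouNameByDn = @{}
foreach ($ou in $subOUs) { $ouNameByDn[$ou.DistinguishedName] = $ou.Name }

# One subtree query for all users; the parent container is the user's DN minus its leading RDN.
# The regex skips escaped characters, so a CN such as "Smith\, Jon" does not break the split.
$report = Get-ADUser -Filter * -SearchBase $base -SearchScope Subtree |
    ForEach-Object {
        $parentDn = $_.DistinguishedName -replace '^(?:\\.|[^,\\])+,', ''
        [pscustomobject]@{
            Name           = $_.Name
            SamAccountName = $_.SamAccountName
            OU             = if ($ouNameByDn.ContainsKey($parentDn)) { $ouNameByDn[$parentDn] } else { $parentDn }
            Enabled        = $_.Enabled
        }
    }

$report | Sort-Object OU, Name | Format-Table Name, SamAccountName, OU, Enabled -AutoSize
# $report | Export-Csv -Path C:\utility\hosted-users.csv -NoTypeInformation   # assumed path
```

    One subtree query for users is cheaper than one Get-ADUser call per OU, and deriving the parent from the DN works however deep the OUs nest. A user sitting directly in the Hosted OU (not in any sub-OU) falls through to the `else` branch and shows its parent DN, which makes such objects easy to spot in the report.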
    in reply to: Ctrl Alt Delete #221601

    It is just a shortcut that runs the following command.

    C:\Windows\explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}

    in reply to: Password Expiration Notification Form #220230

    I could do this as a scheduled task, but there are probably a total of 120 terminal servers. I would have to create the task on all of them, and then updates/edits would have to be done on EACH. Ideally I would want a centrally managed solution.

    in reply to: Password Expiration Notification Form #220224

    This is a good idea, but there is a subset of clinics that do not have email for their staff.

    in reply to: Password Expiration Notification Form #219939

    The problem is that users are not seeing it and it results in a deluge of calls that their password has expired.   We apparently need something more in their field of view.
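    As an added example for this thread (not the poster's script), here is a logon-script style warning that a GPO can push to all the terminal servers from one place, which puts the notice in the user's field of view and needs no email. It uses ADSI instead of the ActiveDirectory module so it runs on hosts without RSAT. The 14-day threshold and the dialog text are assumptions.

```powershell
# Added example (not from the thread). Assumes a domain-joined host and a domain user session.
param([int]$WarnDays = 14)   # assumed threshold

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the DC works it out from the
# effective (default or fine-grained) policy, so the script never has to know the policy itself.
$searcher = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('msDS-UserPasswordExpiryTimeComputed', 'userAccountControl'))
$result = $searcher.FindOne()
if (-not $result) { return }   # local account or lookup failed: nothing to warn about

$uac = [int]$result.Properties['useraccountcontrol'][0]
if ($uac -band 0x10000) { return }   # DONT_EXPIRE_PASSWORD is set

$raw = [int64]$result.Properties['msds-userpasswordexpirytimecomputed'][0]
if ($raw -eq 0 -or $raw -eq [int64]::MaxValue) { return }   # no expiry in effect (e.g. no max password age)

$expires  = [DateTime]::FromFileTime($raw)
$daysLeft = [int][Math]::Floor(($expires - (Get-Date)).TotalDays)
if ($daysLeft -gt $WarnDays) { return }

Add-Type -AssemblyName System.Windows.Forms
$text = if ($daysLeft -lt 0) {
    'Your password has expired.'
} else {
    "Your password expires in $daysLeft day(s), on $($expires.ToString('g')). Press Ctrl+Alt+Del and choose 'Change a password'."
}
[void][System.Windows.Forms.MessageBox]::Show($text, 'Password expiry notice', 'OK', 'Warning')
```

    Deployed as a GPO logon script, the same file serves every terminal server and is edited in one place. It only fires at logon; for sessions that stay connected for days, the same script can be run from a GPO-deployed scheduled task on a daily trigger, which is still one object to maintain rather than one per server.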

    in reply to: PowerShell inventory run as a service #219669

    I am not married to the idea of a service. I took that idea from Nagios, and it would seem that deployment and activation of a service might be easier than installing and configuring a scheduled task on a large number of machines.

    We are talking about maybe 500 clients spread out through the US and the number of machines per client ranges from 2 to 50.   So installing as a service would seem ideal to me, but I am open to other options.

    The ‘data’ would just be basic computer specs (hostname, CPU, memory, HD (make and model), BIOS, etc.).

     

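    As an added example (not the poster's code), this is the inventory payload described above collected with CIM and emitted as JSON, with a fan-out from one management host so nothing has to be installed or scheduled on each client. The target names and the output folder are assumptions.

```powershell
# Added example (not from the thread). Assumes WinRM is enabled on the targets and C:\inventory exists locally.
function Get-BasicInventory {
    $cs   = Get-CimInstance Win32_ComputerSystem
    $os   = Get-CimInstance Win32_OperatingSystem
    $bios = Get-CimInstance Win32_BIOS
    $cpu  = Get-CimInstance Win32_Processor
    $disk = Get-CimInstance Win32_DiskDrive

    [pscustomobject]@{
        Hostname     = $env:COMPUTERNAME
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        OS           = $os.Caption
        MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        CPU          = @($cpu | ForEach-Object {
                            [pscustomobject]@{ Name = $_.Name.Trim(); Cores = $_.NumberOfCores; Threads = $_.NumberOfLogicalProcessors }
                        })
        Disks        = @($disk | ForEach-Object {
                            [pscustomobject]@{ Model = $_.Model; Serial = "$($_.SerialNumber)".Trim(); SizeGB = [math]::Round($_.Size / 1GB) }
                        })
        BIOS         = [pscustomobject]@{
                            Vendor  = $bios.Manufacturer
                            Version = $bios.SMBIOSBIOSVersion
                            Serial  = $bios.SerialNumber
                            Release = $bios.ReleaseDate
                        }
        CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Pull from many machines at once; unreachable hosts are reported in $failed instead of stopping the run.
$targets = 'PC01', 'PC02'   # assumed machine names
$results = Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-BasicInventory} `
    -ErrorAction SilentlyContinue -ErrorVariable failed
foreach ($r in $results) {
    $r | ConvertTo-Json -Depth 4 | Set-Content -Path "C:\inventory\$($r.Hostname).json"   # assumed output folder
}
$failed | ForEach-Object { Write-Warning "Inventory failed for $($_.TargetObject): $($_.Exception.Message)" }
```

    The collector function is the same whether it is wrapped in a service, run from a scheduled task, or pushed out over WinRM as above; only the transport changes. Keeping the data as a single object per host makes the JSON easy to diff between runs, which is where a missing disk or a changed BIOS version shows up.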
    in reply to: INvoke-Command Get-ADPrincipalGroupMembership #210447

    We actually have 4 DCs, two of which are Win2008 that we are eventually going to decommission. Just to test, I remotely connected to the Win2008 box. It did not recognize ANY AD cmdlets, so I imported the AD module and then I was able to run my command, connected to the server via IP address.

    Not sure what that tells me about this server.

    PS C:\Users\administrator.TP> Enter-PSSession -ComputerName 10.221.21.5 -Credential XXXXX\brian.clanton
    [10.221.21.5]: PS C:\Users\brian.clanton\Documents> get-adprincipalgroupmembership tpemi
    The term 'get-adprincipalgroupmembership' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
        + CategoryInfo          :
        + FullyQualifiedErrorId : CommandNotFoundException
    
    [10.221.21.5]: PS C:\Users\brian.clanton\Documents> Import-Module activedirectory
    [10.221.21.5]: PS C:\Users\brian.clanton\Documents> get-adprincipalgroupmembership tpemi | select name
    
    name
    ----
    Domain Users
    Group-EMI-AllUsers
    Group-EMI-Administration
    Group-EMI-Accounting
    Group-EMI-HR
    Group-EMI_BizHubColor
    Group-EMI-CloudUsers
    EMI-FaxNotifications
    Group-AcmeAccess
    Group-EMI-Management
    Group-HAR-Drive
    Group-UCI-Drive
    Group-EMI-AccountingSub
    
    
    [10.221.21.5]: PS C:\Users\brian.clanton\Documents>
    in reply to: INvoke-Command Get-ADPrincipalGroupMembership #210438

    I checked Active Directory and both of the servers I tested were marked as ‘Global Catalog’.

     

    • Went into the AD ‘Domain Controllers’ container
    • Right clicked EACH domain controller I tested and then went to ‘NTDS Settings’
    • Both had the ‘Global Catalog’ radio checked.
    in reply to: INvoke-Command Get-ADPrincipalGroupMembership #210432

    I ran it with the ‘server’ parameter from a server on our network.  Same issue.

    PS C:\Users\administrator.TP> Get-ADPrincipalGroupMembership tpemi -server 10.221.21.3 -Credential XXXXX\administrator
    Get-ADPrincipalGroupMembership : The operation being requested was not performed because the user has not been authenticated
    At line:1 char:1
    + Get-ADPrincipalGroupMembership tpemi -server 10.221.21.3 -Credential xxxxx\adm ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (tpemi:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
    
    
    in reply to: INvoke-Command Get-ADPrincipalGroupMembership #210396

    Even after generating an SSL cert for the domain controller and then trying to run ‘Get-ADPrincipalGroupMembership’ on the server while authenticated via SSL, I am still having the same issue.   My objective is to be able to use Invoke-command from a domain that has a VPN to our datacenter domain controller to run Get commands, namely ‘Get-ADPrincipalGroupMembership’.

    I am referencing the steps outlined here:

    https://4sysops.com/archives/powershell-remoting-over-https-with-a-self-signed-ssl-certificate/

    1. I generated a SSL Cert on the domain controller
    2. From the domain controller (w16-dc1), I exported the cert to a file and then copied the file to a share that is accessible to my workstation (at the office, on another domain than the server). I also set up the HTTPS listener, adding the cert thumbprint.
    $Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "w16-dc1"
    
    Export-Certificate -Cert $Cert -FilePath C:\utility\w16-DC1cert
    
    New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
    
    New-PSDrive -Name "X" -PSProvider "FileSystem" -Root "\\CFS06\XXXX$\TPModules\Cert"
    
    copy-item C:\Utility\w16-DC1cert X:

    3. I verified that the cert was present on the domain controller within MMC (Certificates (Local Computer) – Personal – Certificates).

    4. I also verified all firewall settings on the Server.

    5. From my machine at the office (VPN to the domain controller), I added w16-dc1 to my hosts file, mapped to the internal IP address of the domain controller. I did this since my workstation cannot resolve w16-dc1 due to it being in another domain.

    6. I then imported the cert file on my local workstation.

    Import-Certificate -Filepath "\\w12-tp\TPModules$\Cert\w16-DC1cert" -CertStoreLocation "Cert:\LocalMachine\Root"

    7. I then initiated a remote session to the domain controller via hostname.

    Enter-PSSession -ComputerName w16-dc1 -UseSSL -Credential (Get-Credential XXXX\administrator)

    8. I was able to successfully enter an interactive session; however, the problem with the Get-ADPrincipalGroupMembership cmdlet still exists, where it doesn’t like my mode of authentication.

    [w16-dc1]: PS C:\Users\Administrator.XXXX\Documents> Get-ADPrincipalGroupMembership tpemi
    The operation being requested was not performed because the user has not been authenticated
    + CategoryInfo : NotSpecified: (tpemi:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership

    9. Other AD cmdlets work without issue.

    [w16-dc1]: PS C:\Users\Administrator.XXXXX\Documents> get-aduser tpemi
    
    DistinguishedName : CN=tpemi,OU=EMI,OU=Hosted,DC=XXXX,DC=local
    Enabled : True
    GivenName : tpemi
    Name : tpemi
    ObjectClass : user
    ObjectGUID : db584e87-f1f2-4c5c-bce8-ce3bfa20ecba
    SamAccountName : tpemi
    SID : S-1-5-21-1752468135-3490779455-4126847218-13041
    Surname :
    UserPrincipalName :

    So not sure where to go from here.   End game is for our technicians to generate lists without having to remote to resources within the hosted network that is on the same subnet as our DC.
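    Added example, not the poster's script: the same HTTPS listener procedure as above with the checks that show whether each step took effect, plus a check, from inside the remote session, of which authentication mechanism was actually negotiated. SSL protects the transport but does not change how the user authenticates, which is the point the last step makes visible. Host names, share path and the firewall rule name are placeholders taken from or modelled on the thread.

```powershell
# Added example (not from the thread). Assumes an elevated prompt on the server and that C:\utility exists.

# --- on the domain controller (w16-dc1) ---
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
# Both the short name and the FQDN go into the cert, so -ComputerName w16-dc1 and the FQDN both pass the name check.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $fqdn, $env:COMPUTERNAME

# New-Item refuses to create a second HTTPS listener; remove a stale one first.
Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Remove-Item -Recurse
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (TCP 5986)' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
Export-Certificate -Cert $cert -FilePath C:\utility\w16-dc1.cer | Out-Null

# Verify: the HTTPS listener exists and is bound to the thumbprint just created.
Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" } |
    Where-Object Name -in 'CertificateThumbprint', 'Hostname', 'Port'

# --- on the office workstation ---
Import-Certificate -FilePath '\\w12-tp\TPModules$\Cert\w16-dc1.cer' -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Test-WSMan -ComputerName w16-dc1 -UseSSL      # fails here if the hosts entry, port 5986 or the trust of the cert is wrong

$s = New-PSSession -ComputerName w16-dc1 -UseSSL -Credential (Get-Credential 'XXXX\administrator')
# What did the remote side actually get? "Kerberos" or "NTLM" is reported here.
Invoke-Command -Session $s { [System.Security.Principal.WindowsIdentity]::GetCurrent().AuthenticationType }
Remove-PSSession $s
```

    If the last line prints NTLM even though the session was opened by name, the client could not obtain a Kerberos ticket for the DC, which is what happens when the workstation's domain has no trust with the DC's domain: a hosts-file entry makes the name resolve but does not make Kerberos possible.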

     

    in reply to: INvoke-Command Get-ADPrincipalGroupMembership #210321

    Like to amend what I said. It is not Kerberos that is the problem, it is the fact that NTLM is used instead of Kerberos when you authenticate using an IP address.

    “The ComputerName parameters of the New-PSSession, Enter-PSSession and Invoke-Command cmdlets accept an IP address as a valid value. However, because Kerberos authentication does not support IP addresses, NTLM authentication is used by default whenever you specify an IP address.”

    in reply to: INvoke-Command Get-ADPrincipalGroupMembership #210306

    No double hop.   As illustrated here, I have a direct session from one server to the domain controller.   Same command with one session authenticating via IP address and the other using hostname.

    The issue appears to be what Olaf indicated. Using Kerberos authentication along with an IP address doesn’t work specifically for this command. Other cmdlets work fine using the IP address, but not this one.

    [w16-dc2]: PS C:\Users\brian.clanton\Documents> Get-ADPrincipalGroupMembership tpemi | Select-Object Name
    
    Name
    ----
    Domain Users
    Group-EMI-AllUsers
    Group-EMI-Administration
    Group-EMI-Accounting
    Group-EMI-HR
    Group-EMI_BizHubColor
    Group-EMI-CloudUsers
    EMI-FaxNotifications
    Group-AcmeAccess
    Group-EMI-Management
    Group-HAR-Drive
    Group-UCI-Drive
    Group-EMI-AccountingSub
    
    [10.221.21.3]: PS C:\Users\brian.clanton\Documents> Get-ADPrincipalGroupMembership tpemi | Select-Object Name
    The operation being requested was not performed because the user has not been authenticated
    + CategoryInfo : NotSpecified: (tpemi:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
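    Added example for this thread, not the poster's code: a way to get the same list of group names without calling Get-ADPrincipalGroupMembership at all, built on Get-ADUser, which the thread shows working in the very sessions where Get-ADPrincipalGroupMembership fails. It reads memberOf (direct memberships) and resolves the primary group separately, because memberOf never lists it. The DC name, user and credential are the placeholders from the thread.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module on the host that runs the function.
function Get-UserGroupNames {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server
    )
    Import-Module ActiveDirectory
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $user = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID @common

    # Primary group (normally Domain Users): its SID is the domain SID plus the primaryGroupID RID.
    $primarySid = "$($user.SID.AccountDomainSid.Value)-$($user.primaryGroupID)"
    $names = [System.Collections.Generic.List[string]]::new()
    $names.Add((Get-ADGroup -Identity $primarySid @common).Name)

    # memberOf holds DNs; resolve each to its Name rather than parsing the DN string.
    foreach ($dn in $user.memberOf) {
        $names.Add((Get-ADGroup -Identity $dn @common).Name)
    }
    $names | Sort-Object -Unique
}

# On the DC itself:
#   Get-UserGroupNames -Identity tpemi
# From a technician's machine: ship the function body as the script block; -ArgumentList binds to $Identity.
# Target the DC by name rather than IP so Kerberos is attempted first; if only NTLM is available, the
# function still works because it relies on Get-ADUser and Get-ADGroup only.
$cred = Get-Credential 'XXXX\brian.clanton'
Invoke-Command -ComputerName w16-dc1 -Credential $cred -ScriptBlock ${function:Get-UserGroupNames} -ArgumentList 'tpemi'
```

    memberOf lists only direct memberships from the DC's own domain plus universal groups; nested membership is not expanded, so this matches Get-ADPrincipalGroupMembership for the direct list but not a recursive query. For an "all groups including nested" view, the tokenGroups attribute is the usual source, but that is a different question from the one in this thread.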
    
     
    
     
    in reply to: Try Catch on Changing AD Password #207516

    Yes, that seemed to work.  Wish I knew the ‘why’ of it.

    S H:\> Set-TPADpassword tptest3
    Provide New Password: ****
    Confirm Password: ****
    Some Shit happened with the password.
    The password does not meet the length, complexity, or history requirement of the domain.
    PS H:\>
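    Added example, not the poster's Set-TPADpassword: a prompt-and-confirm reset where the policy rejection shown above is caught. Like most ActiveDirectory cmdlet failures, the "does not meet the length, complexity, or history requirement" error from Set-ADAccountPassword is non-terminating, and a try/catch only sees terminating errors, so `-ErrorAction Stop` is what makes the catch block run at all. The function name and messages are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and rights to reset the target account.
function Set-TPADPassword {
    param([Parameter(Mandatory)][string]$Identity)
    Import-Module ActiveDirectory

    $new     = Read-Host -Prompt 'Provide New Password' -AsSecureString
    $confirm = Read-Host -Prompt 'Confirm Password'     -AsSecureString

    # Compare the two entries case-sensitively; NetworkCredential unwraps the SecureStrings for the comparison.
    $match = ([System.Net.NetworkCredential]::new('', $new).Password -ceq
              [System.Net.NetworkCredential]::new('', $confirm).Password)
    if (-not $match) {
        Write-Warning 'Passwords do not match; nothing changed.'
        return
    }

    try {
        # Without -ErrorAction Stop the policy error is written to the error stream and the catch never fires.
        Set-ADAccountPassword -Identity $Identity -NewPassword $new -Reset -ErrorAction Stop
        Write-Host "Password reset for $Identity."
    }
    catch {
        # ADPasswordComplexityException is the policy rejection; an unknown identity or access denied lands
        # here too, so the exception type is shown alongside the message.
        Write-Warning "Password reset for $Identity failed ($($_.Exception.GetType().Name)): $($_.Exception.Message)"
    }
}
```

    The same rule applies to any AD cmdlet wrapped in try/catch: either pass `-ErrorAction Stop` on the call or set `$ErrorActionPreference = 'Stop'` at the top of the function, otherwise the cmdlet reports the problem and the script carries on as if it had succeeded.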