Forum Replies Created
- Hosted OU
Need to capture all of these users and their attributes and list the OU that each is attributed along with other attributes.
Name       OU
User1_1    Company1_OU
User2_1    Company1_OU
User3_1    Company1_OU
User1_2    Company2_OU
User2_2    Company2_OU
User3_2    Company2_OU
User1_2A   Company2A_OU
User2_2A   Company2A_OU
User3_2A   Company2A_OU
User1_3    Company3_OU
User2_3    Company3_OU
User3_3    Company3_OU
My original command was to first capture all of the OUs within the Hosted OU, recursively, to capture the sub-OUs (for example Company_2A).
My original command was to declare my ‘Hosted’ OU and then the Subtree parameter to recursively grab the sub-OUs; however, the root OU appears in the list.
$OUs = Get-ADOrganizationalUnit -Filter * -SearchBase 'OU=Hosted,DC=XXXX,DC=local' -SearchScope Subtree
There are one or two OUs that might go 2, maybe 3 deep.
It would be helpful if I had the OU the user was a part of. Preferably just the ‘Name’ property and not the full ‘DistinguishedName’ property.
Basically, the report should have:

Name        SamAccountName   OU
Jon Smith   jsmith           Company 1
Jon Doe     jdoe             Company 2
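One way to build that report in a single subtree query, added here as an example and not code from the thread: the OU column is taken from each user's DistinguishedName, so the root OU never appears as its own row and nested OUs (Company2A_OU under Company2_OU) resolve to the OU that directly holds the user. It assumes the RSAT ActiveDirectory module and the placeholder search base 'OU=Hosted,DC=XXXX,DC=local' from the post.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and the placeholder search base from the post.
Import-Module ActiveDirectory

function Get-HostedUserReport {
    param(
        [string] $SearchBase = 'OU=Hosted,DC=XXXX,DC=local'   # placeholder DN from the post
    )

    # Split a DN on commas that are not escaped; a CN such as "Smith\, Jon"
    # contains a literal comma that must not be treated as a separator.
    $rdnSplit = '(?<!\\),'

    # One query over the whole subtree. The OU is derived from each user's DN
    # instead of looping over Get-ADOrganizationalUnit, so the root 'Hosted'
    # OU is only reported for users that sit directly inside it.
    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree |
        ForEach-Object {
            $rdns = $_.DistinguishedName -split $rdnSplit
            # $rdns[0] is the user's own CN; $rdns[1] is the container holding it.
            $ouName = $rdns[1] -replace '^OU=', '' -replace '\\,', ','
            [pscustomobject]@{
                Name           = $_.Name
                SamAccountName = $_.SamAccountName
                OU             = $ouName
            }
        }
}

# Usage (hypothetical output path):
# Get-HostedUserReport | Sort-Object OU, Name | Format-Table -AutoSize
# Get-HostedUserReport | Export-Csv C:\reports\hosted-users.csv -NoTypeInformation
```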
It is just a shortcut that runs the following command.
I could do this as a scheduled task, but there are probably a total of 120 terminal servers. I would have to create the task on all of them, and then updates/edits would have to be done on EACH. Ideally I would want a centrally managed solution.
This is a good idea, but there is a subset of clinics that do not have email for their staff.
- This reply was modified 3 months, 2 weeks ago by Brian Clanton.
The problem is that users are not seeing it and it results in a deluge of calls that their password has expired. We apparently need something more in their field of view.
I am not married to the idea of a service. I took that idea from Nagios, and it would seem that deployment and activation of a service might be easier than installing and configuring a scheduled task on a large number of machines.
We are talking about maybe 500 clients spread out through the US and the number of machines per client ranges from 2 to 50. So installing as a service would seem ideal to me, but I am open to other options.
The ‘data’ would just be basic computer specs (hostname, CPU, memory, HD (make and model), BIOS, etc.).
- This reply was modified 3 months, 3 weeks ago by Brian Clanton.
We actually have 4 DCs, two of which are Win2008 that we are eventually going to decommission. Just to test, I remotely connected to the Win2008 box. It did not recognize ANY AD cmdlets, so I imported the AD module and then I was able to run my command connected to the server via IP address.
Not sure what that tells me about this server.
PS C:\Users\administrator.TP> Enter-PSSession -ComputerName 10.221.21.5 -Credential XXXXX\brian.clanton
[10.221.21.5]: PS C:\Users\brian.clanton\Documents> get-adprincipalgroupmembership tpemi
The term 'get-adprincipalgroupmembership' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          :
    + FullyQualifiedErrorId : CommandNotFoundException
[10.221.21.5]: PS C:\Users\brian.clanton\Documents> Import-Module activedirectory
[10.221.21.5]: PS C:\Users\brian.clanton\Documents> get-adprincipalgroupmembership tpemi | select name

name
----
Domain Users
Group-EMI-AllUsers
Group-EMI-Administration
Group-EMI-Accounting
Group-EMI-HR
Group-EMI_BizHubColor
Group-EMI-CloudUsers
EMI-FaxNotifications
Group-AcmeAccess
Group-EMI-Management
Group-HAR-Drive
Group-UCI-Drive
Group-EMI-AccountingSub

[10.221.21.5]: PS C:\Users\brian.clanton\Documents>
I checked Active directory and both of the servers I tested were marked as ‘Global Catalog’.
- Went into the AD ‘Domain Controllers’ container
- Right-clicked EACH domain controller I tested and then went to ‘NTDS Settings’
- Both had the ‘Global Catalog’ radio checked.
I ran it with the ‘server’ parameter from a server on our network. Same issue.
PS C:\Users\administrator.TP> Get-ADPrincipalGroupMembership tpemi -server 10.221.21.3 -Credential XXXXX\administrator
Get-ADPrincipalGroupMembership : The operation being requested was not performed because the user has not been authenticated
At line:1 char:1
+ Get-ADPrincipalGroupMembership tpemi -server 10.221.21.3 -Credential xxxxx\adm ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (tpemi:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
Even after generating an SSL cert for the domain controller and then trying to run ‘Get-ADPrincipalGroupMembership’ on the server while authenticated via SSL, I am still having the same issue. My objective is to be able to use Invoke-command from a domain that has a VPN to our datacenter domain controller to run Get commands, namely ‘Get-ADPrincipalGroupMembership’.
I am referencing the steps outlined here:
1. I generated an SSL cert on the domain controller.
2. From the domain controller (w16-dc1), I exported the cert to a file and then copied the file to a share that is accessible to my workstation (at the office, on another domain than the server). I also set the HTTPS listener, adding the cert thumbprint.
$Cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "w16-dc1"
Export-Certificate -Cert $Cert -FilePath C:\utility\w16-DC1cert
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
New-PSDrive -Name "X" -PSProvider "FileSystem" -Root "\\CFS06\XXXX$\TPModules\Cert"
Copy-Item C:\Utility\w16-DC1cert X:
3. I verified that the cert was located on the domain controller within MMC (Certificates [Local Computer] – Personal – Certificates).
4. I also verified all firewall settings on the Server.
5. From my machine at the office (VPN to the domain controller), I added w16-dc1 to my hosts file, mapped to the internal IP address of the domain controller. I did this since my workstation cannot resolve w16-dc1 due to it being in another domain.
6. I then imported the cert file on my local workstation.
Import-Certificate -Filepath "\\w12-tp\TPModules$\Cert\w16-DC1cert" -CertStoreLocation "Cert:\LocalMachine\Root"
7. I then initiated a remote session to the domain controller via hostname.
Enter-PSSession -ComputerName w16-dc1 -UseSSL -Credential (Get-Credential XXXX\administrator)
8. I was able to successfully enter an interactive session; however, the problem with the Get-ADPrincipalGroupMembership cmdlet still exists, where it doesn’t like my mode of authentication.
[w16-dc1]: PS C:\Users\Administrator.XXXX\Documents> Get-ADPrincipalGroupMembership tpemi
The operation being requested was not performed because the user has not been authenticated
    + CategoryInfo          : NotSpecified: (tpemi:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
9. Other AD cmdlets work without issue.
[w16-dc1]: PS C:\Users\Administrator.XXXXX\Documents> get-aduser tpemi

DistinguishedName : CN=tpemi,OU=EMI,OU=Hosted,DC=XXXX,DC=local
Enabled           : True
GivenName         : tpemi
Name              : tpemi
ObjectClass       : user
ObjectGUID        : db584e87-f1f2-4c5c-bce8-ce3bfa20ecba
SamAccountName    : tpemi
SID               : S-1-5-21-1752468135-3490779455-4126847218-13041
Surname           :
UserPrincipalName :
So not sure where to go from here. End game is for our technicians to generate lists without having to remote to resources within the hosted network that is on the same subnet as our DC.
I’d like to amend what I said. It is not Kerberos that is the problem; it is the fact that NTLM is used instead of Kerberos when you authenticate using an IP address.
“The ComputerName parameters of the New-PSSession, Enter-PSSession and Invoke-Command cmdlets accept an IP address as a valid value. However, because Kerberos authentication does not support IP addresses, NTLM authentication is used by default whenever you specify an IP address.”
No double hop. As illustrated here, I have a direct session from one server to the domain controller. Same command with one session authenticating via IP address and the other using hostname.
The issue appears to be what Olaf indicated. Using Kerberos authentication along with an IP address doesn’t work specifically for this command. Other cmdlets work fine using the IP address, but not this one.
[w16-dc2]: PS C:\Users\brian.clanton\Documents> Get-ADPrincipalGroupMembership tpemi | Select-Object Name

Name
----
Domain Users
Group-EMI-AllUsers
Group-EMI-Administration
Group-EMI-Accounting
Group-EMI-HR
Group-EMI_BizHubColor
Group-EMI-CloudUsers
EMI-FaxNotifications
Group-AcmeAccess
Group-EMI-Management
Group-HAR-Drive
Group-UCI-Drive
Group-EMI-AccountingSub

[10.221.21.3]: PS C:\Users\brian.clanton\Documents> Get-ADPrincipalGroupMembership tpemi | Select-Object Name
The operation being requested was not performed because the user has not been authenticated
    + CategoryInfo          : NotSpecified: (tpemi:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
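The two replies above (the about_Remote_Troubleshooting quote and the side-by-side hostname vs. IP sessions) point to the same fix: connect by a name Kerberos can build a service ticket for, and refuse the silent NTLM downgrade. The following is an added example, not code from the thread or from Microsoft; it assumes the DC has a reverse DNS record (the thread's workstation needed a hosts-file entry instead, in which case pass the hostname directly) and that the RSAT ActiveDirectory module is installed on the DC.

```powershell
# Added example, not from the thread. Assumes the remote DC is reachable by a
# DNS-resolvable hostname (w16-dc1 in the thread) with the ActiveDirectory module installed.
function Get-RemoteGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # DC hostname or IP address
        [Parameter(Mandatory)] [string] $Identity,       # e.g. 'tpemi'
        [System.Management.Automation.PSCredential] $Credential
    )

    # Kerberos service tickets are issued for an SPN built from a host name, so an IP
    # address makes WinRM fall back to NTLM (the quoted about_Remote_Troubleshooting text).
    # If an IP was supplied, resolve it to its registered host name first.
    $target = $ComputerName
    if ($ComputerName -as [ipaddress]) {
        $target = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
        Write-Verbose "Resolved $ComputerName to $target so Kerberos can be used"
    }

    $params = @{
        ComputerName   = $target
        Authentication = 'Kerberos'   # error out instead of silently downgrading to NTLM
        ArgumentList   = $Identity
        ScriptBlock    = {
            param($user)
            Import-Module ActiveDirectory   # needed on the Win2008 DCs in the thread
            Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
        }
    }
    if ($Credential) { $params.Credential = $Credential }

    Invoke-Command @params
}

# Usage (IP from the thread; the function resolves it to a name before connecting):
# Get-RemoteGroupMembership -ComputerName 10.221.21.3 -Identity tpemi -Credential (Get-Credential) -Verbose
```

With `-Authentication Kerberos` the call fails at connection time when only NTLM is possible, which is easier to diagnose than the ADException the thread shows after the session is already open.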
Yes, that seemed to work. Wish I knew the ‘why’ of it.
PS H:\> Set-TPADpassword tptest3
Provide New Password: ****
Confirm Password: ****
Some Shit happened with the password. The password does not meet the length, complexity, or history requirement of the domain.
PS H:\>