Constrained Delegation For Remote Powershell Sessions

Similar Messages

• Running a command in a remote Powershell session

  Hi,
  I have used the Enter-PSSession to get a remote session on a domain controller... all is ok with that.
  when i run the following command it fails, however if i run this locally on the domain controller it succeeds. this command is correct, it just fails with the remote powershell session
  dsacls.exe "OU=MYTestOU,OU=Servers,DC=MyDomain,DC=Local" /G "mydomain\MyComputer$":GRGWCC
  I have tried placing c:\windows\system32 before the exe, and i have also tried cmd /c dsacls.exe .........
  i cant figure out why this doesnt work, can anyone help?
  thanks
  Steve

  strange, if i run the command for a user account instead of a computer account and remove the "" around it, it works.
  dsacls.exe "OU=MYTestOU,OU=Servers,DC=MyDomain,DC=Local" /G mydomain\steve:GRGWCC
  it must be that $ sign that is causing the problems....?

• [Exchange 2013/Online][PS] How to retrieve existing remote PowerShell sessions

  I'm trying to figure out how to retrieve all existing remote PowerShell sessions (user-managed) between a client and an Exchange 2013 server.
  Running Get-PSSession only returns remote sessions created within the current PowerShell session (system-managed). I need to do this from within a
  different PowerShell session, possibly even from a different computer from where those remote sessions were established.
  Documentation for Get-PSSession states that this should be possible starting with PS 3.0 since user-managed sessions are now stored locally on the remote server (in my case, the Exchange 2013 server) and can later be retrieved from any system-managed session
  by using Get-PSSession with either the ComputerName or ConnectionUri parameter sets.
  Here's how those remote sessions are created:
  PS $> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<exchange_server>/powershell/ -Credential $credential -Authentication Basic -AllowRedirection
  PS $> Import-PSSession $Session
  And how I try to retrieve those session afterward:
  PS $> Get-PSSession -ComputerName <exchange_server> -ApplicationName powershell -Authentication Basic -Credential $credential -UseSSL -Port 443
  PS $> Get-PSSession -ConnectionUri https://<exchange_server>/powershell/ -AllowRedirection -Authentication Basic -Credential $credential
  Both methods yield no results (nor errors), while running Get-PSSession (without any parameters) within the same user-managed session would successfully return the session. 
  The only explanation I could think of right now is that somehow, WinRM on the Exchange server is not running PS 3.0 even though:
  $PSVersionTable.PSVersion returns 3 0 -1 -1
  winrm id returns ProductVersion = OS: 6.2.9200 SP: 0.0
  Stack: 3.0
  But when I attempt to disconnect a remote session with this Exchange server using Disconnect-PSSession, I get the
  following error message: 
  Disconnect-PSSession : Disconnect-PSSession operation failed for runspace Id = XXXXX
  for the following reason: The disconnection operation is not supported on the remote computer. To support
  disconnecting, the remote computer must be running Windows PowerShell 3.0 or a later version of Windows PowerShell.
  So I guess I have a couple questions:
  Are remote PSSession even supposed to be maintained on
  an Exchange 2013 server? 
  If so, is it possible to retrieve them from a different session using GET-PSSession?
  Which version of PS 3.0 is used by WinRM on an Exchange 2013 server?
  thanks

  Thanks for your help. 
  1. I know that remote PS sessions are supported, I have no issue connecting to the Exchange server. The issue is with
  reconnecting to an existing PS session.
  2. As mentioned in my original post, PS & WinRM 3.0 are installed on the client:
  $PSVersionTable.PSVersion returns 3
  0 -1 -1
  winrm
  id returns ProductVersion = OS: 6.2.9200 SP: 0.0 Stack:
  3.0

• Inconsistent behavior of "where" filter command in remote powershell session

  I've got a simple powershell script I've written to do a gpo backup (backup-gpo) to a remote file share, and then I launch a remote powershell session with "invoke-command" where I zip up the results of the gpo backup, then delete the gpo
  backups once the files are safely zipped.
  What I'm seeing, and I've never seen before, is very inconsistent results in the file filtering statements.  I use the following line twice in my code to find the files written by the GPO backup:
   Get-ChildItem -Force | ? {($_.lastwritetime.date -eq (Get-Date).date) -and ($_.name -notlike "*.zip")}
  The first time it finds the files to zip, the second time it finds the files to delete.  It's a copy/paste, so it's the exact same code.
  The weirdness that happens is some nights, it works fine, and both filters match what they should.  The GPO backup results are found, zipped, and then deleted.  Other nights, the first filter will match all old *.zip files (the exact
  opposite of the filter), and zip them up - then the "delete" filter, which is the exact same code, will match correctly and delete the GPO backup results that should have been zipped but weren't.
  Last night the first filter matched correctly, and then the second filter matched the date portion of the filter, ignored the *.zip portion, and deleted everything in the target folder from that day. 
  Anyone seen anything like this?

  Hi Nbhms,
  Any updates about this issue?
  If you need further help, please feel free to reply this post directly
  so we will be notified to follow it up.
  If you have any feedback on our support, please click here.
  Best Regards,
  Anna
  TechNet Community Support

• Constrained Delegation for MBAM Web User with 2003 Domain Level?

  Hi,
  i installed MBAM 2.5 in our environment and now stopped at the point where i should configure constrained delegation for the mbam web application pool account. I cannot find the delegation Tab in the user properties within Active Directory. Our domain is
  (unfortunately) still running Windows Server 2003 Domain Level. Is it maybe related to this? Within my test environment (Domain Level 2012 R2) it is working fine.
  Is there any other chance to configure constrained delegation in my situation?
  Thanks
  Stefan

  I found an older MSDN blog post that may help in this situation. It states that the delegation tab does not show up until there is at least one value set in the servicePrincipaName attribute.
  Delegation tab in ADUC not available until a SPN is set
  Hope this helps,
  David
  MDOP on the Springboard Series on TechNet

• SharePoint Remote Powershell Session - Can't find the local farm

  Hi,
  I've been trying to configure a remote PS session to connect to a SharePoint Farm to create site objects.  I can get connected and load the SharePoint PS snap in successfully but when I try commands like Get-SPWeb all I get is an error "Cannot
  access the local farm".
  If I launch PS on the SharePoint server and add the snap in I can use the CMDLETs fine.  I've ensured PS remoting is enabled and granted access so that the client computer is authorised to connect to the SharePoint server.
  Here is the connection code I've used:
  $RunAsAccount = "domain\user"
  $RunAsPass = "password"
  $pass = $RunAsPass | ConvertTo-SecureString -AsPlainText -Force
  $credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $RunAsAccount, $pass
  enter-pssession -computername spserver.domain.local -credential $credentials
  Add-PSSnapin Microsoft.SharePoint.Powershell
  The connection user is a local administrator on the sharepoint server and is a dbowner of the sharepoint config and content databases (for testing) and also has shell access on the sharepoint config DB.
  Any ideas?
  Thanks,
  Tim

  Remoting isn't quite that nice.
  I believe you need to use an invoke-command to run the snapin on the destination server, or import the commandlets locally to slightly different names.
  To borrow the important section for your needs first you'd need to put the session into a variable for later use, then use the invoke-command cmdlet
  "$session = New-PSSession -computername "SPServer" -Authentication CredSSP -Credential $crd
  Start Remoting on you Client Computer
  Now your client computer is ready to actually create the session and import the SharePoint commands from the Server.
  The next command adds the SharePoint PowerShell commands to your session.
  Invoke-Command -Session $session -ScriptBlock{Add-PsSnapin Microsoft.SharePoint.PowerShell}
  Note, that at this point, you can run whatever administrative PowerShell commands you need to run by using the Invoke-Command -Session $session -ScriptBlock{} syntax."
  http://blogs.msdn.com/b/varun_malhotra/archive/2010/06/10/configure-power-shell-for-remote-use-of-sp-2010.aspx

• Powershell generic session and import this session in Exchange remote management session c#

  The situation :
  I am trying to make an application (c#-asp.net) to manipulate user's on an exchange server. The application will be on a different server than the exchange's one. So, to manipulate the data, I am using an "Exchange remote management session" created
  with c#. Exchange remote management session give access to simple powershell command like "New-Mailbox" and "Set-User" - This is good for simple task, but in my case, I have to do more complexe operations that will need some specific command
  that is not included in the default command. To access this command, I have to use some specific module like "ActiveDirectory". It is simple ? Only use "Import-Module" ! Not really, like I said, the "Exchange remote management session"
  is very limited with the command, and "Import-Module" is not allowed...
  So what we can do ?
  I read a lot about my problem, and the most "simple" (That I understand the theory) solution is something like :
  Start with a generic PS session, import the AD module, then connect to an Exchange management session and do an Import-PSSession and use implicit remoting for the
  Exchange management stuff.
  Given that I am pretty new to manipulate the Powershell with c#, I have no idea how to use this awesome solution in my code. So I am asking your help.
  Here's my current code :
  // Prepare the credentials.
  string runasUsername = @"MarioKart 8";
  string runasPassword = "MarioKart";
  SecureString ssRunasPassword = new SecureString();
  foreach (char x in runasPassword)
  ssRunasPassword.AppendChar(x);
  PSCredential credentials =
  new PSCredential(runasUsername, ssRunasPassword);
  // Prepare the connection
  var connInfo = new WSManConnectionInfo(
  new Uri("MarioKart8Server"),
  "http://schemas.microsoft.com/powershell/Microsoft.Exchange",
  credentials);
  connInfo.AuthenticationMechanism =
  AuthenticationMechanism.Basic;
  connInfo.SkipCACheck = true;
  connInfo.SkipCNCheck = true;
  // Create the runspace where the command will be executed
  var runspace = RunspaceFactory.CreateRunspace(connInfo);
  // create the PowerShell command
  var command = new Command("New-Mailbox");
  // Add the command to the runspace's pipeline
  runspace.Open();
  var pipeline = runspace.CreatePipeline();
  pipeline.Commands.Add(command);
  // Execute the command
  var results = pipeline.Invoke();
  if (results.Count > 0)
  System.Diagnostics.Debug.WriteLine("SUCCESS");
  else
  System.Diagnostics.Debug.WriteLine("FAIL");
  This code work great for simple task (like "New-Mailbox") ! But how can I create a "generic PS session" and then use this session in the "Exchange remote management session" ?

  Hi Vincent,
  Generally we can use the cmdlet "import-module" to import the AD module on DC (Domain Controller), and we can also create a exchange remote powershell session with the cmdlet new-pssession, for more detailed information to create exchange remote session,
  please refer to this article:
  Managing Exchange 2010 with Remote PowerShell
  In addition, to invoke powershell cmdlet in C#, please also try to save all the cmdlets to a powershell script (.ps1 file), then we can add the powershell script to C# like:
  Pipeline pipeline = runspace.CreatePipeline();
  pipeline.Commands.AddScript(scriptText);
  If I have any misunderstanding, please let me know.
  Best Regards,
  Anna Wang

• Loadbalancing powershell session to Exchange Server 2013

  Hi all!
  I try to configure remote powershell session to Exchange server through hardware load balancer. For create session i use command like this:
  $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<load balancer virtual ip>/PowerShell/ -Authentication Kerberos
  And i receive error, because not exist SPN record for load
  balancer virtual ip.
  That username and service i should use for create SPN-record?
  And also i try connect via
  $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<load balancer virtual ip>/PowerShell/ -Authentication Negotiate
  and i receive HTTP 400 Bad request. I ask google about it, but not found something usefull. Have someone any ideas?

  Hi Cemeh,
  Thank you for your question.
  We could make sure the SPN has been registered by run “ADsiedit.msc” in the RUN, then we could connect to “Default naming context”, then we could check load balandce name properties if it has SPN. We could refer to the following link:
  https://msdn.microsoft.com/en-us/library/ms676922(v=vs.85).aspx
  Then if the issue persist, we could run the following command:
  $Session = New-PSSession -ConfigurationName Microsoft.PowerShell -ConnectionUri http://<load balancer virtual ip>/PowerShell -Authentication Kerberos
  There are some links we could refer to by the following link:
  Service Principal Names
  http://msdn.microsoft.com/en-us/library/ms677949(VS.85).aspx
  Kerberos authentication and troubleshooting delegation issues
  http://support.microsoft.com/kb/907272
  If there are any questions regarding this issue, please be free to let me know. 
  Best Regard,
  Jim
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Jim Xu
  TechNet Community Support

• Hyper-V: Kerberos Constrained Delegation not working - unable to create VHD on SMB 3.0 share

  I have created a simple, three server Hyper-V environment with two Hyper-V servers and a file server.  The file server is providing shared storage over SMB.  I have configured Constrained Delegation as per the instructions found on a TechNet blog.
  However, I cannot create VMs from my Windows 8.1 workstation running the Windows 8.1 RSAT.  I get the following error:
  New-VM : Failed to create the virtual hard disk.
  The system failed to create '\\SERVER\VHDStore\Hyper-V\VH02\Virtual Hard Disks\Disk1.vhdx': General access denied error (0x80070005).
  You do not have permission to perform the operation. Contact your administrator if you believe you should have
  permission to perform this operation.
  + CategoryInfo : PermissionDenied: (Microsoft.Hyper...l.VMStorageTask:VMStorageTask) [New-VM], Virtualiza
  tionOperationFailedException
  + FullyQualifiedErrorId : AccessDenied,Microsoft.HyperV.PowerShell.Commands.NewVMCommand
  I have configured delegation on each of the Hyper-V servers to allow the service CIFS on the file server.  The permissions on the shared folder allow full control to both the Hyper-V servers and the end-user account.  I see not specific errors
  in the event logs on any of the servers involved.  
  Where else can I look too determine what is failing and why?
  Thanks.
  Ash

  Hi Ash,
  >> The permissions on the shared folder allow full control to both the Hyper-V servers and the end-user account.  I see not specific errors in the event logs on any of the servers involved.
  >> I cannot create VMs from my Windows 8.1 workstation running the Windows 8.1 RSAT.
  They are all joined domain right ?
  As you mentioned two hyper-v host computer name and the user which logging on to the Win8.1 have the full control on that shared folder , that user is still in hyper-v administrators/administrators group of hyper-v hosts.
  Please try to log on hyper-v host locally use that user account then try to create a file into the shared folder first .
  Also please refer to following link:
  http://blogs.technet.com/b/matthts/archive/2012/06/10/configuring-kerberos-constrained-delegation-for-hyper-v-management.aspx
  Any further information please feel free to let us know.
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Lync 2013 Remote Powershell

  Hi everyone,
  I have problem to run start-csclslogging through remote powershell. Here is the step that I have done
  First: install Lync debug tool (that includes snooper, ocslogger, etc..) and install Lync administrative tool (which includes Lync management powershell). I also copied the clsagent folder inside "C:\Program Files\Common Files\Microsoft Lync Server
  2013" from Lync Frontend server to my own laptop
  Next, I run this script to remotely connect to my frontend server:
  # get creds for remote environment
  $credential = get-credential "my username"
  # set session options to bypass the PKI checks - I trust the far side
  $sessionoption = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
  #create new session
  $session = New-PSSession -ConnectionUri https://myfrontendserver/ocspowershell -Credential  $credential -SessionOption $sessionOption
  # assuming the above line worked, import the cmdlets needed for Lync
  import-pssession $session
  Everything works fine, i can run several Lync commands remotely (e.g. provision user account). However when I started to run the troubleshooting command like start-csclslogging -screnario IMandPresence, I faced below error message
  Start-CsClsLogging : Cannot validate argument on parameter 'Scenario'. Method not found: 'Void Microsoft.Rtc.ClsCommon.Settings.Initialize(Boolean)'.
  At line:1 char:30
  + Start-CsClsLogging -Scenario IMandPresence
  +                              ~~~~~~~~~~~~~
      + CategoryInfo          : InvalidData: (:) [Start-CsClsLogging], Parameter BindingValidationException
      + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Rtc.Management.Cls.StartOcsLoggingCmdlet
  Your advise is much appreciated. Thank you

  Hi tdth,
  To better understand the issue, I would like to collect the following information for troubleshooting:
  1. Can you run the command on the Lync Server ?
  2. Do you have created any custom scenario ?
  3. Can you run the following command to capture the log?
  (Note: By default ClsController.exe is installed under "C:\Program Files\Common Files\Microsoft Lync Server 2013\ClsAgent". You need to start Lync Management Shell
  and access the location "C:\Program Files\Common Files\Microsoft Lync Server 2013\ClsAgent".)
  ClsController.exe -start -scenario IMAndPresence -Pools <Pool FQDN>
  Best regards,
  Eric
  1. Yes, I can run the command locally on FrontEnd server
  2. No. I know what problem you're talking about, but it's not because of Site-level scenario
  3. Same as question 1, if I run this command locally on Frontend server, it works. But I cannot run it from remote powershell session.

• Script to report constrained delegation

  Has anyone already created a script that reports constrained delegations for all user accounts in Active Directory?
  This topic first appeared in the Spiceworks Community

  Hello
  You can do something like this.
  ./quickcheck.sh PRIMARY
  You need an env file and then just call your sql ( quickaudit.sql) from the shell script. You can spool from the SQL and mail the spool file if you prefer.
  #!/bin/bash
  if [ "$1" ]
  then DBNAME=$1
  else
  echo "basename $0 : Syntax error : use . quickcheck <DBNAME> "
  exit 1
  fi
  # Set the Environmental variable for the instance
  . /u01/app/oracle/dba_tool/env/${DBNAME}.env
  $ORACLE_HOME/bin/sqlplus /nolog <<EOF
     connect / as sysdba
  @/u01/app/oracle/dba_tool/bin/quickaudit
  EOFThe env file needs an ORACLE_SID, path all the thing in your profile.
  Example from mine :
  ORACLE_BASE=/u01/app/oracle
  ULIMIT=unlimited
  ORACLE_SID=PRIMARY
  ORACLE_HOME=$ORACLE_BASE/product/11.2.0.2
  ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
  LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib
  LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
  LIBPATH=$LD_LIBRARY_PATH:/usr/lib
  TNS_ADMIN=$ORACLE_HOME/network/admin
  PATH=$ORACLE_HOME/bin:$ORACLE_BASE/dba_tool/bin:/bin:/usr/bin:/usr/ccs/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:/usr/lbin:/GNU/bin/make:/u01/app/oracle/dba_tool/bin:/home/oracle/utils/SCRIPTS:/usr/local/bin:.
  export TERM=vt100
  export ORACLE_BASE ORACLE_SID ORACLE_TERM ULIMIT
  export ORACLE_HOME
  export LIBPATH LD_LIBRARY_PATH ORA_NLS33
  export TNS_ADMIN
  export PATHBest Regards
  mseberg

• How can I Deny permissions to logon to Remote Desktop Session Host server in powershell script?

  I am need of some assistance please. I am a system admin and I am trying to create a script that will assist with the tedious tasks I have to do with disabling a user that no longer works for the company.
  I have created a script so far that will reset the users passwords and remove them from all groups (minus domain users).
  I am trying to make it where it will deny permissions to logon to Remote Desktop Session Host server as well as give full mailbox permission to the manager in Exchange Server 2010.
  I know with Exchange 2010, I will need to add the Powershell snapin. Is there a way for this to be added into the script? I am thinking to add the code:
  add-pssnapin Microsoft.exchange.management.powershell.e2010
  Is there another way to do this? Any help or recommendations would be much appreciated.
  $ou = Get-ADUser -SearchBase "<*OU info here*>" -Filter * |
  Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<*Password here*>" -Force)
  foreach ($user in $ou) {
  $UserDN = $user.DistinguishedName
  Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
  if ($_.name -ne "Domain Users") {remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }

  Why not just disable the account?Why are you searching an OU foro users when you just want to terminate one user?
  You can remotely connect an exchange session and manipulate the mailbox permissions.  You do not load a snap-in except on the Exchange server.
  $Session=New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2013 Client Access server>/PowerShell/
  Import-PSSession $Session
  # exchange commands here
  \_(ツ)_/
  We have a checklist we have to go through with the tasks listed. We have to keep to the account enabled until HR changes
  the status which is usually 30-90 days depending. Managers sometimes need to access the accounts to retrieve information, etc. We put the users in an OU; once we are given permission from the manager we move forward in the removal. 

• The grace period for the Remote Desktop Session Host server has expired

  <p>I'm running Windows Server 2012, we only have 1 server and it's a DC.  I'm trying to RD to the server from my Windows 7 laptop. It was working fine on Friday but when I came in on Monday I got message saying that 'The remote session was disconnnected
  because there are no Remote Desktop License Servers available to provide a license'
  So after a bit of digging I found out my 'grace period' had expired, so ordered a new license which I got today, installed this all ok but still i cannot connect via RD I get the same message....went into the RD License Diagnoser and it said the problem
  was as follows
  'The grace period for the Remote Desktop Session Host server has expired, but the RD Session Host server has not been configured with any license servers. Connections to the RD Session Host server will be denied unless a license server is configured for
  the RD Session Host server.'
  Suggested Resolution as follows
  Configure a license server for the Remote Desktop Session Host server. If you have an existing license server, specify that license server for the RD Session Host Server. Otherwise, install RD Licensing on a computer on your network and Configure RD Session
  Host Server to use it.'
  I cannot figure out how to do this as I cannot find the RD Session Host Server tool. 
  Can any of you lovely people help me please

  Hello,
  Best option would be to assign the license server by using AD GPO. Youl will need to configure the following:
  Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing
  and define the settings for:
  Use the specified Remote Desktop License Server
  Set the Remote Desktop Licensing mode
  Then assign the policy tho your server.
  regards Robert Maijen

• How to generate the trace files for remote db link session's?

  User are complaining, the db link queries are performing slowness..
  how to enable the sql trace session for db link's in remote database...
  Is there any way to enable sqltrace for the dblink session ?
  if not how to enable the sql trace for entire database level, rather than session based...

  An explain plan of the SQL being ran on the local database will review the SQL being passed to the remote db. You can then explain that SQL on the remote db.
  I have had to tune a few distribued queries so more than likely the explain plan alone will be enough to allow you to tune the query to improve performance. If not then you can go to the trouble of trying to set up dual traces.
  HTH -- Mark D Powell --

• Windows Server 2012 The licensing mode for the Remote Desktop Session Host server is not configured

  Hi
  I have a standard Windows Server 2012 that is hosted in the cloud by a hosting provider -
  This server has been up and running fir 6 months - recently we have been getting a warning
  "The licensing mode for the Remote Desktop Session Host server is not configured" - The Remote Desktop Session Host server is within its grace period, but the RD Session Host server has not been configured with any license server.
  Yet, we only use this with 2 connections as part of the standard licence agreement and this server is not used as a user's desktop only an ftp and web server- do therefore we do not need to purchase any cal licences (we have another server with the same
  hosting company that does not have this issue and has been up for 18months)
  Please can someone advise how I resolve this issue, the hosting company states that I must resolve it as they only host and resell the server licence
  Thank-you
  Richard Steele

  Hi Richard,
  You need to uninstall Remote desktop session host feature. After removing it, you will default two connections which does not need to purchase RD CALs'.
  Thanks,
  Umesh.S.K