New PS user here. ? about AD interaction


New PS user here (Learn Windows PS3 in a month of lunches in the mail!) and still pretty new to windows business solutions. I am new to a growing company. I work directly under the IT manager/integrator for the east coast, of a west coast based company. He has rights within the organizations Active Directory for specific locations (certain OUs or organizational units). We have been tinkering with his PC in PS3 and when we try a very basic command - get-wmiObject -class win32_bios -computerName XXX, XXX, XXX we receive a error message -> (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). We are running as admin and he should have the right to access the specified computers. Any suggestions?

Also, a concern of his is corporate seeing us performing ADComputer -flter * operations. If we control certain OUs, would the filter * only “grab” information from the respective OUs we have permission to access, or would the cmdlets in fact try to interact with the greater hierarchy of AD that we dont have rights to? Make sense?

I am a young enthusiast and I am very eager to learn. Thanks for the help and sorry for being a noob!

By default, you must be in the local Administrators group on a machine in order to query it remotely.

-Filter does not control the OU queried. -SearchBase does that. And “-Filter *” is indeed something to watch for, as if the domain has a large number of objects it can be incredibly impactful on domain controller performance. By default, it will attempt to query from the root of the domain. You should look at the other parameters to see ways of limiting the command’s scope.

Thanks for the info, Don. My Boss found a .vbs that will give us some basic computer info - current user logged in, computer name, and teamviewer id. He suggested remoting in via powershell, but to my knowledge we have to enable-psremoting on each machine to do so (or at least with the script he has). Until i am ready to go to each machine and turn it on, is there an alternative? I don’t think i am quite ready to run a command that captures all machines at the same time in one fell swoop.

Yes, you need to enable Remoting. No, you don’t have to go to each machine - it can also be enabled via Group Policy. See, “Secrets of PowerShell Remoting.” Otherwise, I suppose a logon script would be the only alternative. But I don’t know that I’d invest any effort in a VBScript - I mean, you’re talking a technology that’s already eight years out of date. Cut the cord. Microsoft is increasingly relying on WinRM (Remoting) being enabled, so you might as well climb that mountain and get it done.