PowerShell Web Access vs AD Cmdlet


First of all, I’m new to PowerShell and to this site.

I have a project to have PowerShell Web Access configured and be able to do a lot of my work with scripts when I’m out of the office.
So I configured a Windows 2012 R2 (Core) server, installed the PSWA and the RSAT-AD-PowerShell.

When I remote into my server, I can use the AD cmdlets, but not in the Web Access.
The Active Directory Web Services is installed on one of my DCs.

The error:

PS C:\Users\adminlevel3\Documents> Get-ADUser -Identity xxxx -Server DCFQDN
Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have
 the Active Directory Web Services running.
    + CategoryInfo          : ResourceUnavailable: (xxxx:ADUser) [Get-ADUser], ADServerDownException 
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser 

If you have ideas, please help!
Thanks!

Step away from PowerShell Web Access (PSWA) for a moment. Come back to it (and create your authorization rule(s)) when everything below is working.

As you’ve witnessed, if you connect to a remote Domain Controller using PowerShell Remoting, you can run cmdlets in the ActiveDirectory module without any problem. As well, you’ve also seen the problem with PS Remoting to a member server with the AD tools installed, and that you can’t run the cmdlets. There are two ways to get around this: one, CredSSP, and two, a PowerShell constrained endpoint. I’m not going to focus on CredSSP since it has security problems, and since we can get around this problem by creating an endpoint.

On the member server (that has your AD tools), you need to create an endpoint. Start by running New-PSSessionConfigurationFile with the -Path parameter and a valid path, such as New-PSSessionConfigurationFile -Path C:\PSendpoints\ADendpoint.pssc. There are plenty of other parameters, but this will get your session configuration file created (note that the terms endpoint and session configuration are basically interchangeable). Now, use the Register-PSSessionConfiguration cmdlet with the -Name parameter (give your endpoint a name), the -Path parameter (the path to your .pssc file), and the -RunAsCredential parameter (domain\username and it’ll prompt you for your password). This can be any AD account for Get-* cmdlets, but will need to be an elevated account if you plan to change group memberships, change accounts, etc. To remove an endpoint, use Unregister-PSSessionConfiguration -Name NameOfEndpoint.

Now you can connect to the new session configuration from your workstation: Enter-PSSession -ComputerName NameOfMemberServer -ConfigurationName NameOfEndpoint. If you’ve done everything right, and I haven’t missed a step, you should be able to use those cmdlets without any problems. I’ve been able to at least.

Once this endpoint is done, you can return to your PSWA server and create a new authorization rule. Be sure to include the name of your endpoint as the value for the -ConfigurationName parameter, and when you use PSWA, to click ‘Optional connection settings’ and enter your endpoint name where it says Configuration name. Good luck and let me know if you have any follow-up questions. It can be overwhelming since you’re new to PowerShell!
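
The procedure from the answer above, written out as one script. This is an added example and not part of the original posts. It also restricts the endpoint to read-only AD cmdlets and to one security group, because everything typed into the endpoint runs as the run-as account. MEMBER01, ADendpoint and CONTOSO\PSWA-ADReaders are hypothetical names.

```powershell
# Added example, not from the thread. Hypothetical names: MEMBER01, ADendpoint,
# CONTOSO\PSWA-ADReaders. Steps 1-3 run elevated on the member server that has
# RSAT-AD-PowerShell installed.
$EndpointName = 'ADendpoint'
$PsscPath     = 'C:\PSendpoints\ADendpoint.pssc'   # path used in the answer above
$AllowedGroup = 'CONTOSO\PSWA-ADReaders'           # users allowed to connect
$MemberServer = 'MEMBER01'

# 1. Session configuration file: start from the restricted baseline and expose
#    only the read-only AD cmdlets the endpoint is meant to offer.
New-Item -ItemType Directory -Path (Split-Path $PsscPath) -Force | Out-Null
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport ActiveDirectory `
    -VisibleCmdlets 'Get-ADUser', 'Get-ADGroup', 'Get-ADGroupMember', 'Get-ADComputer'
Test-PSSessionConfigurationFile -Path $PsscPath    # True when the file is valid

# 2. Access control: local Administrators plus the one group, nobody else.
$sid  = (New-Object System.Security.Principal.NTAccount($AllowedGroup)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)"

# 3. Register the endpoint. The run-as account makes the call to the DC from
#    this server, which is what avoids the second hop. For Get-* cmdlets an
#    ordinary (non-elevated) AD account is enough. -Force restarts WinRM.
Register-PSSessionConfiguration -Name $EndpointName -Path $PsscPath `
    -RunAsCredential (Get-Credential -Message 'Run-as account for the endpoint') `
    -SecurityDescriptorSddl $sddl -Force

# 4. From a workstation, as a member of $AllowedGroup: list what the endpoint
#    exposes. Only the baseline commands and the four Get-AD* cmdlets should appear.
Invoke-Command -ComputerName $MemberServer -ConfigurationName $EndpointName `
    -ScriptBlock { Get-Command } | Select-Object -ExpandProperty Name

# 5. On the PSWA gateway: allow the group to reach this endpoint only.
Add-PswaAuthorizationRule -UserGroupName $AllowedGroup `
    -ComputerName $MemberServer -ConfigurationName $EndpointName
```

If the endpoint later needs cmdlets that change AD objects, add them to -VisibleCmdlets explicitly and re-register with a run-as account that holds only the rights those cmdlets require.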


Thanks! That worked in PSWA.

Only one thing I saw.
If I use the command Get-ADUser username, that works fine.

But if I type Get-ADUser -Filter username, that does not work. I got this error:

Error parsing query: 'username' Error Message: 'syntax error' at position: '1'.
    + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingException 
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Micro

Do you have an idea why?
Thanks for your help.

Your error is based on incorrect usage, and has nothing to do with any session configuration or PSWA. Run Get-Help Get-ADUser -Examples and take a look at how the -Filter parameter is used. It’s different than the -Identity parameter, which is what you use when you enter Get-ADUser username.

Thanks, I found out after I clicked on Submit. (My bad)
Again thanks for your fast help.

Have a good day.