Using native commands over remote connection

I just finished watching Don Jones video’s on CBT Nugget on how to run native commands, but I need to run these remotely I need to change the password on a domain that my laptop isn’t a member of. I have already changed the trusted host file so I can make the connection to one of the servers in the domain to run the comand from, but I can’t get the commands to work. All of the DC’s in that domain are 2003 DC’s.

[172.99.26.21]: PS C:\Users\admin\Documents> net user ‘testuser’ /DOMAIN | FIND /I “Account active”

[172.99.26.21]: PS C:\Users\admin\Documents>
See, no output
I think I have two problems, one is syntax, where to I put the quotes and the other passing credentials. HELP please!!!

I’m testing your scenario with 2008 R2 domain controllers and it works without issue even when I connect to a member server instead of a domain controller using:

Enter-PSSession -ComputerName 172.99.26.21 -Credential (Get-Credential)

Then I run the following:

net user ‘testuser’ /DOMAIN | FIND /I “Account active”

And it returns:

Account active No

Sorry for taking so long to respond, I guess I was expecting an email if someone responded. Just to verify, the workstation that you used, is not a member of the domain? I just tried it again, and I still get nothing.

$cred = Get-Credential -Credential ‘domain\domainadmin’
Enter-PSSession -ComputerName ‘10.199.25.121’ -Credential $cred
[10.199.25.121]: PS C:\Users\diverso\Documents> net user ‘DomainUser’ /DOMAIN | FIND /I “Account active”
NOTHING

I wasn’t sure if that’s how I tested it so I decided to re-test and I’m able to replicate the problem. If you run only the first part of the command:

$cred = Get-Credential -Credential ‘domain\domainadmin’
Enter-PSSession -ComputerName ‘10.199.25.121’ -Credential $cred
[10.199.25.121]: PS C:\Users\diverso\Documents> net user ‘DomainUser’ /DOMAIN

I bet you’ll receive an access denied error. Since you’re connected to a member server and running the command in a remote session, it’s trying to contact a domain controller and you’re experiencing the double-hop problem.

The reason you receive nothing when you pipe to the FIND command is because the first part of the command doesn’t produce any results.

Thanks Mike. So, because I am running it remotely, the first command doesn’t work because the credentials won’t carry to the DC? Will this work if I create an end point on this server and give it the command and credential and then make that only available to a certain group?

Can this be done if I enable wsmancredssp?

Anyone, do we think this can be done with credssp?

Ok, I got this working with WSMCredssp. I had to enable WSMancresssp on the server that the native commands would try and access:

Enable-WSManCredSSP -Role server -Force #run this on endpoint server

The last issue is how to add new line between the lines in the body of the email.

Thanks DON, great training, ready for feedback.

function Unlock-DOMUser {
[CmdletBinding()]
Param (
[parameter(Mandatory=$true,
Position=0,
ParameterSetName=“Status”)]
[parameter(Mandatory=$true,
Position=0,
ParameterSetName=“Unlock”)]
[parameter(Mandatory=$true,
Position=0,
ParameterSetName=“Reset”)]
[String]$DOMeid,
[parameter(Mandatory=$true,
ParameterSetName=“Status”)]
[Switch]$AccountStatus,
[parameter(Mandatory=$true,
ParameterSetName=“Unlock”)]
[Switch]$AccountUnlock,
[parameter(Mandatory=$true,
ParameterSetName=“Reset”)]
[Switch]$AccountReset,
[parameter(Position=2,
ParameterSetName=“Reset”)]
[String]$EmailAddress = “$DOMeid@domdom.com”
)

Begin{
        #Get-Item -Path WSMan:\localhost\Client\TrustedHosts
        Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'atl01osi357' -Confirm:$false -Force
        Enable-WSManCredSSP -DelegateComputer serv01oss333.DOM.DOM.com -Force -Role Client | Out-Null
        $User = "DOM\svc-custkkreset"
        $PWord = ConvertTo-SecureString –String 'password' -AsPlainText -Force
        $Credential = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList $User, $PWord
        $credsp1 = New-PSSession -ComputerName 'serv01oss333.DOM.DOM.com' -Credential $Credential -Name credssp1 -Authentication Credssp    

}#end begin


Process{
        if ( $AccountStatus ) { 
            Invoke-Command -session $credsp1 -ScriptBlock { param($DOMeid) net user $DOMeid /DOMAIN | FIND /I "Account active"} -ArgumentList $DOMeid 
        }#end if

        if ( $AccountUnlock ) {
            Invoke-Command -session $credsp1 -ScriptBlock { param($DOMeid) Net user $DOMeid /DOMAIN /active:YES } -ArgumentList $DOMeid
        }#end if
        
        if ( $AccountReset ) {
            $randn = get-random -min 101 -max 999
            [string]$randl = (Get-Random -InputObject 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z' -Count 4)
            $randl = $randl.Replace(' ','')
            [string]$paswd = "!DOM"+$randl+$randn

            Invoke-Command -session $credsp1 -ScriptBlock { param($DOMeid,$paswd) Net user $DOMeid $paswd /DOMAIN /active:YES } -ArgumentList $DOMeid,$paswd

            Send-MailMessage -From "cs@domdom.com" `
                             -Cc me@DomDom.com `
                             -Subject "DOM Pasword Reset" `
                             -BodyAsHtml -Body "Your DOM password had been reset to $paswd, please reset at next logon. `
                             If you still need help, contact the Service Desk:`r`n `
                             For Field Associates: 777-llll For Corporate Campus: ext1111" `
                             -To "$EmailAddress" -SmtpServer email.DOM.com

        }#end if

}#end process       

End{
    Remove-PSSession -Session $credsp1
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '' -Confirm:$false -Force
}#end end

}#end function

The `r and `n do nothing. Why is that?