Active Directory Cmdlets in Windows PowerShell

valentinabombel · ‎07-11-2014

hi, i have add to my vCO a powershell host, now i need to launch a command into this host machine (in my case the AD host) i need to make move a computer from original folder CN=Computers,DC=domain,DC=xxx to another organization unit ..

i use this command

Import-Module ActiveDirectory

get-adcomputer computername | Move-ADObject -TargetPath 'OU=Computers,OU=xxxxx,DC=xxxx,DC=xxx'

but i need the "computername" is a dinamic variable because the "computername" change every virtual machine i create..

i user the workflow "Invoke a powershell scripts" but i don't know if is the correct way because i have some error, but if i launch the command directly from PS in the host machine this work...

can anyonw help me to untherstand to use powershell

thanks :smileygrin:

Spas_Kaloferov · ‎07-21-2014

Hi I have posted it here earlier, but her it is again:
Using CredSSP with the vCO PowerShell Plugin

Best Regards / Поздрави Spas Kaloferov

View solution in original post

igaydajiev · ‎07-11-2014

Could you provide the error that you receive?

You can check also for more details server.log

valentinabombel · ‎07-13-2014

[2014-07-14 08:49:38.875] [D] Invoke command in session 110ebdc0-4c71-413c-ab06-2f5e847a17a7

[2014-07-14 08:49:39.596] [I] PowerShellInvocationError: Errors found while executing script

System.Management.Automation.CommandNotFoundException: Termine 'Move-ADObject' non riconosciuto come nome di cmdlet, funzione, programma eseguibile o file script. Controllare l'ortografia del nome o verificare che il percorso sia incluso e corretto, quindi riprovare.

in System.Management.Automation.CommandDiscovery.LookupCommandInfo(String commandName, CommandOrigin commandOrigin)

in System.Management.Automation.CommandDiscovery.LookupCommandProcessor(String commandName, CommandOrigin commandOrigin, Nullable`1 useLocalScope)

in System.Management.Automation.ExecutionContext.CreateCommand(String command)

in System.Management.Automation.CommandNode.CreateCommandProcessor(Int32& index, ExecutionContext context)

in System.Management.Automation.CommandNode.AddToPipeline(PipelineProcessor pipeline, ExecutionContext context)

in System.Management.Automation.PipelineNode.Execute(Array input, Pipe outputPipe, ArrayList& resultList, ExecutionContext context)

in System.Management.Automation.StatementListNode.ExecuteStatement(ParseTreeNode statement, Array input, Pipe outputPipe, ArrayList& resultList, ExecutionContext context)

(Dynamic Script Module name : invokeScript#14)

the log of run workflow is this.

first i use the workflow "create computer in a organization unit" and after "invoke a powershell script", in the field Value of workflow invoke powershell i put the PS command is right?

i use to connect to vCO client administrator@vpshere.local and i have configured SSO authentication, is correct? or i need to configure LDAP authentication and use the domain admin to launch the powershell script on the host?

thanks :smileygrin:

igaydajiev · ‎07-14-2014

Could you try invoking following script from vCO itself and from the PowerShelll console and then post the results.

-----------

$env:PSModulePath

get-module -listavailable

--------------------

Spas_Kaloferov · ‎07-14-2014

In order to use the AD* cmdlets into a powershell session, you must first import the AD powershell module into that session.

Active Directory Cmdlets in Windows PowerShell

Best Regards / Поздрави Spas Kaloferov

valentinabombel · ‎07-15-2014

i have create a workflow with "invoke powershell script" with your command :

$env:PSModulePath

get-module -listavailable

this is result:

WindowsPowerShell\v1.0\Modules\

ModuleType Name ExportedCommands

---------- ---- ----------------

Manifest ActiveDirectory {}

Manifest ADRMS {}

Manifest AppLocker {}

Manifest BestPractices {}

Manifest BitsTransfer {}

Manifest GroupPolicy {}

Manifest PSDiagnostics {}

Manifest ServerManager {}

Manifest TroubleshootingPack {}

Manifest WebAdministration {}

but i don't understand how i can move a specific computer from an active directory folder to another OU.. because i have to pass to the PS command the computer name, but i need to be dinamically with new virtual machine created (every new vm have a different computer name)

thanks for help :smileygrin:

Spas_Kaloferov · ‎07-15-2014

HI,

Commands seems correct . I've just tested it. Note that i'm on a PSv4 Host. What you can try is importing the module with all parameters: Alias, Cmdlet, Function, and Variable . Something like this:

import-module activedirectory -Alias:@() -Cmdlet:* -Function:* -Variable:*
get-adcomputer computername | Move-ADObject -TargetPath 'OU=Computers,OU=xxxxx,DC=xxxx,DC=xxx'

Ref: https://connect.microsoft.com/PowerShell/feedback/details/716857/module-partially-loads-with-import-...

As for passing parameters to a PS script you can use this WF as starting point.
http://kaloferov.com/blog/?attachment_id=90

Best Regards / Поздрави Spas Kaloferov

valentinabombel · ‎07-15-2014

i have manage my script and now work

i have use for my scope this command:

Import-Module ActiveDirectory

Get-ADComputer -Filter 'Name -like "machinename*"' | Move-ADObject -TargetPath 'OU=Computers,OU=xxxx,DC=xxx,DC=xxx'

in machinename* field you put the machine name start with... so i use as machine prefix in vCAC clone, i put clone* so all vm clone migrato to another OU

valentinabombel · ‎07-17-2014

if i try to invoke an external ps1 script on a server, and it call an active directory object the orchestrator return me an error, but if i try to call a simple script for exemple only print a word it work..

to better understand:

if i invoke this script "write-host testword" this work and in ochestrator log i can see the result

but if i invoke a script that it use the Import-Module ActiveDirectory and the Get-ADComputer i have an error:

PowerShellInvocationError: Errors found while executing script

Microsoft.ActiveDirectory.Management.ADServerDownException: Impossibile contattare il server. E possibile che il server non esista, sia attualmente inattivo o che i servizi Web Active Directory non siano in esecuzione nel server. ---> System.ServiceModel.CommunicationException: Connessione socket interrotta. Ci� potrebbe essere causato da un errore nell'elaborazione del messaggio, un timeout di ricezione superato dall'host remoto o problemi con le risorse di rete sottostanti. Timeout socket locale: '00:02:00'. ---> System.IO.IOException: Operazione di scrittura non riuscita. Vedere l'eccezione interna. ---> System.ServiceModel.CommunicationException: Connessione socket interrotta. Ci� potrebbe essere causato da un errore nell'elaborazione del messaggio, un timeout di ricezione superato dall'host remoto o problemi con le risorse di rete sottostanti. Timeout socket locale: '00:02:00'. ---> System.Net.Sockets.SocketException: Connessione in corso interrotta forzatamente dall'host remoto

in System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)

in System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)

--- Fine dell'analisi dello stack dell'eccezione interna ---

in System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)

in System.ServiceModel.Channels.BufferedConnection.WriteNow(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, BufferManager bufferManager)

in System.ServiceModel.Channels.BufferedConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)

in System.ServiceModel.Channels.ConnectionStream.Write(Byte[] buffer, Int32 offset, Int32 count)

in System.Net.Security.NegotiateStream.StartWriting(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)

in System.Net.Security.NegotiateStream.ProcessWrite(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)

--- Fine dell'analisi dello stack dell'eccezione interna ---

in System.Net.Security.NegotiateStream.ProcessWrite(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)

in System.Net.Security.NegotiateStream.Write(Byte[] buffer, Int32 offset, Int32 count)

in System.ServiceModel.Channels.StreamConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)

--- Fine dell'analisi dello stack dell'eccezione interna ---

Server stack trace:

in System.ServiceModel.Channels.StreamConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)

in System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)

in System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)

in System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)

in System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)

in System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

in System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)

in System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

in System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)

in System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)

in System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

in System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

in System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

in System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

in System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

in Microsoft.ActiveDirectory.WebServices.Proxy.Resource.Get(Message request)

in Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequest request)

--- Fine dell'analisi dello stack dell'eccezione interna ---

in Microsoft.ActiveDirectory.Management.AdwsConnection.InitializeForAutoReconnect[TChannel](Boolean& isAutoReconnecting, TChannel& channel, ChannelFactory`1& chFactory, String endpointName, CommunicationException& commException)

in Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequest request)

in Microsoft.ActiveDirectory.Management.AdwsConnection.Search(ADSearchRequest request)

in Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Search(ADSessionHandle handle, ADSearchRequest request)

in Microsoft.ActiveDirectory.Management.ADObjectSearcher.GetRootDSE()

in Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase.GetRootDSE()

in Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase.GetConnectedStore()

in Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase.GetCmdletSessionInfo()

in Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.BeginProcessingOverride()

in Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase.BeginProcessing()

(Dynamic Script Module name : invokeScript#14)

Spas_Kaloferov · ‎07-17-2014

If you go to the powershell host which is being used by vCO and you run the command import-Module ActiveDirectory and the Get-ADComputer , does it work ? From the message i would suggest the powershell host cannot contact the AD server to query the objects.

Best Regards / Поздрави Spas Kaloferov

valentinabombel · ‎07-17-2014

yes, if i run the command from the powershell in the host it work correctly, only from orchestrator this doesn't work... it's possible a problem of authorization? who is the user run powershell in the host ?

Spas_Kaloferov · ‎07-17-2014

Well you need Domain Credentials to query the info from AD. the user ID under which the command is being run when running from vCO is the user ID you have used when you have added the powershell host in vCO. If you have used local admin credentials when adding the powershell host you might not have enough permissions to perform this operation.What you can do is :

- add the -Credential switch to the get-adComputer command and supply domain credentials. Use domain credentials that have enough permissions to query AD (Lesss complex to achieve / Not so recommended as you have to hard code credentials in the script. )

- Add again the powershell host and use Kerberos as authentication. Use domain credentials that have enough permissions to query AD. (more complex but no credential hard codding needed)

You might try the 1st approach just ot be sure this is your problem and might consider implementing the second for more long term / production solutions.

Some guidance as also examples of credential passing in a script can be found here:

Using CredSSP with the vCO PowerShell Plugin

Best Regards / Поздрави Spas Kaloferov

valentinabombel · ‎07-17-2014

i have made some test, and i have understand the problem, i'm sure is a credential problem, the powershell is invoked with local administrative privileges,,and this user doesn't have the privilege to call the import-module activedirectory from another host

now how i can elevate with a command -Credential all my PS script?

thanks :smileygrin:

valentinabombel · ‎07-18-2014

but i need to use some other command in powershell, for exemple citrix powershell command and this doesent have the -Credential field...

so i think the only way is to add powershell with kerberos authentication..i have try but i receive some error..

this is my winrm get winrm/config

Config

MaxEnvelopeSizekb = 150

MaxTimeoutms = 60000

MaxBatchItems = 32000

MaxProviderRequests = 4294967295

Client

NetworkDelayms = 5000

URLPrefix = wsman

AllowUnencrypted = true

Auth

Basic = true

Digest = true

Kerberos = true

Negotiate = true

Certificate = true

CredSSP = true

DefaultPorts

HTTP = 5985

HTTPS = 5986

TrustedHosts = vcac

Service

RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)

MaxConcurrentOperations = 4294967295

MaxConcurrentOperationsPerUser = 15

EnumerationTimeoutms = 60000

MaxConnections = 25

MaxPacketRetrievalTimeSeconds = 120

AllowUnencrypted = true

Auth

Basic = true

Kerberos = true

Negotiate = true

Certificate = false

CredSSP = true

CbtHardeningLevel = Relaxed

DefaultPorts

HTTP = 5985

HTTPS = 5986

IPv4Filter = *

IPv6Filter = *

EnableCompatibilityHttpListener = false

EnableCompatibilityHttpsListener = false

CertificateThumbprint

Winrs

AllowRemoteShellAccess = true

IdleTimeout = 180000

MaxConcurrentUsers = 5

MaxShellRunTime = 2147483647

MaxProcessesPerShell = 15

MaxMemoryPerShellMB = 150

MaxShellsPerUser = 5

igaydajiev · ‎07-18-2014

What error do you receive.

Spas_Kaloferov · ‎07-21-2014

Just to clarify. if i'm not mistaken you cannot import a module form HostB into HostA. Regarding the credentials i do not see the problem of using Citrix cmdlets. You use the credential switch when using the Invoke-Command. Afterwards in the ScriptBlock part you can invoke any PS command regardless if it supports the -Credential switch or not. For Example:

... (taken from the blog above)
Invoke-Command -ComputerName <PowerShellHost> -ScriptBlock { <MyCitrixCmdletCommand> } -Authentication CredSSP -credential $cred
...

Best Regards / Поздрави Spas Kaloferov

valentinabombel · ‎07-21-2014

now i have reinstalle a new virtual machine ad now i can add without problem the Powershell host with kerberos authentication. when i launch my script from the host work correctly, but when i use orchestrator receive some error.. and now i'm sure the user launches the powershell is domain\administrator and no localmachine\administrator

the error: