Hi!

I've configured PowerShell Remoting on the server using Enable-PSRemoting commandlet.

But when I'm trying to connect to the server I'm constantly getting the following error:

PS C:\Users\sergeyp> Enter-PSSession SERVERNAME.DOMAINNAME.com
Enter-PSSession : Connecting to remote server SERVERNAME.DOMAINNAME.com failed with the following error message : WinRM cannot process the request. The following error
with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1+ Enter-PSSession SERVERNAME.DOMAINNAME.com+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo          : InvalidArgument: (SERVERNAME.DOMAINNAME.com:String) [Enter-PSSession], PSRemotingTransportException+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Also, in the System event log on a client computer I see the Security-Kerberos error described here:
http://technet.microsoft.com/en-us/library/52ddf7d9-a0e7-4c9d-be3c-3c35219f2d69.aspx

Error details:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          2/22/2013 1:42:39 PM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ...
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
SERVERNAME$. The target name used was HTTP/SERVERNAME.DOMAINNAME.com.
This indicates that the target server failed to decrypt the ticket
provided by the client. This can occur when the target server principal
name (SPN) is registered on an account other than the account the target
service is using. Please ensure that the target SPN is registered on,
and only registered on, the account used by the server. This error can
also happen when the target service is using a different password for
the target service account than what the Kerberos Key Distribution
Center (KDC) has for the target service account. Please ensure that the
service on the server and the KDC are both updated to use the current
password. If the server name is not fully qualified, and the target
domain (DOMAINNAME.COM) is different from the client domain
(DOMAINNAME.COM), check if there are identically named server accounts
in these two domains, or use the fully-qualified name to identify the
server.
...

And... I have identical WinRM configuration on the other server, and it works fine.

I'm using Windows Server 2008 Standard SP2 and PowerShell 3.0.

I'm logging in as a domain user.

Both client and server are in the same domain.

The SPN HTTP/SERVERNAME.DOMAINNAME.com doesn't exist, but the corresponding SPN also doesn't exist for the computer on which PS Remoting works fine!

Could somebody help me with identification of this error source, please?

Hi guys!

I run a script of mine on a fileserver 2008 R2; the script return a report in html but it's huge (50000 KB) so it takes a lot of time to load and i can't order it.

The function that create the html report is this:

Function Get-Report{
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$True,Position=0)]$Drives,
        [Parameter(Mandatory=$True,Position=1)][string]$Kind,
        [Parameter(Mandatory=$True,Position=2)]$Source
    )

    $Today = Get-Date -Format "dd-MMM"

    $Head = @"<Title>$Kind Report</Title><style>
        body {
            background-color:#FFFFFF;
            font-family:Verdana;
            font-size:12pt;
        }
        td, th {
            border:1px solid blue;
            border-collapse:collapse;
        }
        th {
            color:white;
            background-color:green;
        }
        table, tr, td, th { padding: 5px; margin: 0px }
        table { margin-left:50px; }</style>"@

    [xml]$html = $Drives | ConvertTo-Html -fragment

    for ($i=1;$i -le $html.table.tr.count-1;$i++) {
        $class = $html.CreateAttribute("class")
    }

    $Body = @"<H1>$Kind File Report for $Source</H1>
$($html.innerxml)"@

    $Log = $Kind + "Report" + $Today

    if(!(Test-Path -Path "C:\Powershell Reports")){
        New-Item -Path "C:\Powershell Reports" -ItemType directory
    }

    ConvertTo-HTML -head $head  -PostContent "<br><i>$(Get-date)</i>" -body $body |
    Out-File "C:\Powershell Reports\$Log.html" -Encoding ascii
}

Does anyone knows some easy function to convert and save the html output to an excel file keeping this structure?

Thanks!

A

Hi,

I am looking for way to find out how many of our computers in our company are using for example:

Windows OS, like 7,8,8.1

Office 2007/2010/2013 suites

Visio/Project suites

Visual Studio

SQL Servers

I would need a query which asks all of the computers in AD do they have a licenses, is it valid (not that important), and most important number of machines using specified products.

Ofcourse query can be only for one product and then I adjust it to my likinings.

Get-ADComputer -filter * | get-wmiobject -class softwarelicensingproduct - i got only this but this is begineers stuf so please help.

Thanks,

Hi All,

How can I set the the  "include inherit permissions from this objects parent" propertiy in Active Directory user object to a list of users using powershell.

This option is not checked for some of my users and I'll like to set it using a powershell script.

Thanks

Simon

Hi all,

I am using powershell 3.0 and trying to implement this updatable feature for our custom powershell module. But I getting the below error:

PS C:\Users\scorchsvc> update-help -Module <modulename> -Force
update-help : Failed to update Help for the module(s) 'modulename' : HelpInfoURI
 https://10.65.182.141/dev_releases/modulename/onlinehelp does not start with http.
At line:1 char:1
+ update-help -Module modulename-Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (HelpInfoUri:Uri) [Update-Help], Exception
    + FullyQualifiedErrorId : InvalidHelpInfoUriFormat,Microsoft.PowerShell.Commands.UpdateHelpCommand

I am able to get this work if I use "http". Error message clearly says that it only expects http. But in the Microsoft help topic for Update-Help cmdlet, it is mentioned that cmdlet works for both http and https both.

Here are my enteries:

• HelpInforURI entry in module manifest file is:

                    HelpInfoURI = "https://10.65.182.141/dev_releases/modulename/onlinehelp"

• HelpContentURI in HelpInfo.xml file is:

                   <HelpContentURI> https://10.65.182.141/dev_releases/modulename/onlinehelp</HelpContentURI>

I am running powershell as an administrator.

I am not behind any proxy.

Windows firewall is off.

I am mentioning it again that I am able to update help for our custom module if I use http in HelpInfoURI.

Can any one please help?

Thanks,

Vinay Ravish.

Hello,

i'm trying to export all users from active directory with all their properties but i only get a few of them;

code used:

Get-ADUser -Filter * Properties *  | Export-Csv all_adusers.csv 

what can i do to get all their properties ?

thanks,
Marius

Hi , all

difficult situation below :

i have another script that get me all pst name + Their path  that connected to my outlook :

$usr=[Environment]::UserName $dmn=[Environment]::UserDomainName $comp=[Environment]::MachineName $outlook = New-Object -comObject Outlook.Application $final=$outlook.Session.Stores | where { ($_.FilePath -like '*.pst')} | select FilePath$final >> c:\3.txt$new = import-csv c:\3.txtdel c:\3.txtforeach($line in $new){$line = $line.trim()'"'+$line+'"'>>c:\3.txt}

Result :

"FilePath"
"C:\Users\mtest\Desktop\My Outlook Data File(1).pst"
"C:\Users\mtest\Documents\My Outlook Data File(2).pst"
"C:\Users\mtest\Pictures\My Outlook Data File(3).pst"
"C:\Owo.pst"

as you see all pst files exists in different location , i would like to special script that know read the paths of pst and move them to specific location like X: or whatever

I have a script that "move " all my pst files to new location , see below the script :

Get-ChildItem -Path "C:\Users\mtest\Documents\Outlook Files\" -Filter *.pst -Recurse | Move-Item -Destination "x:\"

my problem is that my script knows to move them from specific location to specific destination , maybe there are another options that can read several path and perform move ? 

Thank you very much for the effort

My Website:www.Pelegit.co.il Mcitp /Mcsa 2012

PowerShell Documentation states that I only need to double-click PowerShell script (extension “ps1”) in order to run it.
This does not happen; instead Notepad opens ps1 script for editing. Set ExecutionPolicy to “RemoteSigned” to no avail.

Is documentation not specific or is there another problem on my PC (Vista Ultimate x86)?

Thank you.

I'm trying to queue a TFS Build from Powershell passing custom process parameters.  I'm getting the following error:

I'm getting quite frustrated and I know it's something really simple!  Any ideas?

function Get-BuildServer
    {
    param($serverName = $(throw 'please specify a TFS server name'))
    [void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.TeamFoundation.Client")
    [void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.TeamFoundation.Build.Client")
    $tfs = [Microsoft.TeamFoundation.Client.TeamFoundationServerFactory]::GetServer($serverName)

    return $tfs.GetService([Microsoft.TeamFoundation.Build.Client.IBuildServer])
    }

# SAS: Get the Build Server
$buildserver = Get-BuildServer "http://tfsserver:8080/tfs/My%20Project%20Collection"

# SAS: Set the parameters (Team Project and Build Definition)
$teamProject = "MyProject"
$buildDefinition = "MyDefinition"

# SAS: Get the build definition
$definition = $buildserver.GetBuildDefinition($teamProject, $buildDefinition)

# SAS: Create the build request
$request = $definition.CreateBuildRequest()

# SAS: Deserialise the Process Parameter for the Build Definition
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.TeamFoundation.Build.Workflow")
$paramValues = [Microsoft.TeamFoundation.Build.Workflow.WorkflowHelpers]::DeserializeProcessParameters($request.ProcessParameters)

# SAS: Set the parameter(s)
$paramValues.Item("asdf") = "new value"

# SAS: Serialise the Process Parameter for the Build Definition
$request.ProcessParameters = [Microsoft.TeamFoundation.Build.Workflow.WorkflowHelpers]::SerializeProcessParameters($paramValues)

# SAS: Queue the build
$buildserver.QueueBuild($request, "None") 

Simon Sutherill

Hi everybody,

So I setup a logon script to map some network drives depending on the group membership of a user:

$user = $env:username

# Get-ADUser $user -Properties *

(Get-ADUser $user -Properties *).MemberOf | foreach {
    if ($_ -match "instream - Shares Users") {
        New-PSDrive –Name “N” –PSProvider FileSystem –Root “\\instream.local\GlobalShares\instream” –Persist
    }

    if ($_ -match "CSI - Shares Users") {
         New-PSDrive –Name “M” –PSProvider FileSystem –Root “\\instream.local\GlobalShares\csi” –Persist
    }
}

They are setup as persistent so they are available after the session ends. If I run it manually it works. But with the GPO it does not.

I have added it to a logon policy and it is running last.

Now here is some additional information, from what I know, Machine Policy pre-empts all others:

Get-ExecutionPolicy -List

                                 Scope                                             ExecutionPolicy
                                 -----                                             ---------------
                         MachinePolicy                                                Unrestricted
                            UserPolicy                                                   Undefined
                               Process                                                   Undefined
                           CurrentUser                                                   Undefined
                          LocalMachine                                                RemoteSigned

But when I try to run the script manually:

Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by
a policy defined at a more specific scope.  Due to the override, your shell will retain its current effective
execution policy of Unrestricted. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more
information please see "Get-Help Set-ExecutionPolicy".
At line:1 char:46+ if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process  ...+                                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException+ FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run
\\instream.local\SysVol\instream.local\Policies\{47F0D016-3BF4-440C-ADE4-84F5A3403605}\User\Scripts\Logon\Map Network
Drives.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"):

Any idea why it is not working ?

Best regards,

I am looking to use Powershell in order to export users and their group memberships from a specific OU.  The OU contains about 300 members with various group memberships for each.  I would like to export this information into Excel.

Is anyone familiar with a Powershell script that would be capable of this?  I understand using the Get-ADUser and Get-ADUserGroups will be used, but I am unsure of how to break down to users only in a specific OU and export to Excel.

Any help is appreciated.

Thank you.

I was wondering if anyone knew how to or if it is even possible to get a web application user session count?

I can get that session count at the Web Site level by doing

Get-Counter "\\$ServerName\web service($website)\current connections"

If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.

Don't Retire Technet

Hello, I am trying to import a csv to do some clean up on some AD account’s.

My question is similar to this post https://social.technet.microsoft.com/Forums/windowsserver/en-US/031f084b-b9b3-4d17-9783-75796db16fab/importcsv-to-update-setaduser-but-skip-fields-that-are-null But I can’t seem to use that example it to work for my needs.

I have exported the user properties to csv and used excel to make the updates.

Now I just need to import the updated csv to write the new attribute values. Here is the script I am starting with

$cv = Import-Csv .\test.csv
foreach ($User in $cv){
Set-ADUser $User.sAMAccountName -Replace @{Description = $User.description; Customattribute1 = $User. Customattribute1; Customattribute2 = $User. Customattribute2}
}

And this works as long as there are no blanks. But I get an error when a field is intentionally blank in effort to clear out all contents of an attribute from some users.

Here is the CSV. For this test I am wanting to clear out the value of Customattribute1 for the second user.

givenName,Surname,sAMAccountName,description,Customattribute1, Customattribute2

John,Smith,John.Smith,descrip1,catt1,catt2

Bill,Smith,Bill.Smith,descrip2,,catt2

I have tried  this but I get an error missing ‘=’ operator after key in hash literal.

Set-ADUser $user.sAMAccountName -Replace @{

                                if(($user. Customattribute1-eq $null)){ Customattribute1= $null;}

if(!($user. Customattribute1-eq $null)){ Customattribute1= $User. Customattribute1;}

if(($user. Customattribute2-eq $null)){ Customattribute2= $null;}

if(!($user. Customattribute2-eq $null)){ Customattribute2= $User. Customattribute2;}

Any help in fixing this and maybe telling me what I was doing wrong would be appreciated.

Thanks,

Robert

Hello, 

I have used the following code to store an encrypted string. Note, UserA is not the user logged on but rather the user that was used to run PowerShell (i.e. RunAs). 

PS C:\Users\Administrator> whoami
testdomain\userA
PS C:\Users\Administrator> $string = Read-Host -Prompt ‘Enter String’ -AsSecureString | ConvertFrom-SecureString | Set-Content ‘c:\encString.txt’

After having read up on the DPAPI it's my understanding that the key used for encryption is UserA’s “logon credential”.  When I then run PowerShell under UserB's context (i.e. RunAs) and try pull in the encrypted string I receive the expected error seen below.

PS C:\Users\Administrator> whoami
testdomain\userB
PS C:\Users\Administrator> $UserAEncString = Get-Content ‘c:\encString.txt’ | ConvertTo-SecureString
ConvertTo-SecureString : Key not valid for use in specified state.
At line:1 char:47
+ $UserAEncString = Get-Content c:\encString.txt | ConvertTo-SecureString+                                               ~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException+ FullyQualifiedErrorId : ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

This is obviously normal because UserB's logon credential is different than UserA's. I'm looking for clarification / confirmation that the only user that will be able to leverage the encrypted string in a credential is UserA. An example of what I mean by leverage a credential is listed below. 

PS C:\Users\Administrator> whoami
testdomain\userA
PS C:\Users\Administrator> $UserAEncString = Get-Content ‘c:\encString.txt’ | ConvertTo-SecureString
PS C:\Users\Administrator> $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList 'MyUser',$encString

I am seeing a strange behavior with Autodesk AutoCAD Architecture, which creates two seemingly identically named 'Autodesk' folders in My Documents. If you click on them they each contain very different things.

However, Get-ChildItem 'C:\Users\USERNAME\Documents' | ?{ $_.PSIsContainer } | Select-Object FullName returns just a single folder name. Properties of both claim they are folders, and with very different content. Remove-Item 'C:\Users\Px_User\Documents\Autodesk' -recurse will delete one of them, but the second attempt fails, claiming the folder is not there. 

My guess is that there is something jacked up in the permissions. Autodesk is well know for screwing this kind of thing up. But I am trying to figure out, what, if anything, can I even do? If the user doesn't have admin rights, then nothing scripted can be used to delete this junk folder, that of course gets left behind when ACAD is uninstalled because Windows/Autodesk uninstallers are total junk. So very frustrating how much crap gets left behind.

I'm trying to figure out how to obtain the Name and department fields from all the members of an AD group named "TS Users"

I have obtained the a list of users Names and SamAccountName and placed it within a Users.txt file on the root of my C:\

Get-ADGroupMember -Identity "TS Users" | select SamAccountName, Name | Ft -auto | out-file c:\users.txt

I'm having trouble figuring out how to writing the Foreach-object within the C:\users.tst { Get-ADUser -Identity -Property Department}

Thanks you.. 

I have an excel file that holds some information on several computers.  I was hoping to figure out a way to get some needed information and create some calculations that I've been able to create with the use of this forum.

I'm not sure who to get the data so I can work with the Disk_Drive column.  Every time I use:

import-csv c:\computers.csv, I start getting a bunch of errors.  My guess it's due to the "^" but know sure how to parse those out.

Secondly, I need to break out the C/D/E etc drives so I can calculate SizeGB/UsedGB/FreeGB from the Disk_Drive column.

Please let me know if more data is needed.

Thanks

Jr. Admin

hi friends

in my Active Directory, in default "Users" container, have created a group named "helpdesks".

i have also some OUs and SubOus which each contains some users.

i need to get all users in my entire domain which are not member of helpdesks group.

Get-ADUser -SearchBase -Filter {memberof -notlike  'cn=helpdesks,cn=users,dc=mydomain,dc=lab' } | select name

Get-ADUser -SearchBase 'dc=mydomain,dc=lab' -searchscope subtree -Filter {memberof -notlike  'cn=helpdesks,cn=users,dc=mydomain,dc=lab' } | select name

but all commands get only these 3 accounts : administrator , Guest , krbtgt

( and not those accounts which are in ou-users , users-marketing subou & any other locations )

strange !

any idea

thanks in advanced