Invoke scriptblock function

  • Question

  • It should retrieve whether a user is in a group. The return value should be YES but it comes back as NO. If I run ONLY the

    function on a domain controller the return value comes back as YES. What is the mistake I am making?

    $global:DCServerGlobal = "DC07DCW6.mydomain.local"
    $Global:usernameGlobal = "mydomain\svc" # User account with permissions to the server
    $Global:passwordGlobal = "mypassword!" | ConvertTo-SecureString -asPlainText -Force
    $Global:credentialGlobal = New-Object System.Management.Automation.PSCredential($usernameGlobal, $passwordGlobal)
    
    function WhoAmI {
    	$tempUserId = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    	$idx = $tempUserId.IndexOf("\")
    	$LogInUser = $tempUserId.Substring($idx + 1)
    	Import-Module activedirectory
    	$group = "InventoryDBUsers"
    	$members = (Get-ADGroupMember $group -Recursive | select-object saMAccountName).saMAccountName
    	If ($members -contains $LogInUser) { $UserInGroup = "Yes" } Else { $UserInGroup = "No" }
    	Return $UserInGroup
    }
    
    $sessionDC = New-PSSession -credential $credentialGlobal -ComputerName $DCServerGlobal
    $UserIn = (Invoke-Command -session $sessionDC -ScriptBlock ${function:WhoAmI})
    Write-Host $UserIn
    Get-PSSession | Remove-PSSession


    Thursday, July 27, 2017 11:30 PM

Answers

  • Add a "Write-Host $myuser" to the scriptblock.

    You do not need to declare everything "global".  You also do not need to create a session.  Just use my code.

    $sb = {
    	Param($username)
    	Write-Host USERNAME = $username -fore green
    	Import-Module activedirectory
    	$members = Get-ADGroupMember InventoryDBUsers -Recursive | select-object -ExpandProperty saMAccountName
    	If ($members -contains $username) { 'Yes' } else { 'No' }
    }
    
    $pwd = 'mypassword!' | ConvertTo-SecureString -asPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential('mydomain\svc', $pwd)
    Invoke-Command -ScriptBlock $sb -ComputerName DC07DCW6 -Credential $cred -ArgumentList $env:USERNAME



    \_(ツ)_/



    • Marked as answer by asif300 Friday, July 28, 2017 3:28 PM
    • Edited by jrv Friday, July 28, 2017 3:29 PM
    Friday, July 28, 2017 3:10 PM

All replies

  • You are way overcomplicating this.  Start simple and make it work as needed.

    $sb = {
    	Import-Module activedirectory
    	$members = Get-ADGroupMember InventoryDBUsers -Recursive | select-object -Expand saMAccountName
    	If ($members -contains $env:USERNAME){'Yes'}else{'No'}
    }
    
    $pwd = 'mypassword!' | ConvertTo-SecureString -asPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential('mydomain\svc', $pwd)
    Invoke-Command -ScriptBlock $sb -ComputerName DC07DCW6 -Credential $cred
    

    I can see no reason why you would do this.


    \_(ツ)_/


    • Edited by jrv Thursday, July 27, 2017 11:58 PM
    Thursday, July 27, 2017 11:58 PM
  • If I run your script block I get NO, but if I run only the script it gets Yes. Any idea?


    • Edited by asif300 Friday, July 28, 2017 12:31 AM
    Friday, July 28, 2017 12:24 AM
  • Two different accounts. You are running the remote session under a different account, and that is what it is reporting.


    \_(ツ)_/

    • Marked as answer by asif300 Friday, July 28, 2017 12:46 AM
    • Unmarked as answer by asif300 Friday, July 28, 2017 2:39 PM
    Friday, July 28, 2017 12:27 AM
  • $sb = {
    	Import-Module activedirectory
    	$members = Get-ADGroupMember InventoryDBUsers -Recursive | select-object -Expand saMAccountName
    	If ($members -contains $env:USERNAME){'Yes'}else{'No'}
    }
    
    $pwd = 'mypassword!' | ConvertTo-SecureString -asPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential('mydomain\svc', $pwd)
    Invoke-Command -ScriptBlock $sb -ComputerName DC07DCW6

    This works if you are part of Domain Admins, but I am writing a GUI tool that the helpdesk will use. DC07DCW6 is a domain controller. When

    a helpdesk user executes the code, an access denied error comes. If you see my first code, I opened a session on the domain

    controller using a service account. Any idea how to do that?

    Friday, July 28, 2017 2:53 PM
  • No idea what you are trying to ask.

    The code is just a fixed version of the code you posted.

    Only Domain Admins can remote unless you redesign your remoting setup.

    You can install RSAT on the helpdesk machines and they can use this locally without being Admins and without needing to remote.


    \_(ツ)_/

    Friday, July 28, 2017 2:58 PM
  • I need to open a session on a remote computer using a service account. I even tried the code below, but it still comes back NO.

    $Global:usernameGlobal = "mydomain\svc" # User account with permissions to the server
    $Global:passwordGlobal = "MyPassword" | ConvertTo-SecureString -asPlainText -Force
    $Global:credentialGlobal = New-Object System.Management.Automation.PSCredential($usernameGlobal, $passwordGlobal)
    
    function WhoAmI {
    	Param ([string]$myUser)
    	Import-Module activedirectory
    	$group = "InventoryDBUsers"
    	$members = (Get-ADGroupMember $group -Recursive | select-object saMAccountName).saMAccountName
    	Write-Host $members
    	If ($members -contains $myUser) { "Yes" } Else { "No" }
    }
    
    $LogInUser = $env:USERNAME
    $session = New-PSSession -credential $credentialGlobal -ComputerName DC07DCW6
    Invoke-Command -session $session -ScriptBlock ${function:WhoAmI} -ArgumentList $LogInUser


    Friday, July 28, 2017 3:06 PM
  • My code tries to check whether the logged-in user belongs to the AD group InventoryDBUsers, so the code has to run on a server which is a DC. Help desk users will not have

    access to the DC. I don't want to install RSAT because some non-help-desk users will

    use this GUI tool.

    Friday, July 28, 2017 3:20 PM
  • RSAT installs the PowerShell Active Directory commands locally and anyone can use them to read AD. This would be the normal configuration for a help desk setup. It is what RSAT is designed for.

    You can also just use ADSI classes directly.

    $group = [adsi]'LDAP://cn=groupname,ou=someou,dc=domain,dc=com'
    $group.members


    \_(ツ)_/

    Friday, July 28, 2017 3:24 PM
  • This checks the current user against a group's SID:

    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    [bool]($id.Groups|?{$_.Value  -match 'S-1-5-32-554'})


    \_(ツ)_/

    Friday, July 28, 2017 3:28 PM
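As an added example (not code from this thread), the SID check above carried through for the question's group, InventoryDBUsers: the group name is resolved to a SID and tested against the logged-on user's own token, so the check runs as the helpdesk user with no remoting, no RSAT and no service-account password embedded in the tool. The function name Test-CurrentUserInGroup and its parameter are assumptions; the domain prefix is taken from $env:USERDOMAIN.

```powershell
function Test-CurrentUserInGroup {
    param(
        # Group in DOMAIN\Name form, e.g. "mydomain\InventoryDBUsers" (name assumed here)
        [Parameter(Mandatory)][string]$GroupName
    )

    # Resolve the group name to its SID. A misspelled or non-existent group
    # must be a hard error, never a silent "No".
    try {
        $groupSid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Group '$GroupName' could not be resolved to a SID"
    }

    # The logon token of the *calling* user already lists every group SID,
    # including nested memberships, so no AD query (and no DC session) is needed.
    # Inside a remote session this would instead describe the run-as account,
    # which is why the original WhoAmI function reported the service account.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($id.Groups | Where-Object { $_.Value -eq $groupSid.Value })
}

# Usage as the logged-on helpdesk user:
if (Test-CurrentUserInGroup -GroupName "$env:USERDOMAIN\InventoryDBUsers") { 'Yes' } else { 'No' }
```

Token groups are fixed at logon, so a user added to the group sees "Yes" only after logging on again; that is the trade-off against the live Get-ADGroupMember query.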
  • Here is a good way to get a user's groups without remoting:

    function Get-UserGroups{
    	$id = [Security.Principal.WindowsIdentity]::GetCurrent()
    	$id.Groups | %{
    		$grpPath = ([adsisearcher]"objectsid=$($_.Value)").FindOne().Path
    		[adsi]$grpPath
    	}
    }
    Get-UserGroups | select name

    It is very fast.


    \_(ツ)_/

    Friday, July 28, 2017 4:23 PM
  • And yet another way to test group membership.

    if(whoami /groups|select-string 'BUILTIN\Hyper-V Administrators' -SimpleMatch){'YES'}else{'No'}


    \_(ツ)_/

    Friday, July 28, 2017 4:25 PM