Cannot promote server to DC from powershell using impersonation (alternate credentials)

  • Question

  • Hi Guys,

    I'm trying to promote a server to a DC from PowerShell by executing a PowerShell script that impersonates a domain admin user; the script is executed from a regular domain user session on the server.

    The script is:

    #Get credentials for the user (LocalInstall) that has access to the shared folder
    $localInstall = Get-Credential -UserName domain\localinstall -Message "Enter LocalInstall credentials"
    #Clear all shared folder connections
    net use * /delete /y
    #Map a PSDrive so we can access the shared folder; it runs as the LocalInstall user
    New-PSDrive -Name Software -PSProvider FileSystem -Root \\ADDS01\Software -Credential $localInstall
    #Get the username of the domain admin and store it in the $adminuser variable
    $adminuser = Get-Content Software:\RootUN.txt
    #Get the encrypted (AES, 32-byte key) domain admin password and store it in the $adminpwd variable
    $adminpwd = Get-Content Software:\RootCrd.txt
    #Here we hard-code the key used to decrypt the domain admin password
    [Byte[]] $key = (200,4,85,12,54,56,87,54,52,45,85,45,89,52,56,87,87,85,74,20,32,65,98,71,73,91,64,82,79,41,10,30)
    #Create the domain admin credential and store it in the $admin variable
    $admin = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminuser, ($adminpwd | ConvertTo-SecureString -Key $key)
    #Launch a PowerShell session with the domain admin credentials and run the cmdlet to promote the server to a DC.
    #$admin is referenced inside the command so it can be passed to the -ADPrepCredential and -Credential parameters of Install-ADDSDomainController.
    #Note: -ArgumentList is a single-quoted string, so $admin is not expanded here; the child session receives the literal text $admin, which is undefined there.
    #The DSRM password is written as ''P@$$w0rd'' (a single-quoted string in the child) because $$ is an automatic variable that would be expanded inside double quotes.
    Start-Process "powershell.exe" -ArgumentList '-noexit -command &{
    Install-ADDSDomainController -DomainName "domain.local" -SkipPreChecks -SafeModeAdministratorPassword (ConvertTo-SecureString ''P@$$w0rd'' -AsPlainText -Force) -ADPrepCredential $admin -Credential $admin -InstallDns:$true -Confirm:$false}' -Credential $admin
    When the script is executed I get the following error:
    Install-ADDSDomainController : Verification of user credential permissions failed. You have not supplied user credentials that belong to the Domain Admins group or the Enterprise Admins group. The installation may fail with an Access Denied error.
    Context : Test.VerifyUserCredentialPermissions.DCPromo.General.12
    RebootRequired : False
    Status: Error
    Note: To prove that the right credentials are used when launching with the Start-Process cmdlet, I executed

    Start-Process "powershell.exe" -ArgumentList "-command &{whoami}" -Credential $admincredential

    and I get the right domain admin user account in the PowerShell session.

    Please, guys, could you help me understand why I can't make this work.

    Thank you.

    • Edited by JRLOPS Sunday, December 18, 2016 3:01 AM
    Saturday, December 17, 2016 3:34 AM

Answers

  • Hi jrv, thanks for your time helping me, I really appreciated that.

    Finally I could make the script work. I solved this by eliminating the extra credentials passed to the parameters of the Install-ADDSDomainController cmdlet; the only credentials needed are the ones passed to the Start-Process cmdlet:

    #Get credentials for the user (LocalInstall) that has access to the shared folder
    $localInstall = Get-Credential -UserName domain\localinstall -Message "Enter LocalInstall credentials"
    #Clear all shared folder connections
    net use * /delete /y
    #Map a PSDrive so we can access the shared folder; it runs as the LocalInstall user
    New-PSDrive -Name Software -PSProvider FileSystem -Root \\ADDS01\Software -Credential $localInstall
    #Get the username of the domain admin and store it in the $adminuser variable
    $adminuser = Get-Content Software:\RootUN.txt
    #Get the encrypted (AES, 32-byte key) domain admin password and store it in the $adminpwd variable
    $adminpwd = Get-Content Software:\RootCrd.txt
    #Here we hard-code the key used to decrypt the domain admin password
    [Byte[]] $key = (200,4,85,12,54,56,87,54,52,45,85,45,89,52,56,87,87,85,74,20,32,65,98,71,73,91,64,82,79,41,10,30)
    #Create the domain admin credential and store it in the $admin variable
    $admin = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminuser, ($adminpwd | ConvertTo-SecureString -Key $key)
    #Launch a PowerShell session with the domain admin credentials and run the cmdlet to promote the server to a DC.
    #The child process already runs as the domain admin, so the cmdlet needs no -Credential or -ADPrepCredential of its own.
    #The DSRM password is written as ''P@$$w0rd'' (a single-quoted string in the child) because $$ is an automatic variable that would be expanded inside double quotes.
    Start-Process "powershell.exe" -ArgumentList '-noexit -command &{
    Install-ADDSDomainController -DomainName "domain.local" -SkipPreChecks -SafeModeAdministratorPassword (ConvertTo-SecureString ''P@$$w0rd'' -AsPlainText -Force) -InstallDns:$true -Confirm:$false}' -Credential $admin

    Note: the user that logs in to the server doesn't need to be a local admin on the server and doesn't need to be in a privileged domain group; he could be a regular domain user.

    • Marked as answer by JRLOPS Sunday, December 18, 2016 1:49 AM
    • Edited by JRLOPS Sunday, December 18, 2016 3:09 AM Spelling
    Sunday, December 18, 2016 1:45 AM
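
Added example (not code from the original post) that shows why the first version of the script failed and the accepted one works, and a launcher that avoids nested quoting altogether. It assumes the $admin credential has already been built as in the script above, that the AD DS role is already installed (Install-WindowsFeature AD-Domain-Services), that C:\ProgramData\DcPromo is a writable staging folder and that the domain is domain.local; all four are assumptions, not facts from the thread.

```powershell
# Added example, not from the original post.
# Assumptions: $admin is the PSCredential built earlier in the script; the AD DS
# role is already installed; C:\ProgramData\DcPromo is a writable staging folder;
# the target domain is domain.local.

# 1. Why the first attempt failed. -ArgumentList was a single-quoted string, so
#    the text $admin reached the child session unexpanded and was $null there.
#    Double quotes would not help: a PSCredential interpolates to its type name,
#    and a credential object cannot cross a process boundary as text anyway.
$single = '-Command & { Install-ADDSDomainController -Credential $admin }'
$double = "-Command & { Install-ADDSDomainController -Credential $admin }"
"Single-quoted argument passes: $single"
"Double-quoted argument passes: $double"   # ... -Credential System.Management.Automation.PSCredential

# 2. The DSRM password pitfall. In a double-quoted string $$ is an automatic
#    variable (the last token of the previous input line) and is expanded, so
#    "P@$$w0rd" is not the password the cmdlet receives. Single quotes keep it literal.
'Double-quoted: {0} ({1} chars); single-quoted: {2} ({3} chars)' -f `
    "P@$$w0rd", "P@$$w0rd".Length, 'P@$$w0rd', 'P@$$w0rd'.Length

# 3. Robust launcher: put the child's commands in a script file and start it with
#    -File, so there is no nested quoting, and let the child prompt for the DSRM
#    password instead of embedding it in a string. The child runs as the account
#    given to -Credential, so Install-ADDSDomainController needs no -Credential or
#    -ADPrepCredential of its own (which is what the accepted answer found).
$stage = 'C:\ProgramData\DcPromo'
New-Item -ItemType Directory -Path $stage -Force | Out-Null
$child = Join-Path $stage 'Promote-Dc.ps1'

@'
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode Administrator) password'
Install-ADDSDomainController -DomainName 'domain.local' `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns:$true -Confirm:$false
'@ | Set-Content -Path $child -Encoding ASCII

Start-Process -FilePath powershell.exe -Credential $admin -Wait `
    -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$child`""
```

Run it from the regular user's session exactly as the original script is run; the promotion itself happens in the window that Start-Process opens as the domain admin account. Because the staging file is written by the regular user, anyone who can edit it before the privileged process starts controls what runs as the domain admin, which is the same trust problem the rest of the thread discusses.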

All replies

  • The account you use Must be a member of the "Domain Admins" group.

    Delegated administration of parts of AD does not give Admin rights on the domain.


    \_(ツ)_/

    Saturday, December 17, 2016 5:31 PM
    Hi jrv, thanks for your response. The user is a Domain Admin, Enterprise Admin and Schema Admin; it is the god user of the domain.
    Saturday, December 17, 2016 6:34 PM
    If the user is an admin then you don't need to use credentials. Just run the install.


    \_(ツ)_/

    Saturday, December 17, 2016 6:36 PM
    OK, it can't be done directly, because a delegated user that is not an admin needs to launch the script stored on a UNC path. Then the script internally tries to promote the server to a DC using alternate credentials, in this case the domain admin user account. In summary, the script is launched from a session that is not a domain admin's.



    • Edited by JRLOPS Saturday, December 17, 2016 6:50 PM
    Saturday, December 17, 2016 6:41 PM
    If the server is part of the domain then just run PowerShell as a domain admin and run the command without credentials.

    If the user is a local admin then they can run the command and supply domain admin credentials.

    I do not believe that you can delegate an admin on a DC until after the DC is installed.

    Post issues in the Directory Services forum. The DS team builds and supports the commands and will have quick access to a test platform. I don't want to spend time turning up a raw virtual domain to test one command.


    \_(ツ)_/

    Saturday, December 17, 2016 6:58 PM
    Thank you jrv, the user isn't a local admin of the server, so he can't install software and promote the server to a DC; that is the reason he must launch the script to promote the server to a DC. The script executes the command Install-ADDSDomainController with domain admin credentials. I tried launching the command in a domain admin PowerShell session and it worked, but when the user launches the script from his session it doesn't work.


    • Edited by JRLOPS Saturday, December 17, 2016 7:10 PM
    Saturday, December 17, 2016 7:06 PM
  • The user account must be an admin on the local machine or the user must be an admin.  The credentials are used when installing a DC only when a local admin does the install. 

    \_(ツ)_/

    Saturday, December 17, 2016 7:13 PM
    I added the user to the server's local Administrators group; it still isn't working. Thank you.
    Saturday, December 17, 2016 7:37 PM
    The user must log off before the changes become usable, then he must still use a full domain admin credential to add the DC role to the server. Be sure the server is joined to the domain correctly. Use the domain parameter to explicitly reference the domain the server is to be promoted into.

    \_(ツ)_/

    Saturday, December 17, 2016 7:47 PM
    Hi jrv, I think I'm not expressing what I want to say clearly; I'm sorry.

    What I'm trying to do is:

    1. Domain user logon to the future DC server. User isn't domain admin.

    2. Logged on Domain user launch a Script.

    3. The script does the following:

    • $domainadmin = Get-credential #get encrypted credential for a domain admin
    • Install-ADDSDomainController -DomainName mydomain.local -ADPrepCredential $domainadmin -Credential $domainadmin <more parameters> #Try to promote server as DC, using domain admin credentials (impersonation)

    This isn't working.

    I hope my case is clear now.

    Thank you so much.


    • Edited by JRLOPS Saturday, December 17, 2016 9:39 PM
    Saturday, December 17, 2016 9:30 PM
  • That is correct. The user must be an admin on the local system.  They must log in as a local administrator.


    \_(ツ)_/

    Saturday, December 17, 2016 9:42 PM
    Yeah, the user is a local admin; I checked that with net localgroup administrators and I can see that domain\myuser is in the local Administrators group. However, it's still not working.
    • Proposed as answer by jrv Sunday, December 18, 2016 2:19 AM
    Saturday, December 17, 2016 9:47 PM
    Yeah, the user is a local admin; I checked that with net localgroup administrators and I can see that domain\myuser is in the local Administrators group. However, it's still not working.

    Have the user log in as the local administrator.  Enter the command and type in the domain admin credentials and enter password when prompted.

    You will not be able to use credentials encrypted  by AES.  You must use correct admin credentials.

    You can temporarily add the user to the Domain Admins group and then they won't need credentials to add the DC role.

    There is no way to safely store credentials in a script.  To be usable the credentials must be decryptable by the account using them.  Because of that they can be seen.


    \_(ツ)_/

    Saturday, December 17, 2016 9:55 PM
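
Added example (not from the thread) that demonstrates the point jrv makes above using the same ConvertTo-SecureString -Key scheme the posted script relies on. The key, the password and the account name are constructed samples, not values from the thread; the file name RootCrd.txt is the one the script uses.

```powershell
# Added example, not from the thread. Uses the same ConvertTo-SecureString -Key
# scheme as the posted script with a constructed key, password and user name.

# What the script author did once, up front: "encrypt" the DA password with a
# fixed key and store the result (this is what RootCrd.txt holds).
[byte[]] $key = 1..32                                  # constructed stand-in for the hard-coded key
$secret = ConvertTo-SecureString 'Sample-DA-Pa55!' -AsPlainText -Force
$blob   = ConvertFrom-SecureString $secret -Key $key   # AES-256 ciphertext as text

# What anyone who can read the script and RootCrd.txt can do: the key and the
# ciphertext are both in hand, so the password is one method call away.
function Get-PasswordFromBlob {
    param([string] $Blob, [byte[]] $Key, [string] $UserName = 'domain\rootadmin')
    $ss   = $Blob | ConvertTo-SecureString -Key $Key
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $ss
    return $cred.GetNetworkCredential().Password
}
"Recovered from AES blob: $(Get-PasswordFromBlob -Blob $blob -Key $key)"   # Sample-DA-Pa55!

# Without -Key, ConvertFrom-SecureString uses DPAPI: the blob is bound to this
# Windows account on this machine, so it cannot be shipped to a different user.
# That removes the "key in the script" problem but not the fundamental one:
# whichever account can decrypt it can also print it, exactly as above.
$dpapiBlob = ConvertFrom-SecureString $secret
$ssDpapi   = $dpapiBlob | ConvertTo-SecureString          # works only for this user on this host
$credDpapi = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList 'domain\rootadmin', $ssDpapi
"Recovered from DPAPI blob by the same account: $($credDpapi.GetNetworkCredential().Password)"

# Telling the two formats apart when reviewing a script: a DPAPI blob starts with
# the DPAPI header 01000000d08c9ddf; a -Key blob uses a different, key-encrypted layout.
'DPAPI header present: {0}' -f $dpapiBlob.StartsWith('01000000d08c9ddf')
```

The practical reading for this thread: a non-admin user who is handed the script plus RootCrd.txt has been handed the domain admin password, whether or not the file is labelled "AES encrypted".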
    Hi jrv, I encrypted the password of my domain admin in a txt file. Then in the script there are lines of code that decrypt it and get the credentials correctly, so I ran some commands to test that the impersonation is working, and it worked. I even installed netfx3 and created a user in the domain using Connect-ADService and New-ADUser; everything worked fine. I see that the only command or cmdlet that is failing is Install-ADDSDomainController.

    I can't let the user know the domain admin credentials and I can't do the process myself, because the requirement is that a non-domain-admin user can promote his own server to a DC. That is the reason for the script that I created.

    • Edited by JRLOPS Saturday, December 17, 2016 10:33 PM
    Saturday, December 17, 2016 10:11 PM
    Everything will work fine if you do it under your account, but it will not work under another user's account.

    Log into the remote server as the local admin and try to run the command by entering the domain credentials directly. Then try it with your encrypted credentials. One will work and the other won't.

    If you think this should work your way then post in Directory Services forum to see if anyone there thinks you can do what you are trying to do.

    You also fail to say how a user account can decrypt the credentials. You would have to give them the key. If you are using a cert they would have to have the cert in their account. In all cases they will know the password and can use it at any time.


    \_(ツ)_/


    • Edited by jrv Saturday, December 17, 2016 10:47 PM
    Saturday, December 17, 2016 10:45 PM
    An EXE created from a script is not encrypted and anyone can extract the script. I recommend that you take some time learning more about the technology behind what you are trying to do.

    Encrypted or not your posted solution has little to do with your question or issue as originally posted.


    \_(ツ)_/

    Sunday, December 18, 2016 2:21 AM
  • Hi jrv,

    You're right, I'm so sorry. I confused the original idea by going deep into the details of the problem instead of the script itself that I'm trying to execute; for that reason I edited the initial thread and the answer. Could you help me with how I can delete the thread? Because I confused you with my explanation, I made you help me with answers coming from a confused idea due to my bad description of the problem.

    • Edited by JRLOPS Sunday, December 18, 2016 3:26 AM
    Sunday, December 18, 2016 3:05 AM
  • Sorry but threads cannot be deleted.

    \_(ツ)_/

    Sunday, December 18, 2016 3:59 AM