How to create and edit GPO as a domain user?

  • Question

  • I am trying to create a GPO and update the firewall settings using the script below; however, the script test2.ps1 still executes the commands as the local user instead of using the domain credentials.

    So the script is basically creating a new session with domain credentials; however, the code that actually has the commands to create and edit the GPO (the test2.ps1 script, sent as command-line arguments) is still executing in the old session with the local user account instead of executing the commands in the new session opened with the domain credentials in test1.ps1.

    test1.ps1
    -----------
    $username = "admin@mydomain"
    $password = ConvertTo-SecureString "somepassword" -AsPlainText -Force

    $credential = New-Object System.Management.Automation.PSCredential($username, $password)

    $StartProcInfo = new-object system.Diagnostics.ProcessStartInfo
    $StartProcInfo.UserName = $username
    $StartProcInfo.Password = $password
    $StartProcInfo.UseShellExecute = $false
    $StartProcInfo.FileName = 'C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe'
    $StartProcInfo.Arguments = test2.ps1
    $StartProcInfo.CreateNoWindow=$true
    $process = New-Object System.Diagnostics.Process
    $process.StartInfo = $StartProcInfo
    $process.Start() | Out-Null
    $StartProcInfo.RedirectStandardError=$true
    $standardOut = $StartProcInfo.StandardOutput.ReadToEnd()
    $process.WaitForExit()

    # $standardOut should contain the results of "test2.ps1"
    $standardOut

    test2.ps1
    --------------
    New-GPO "check1” -Domain "mydomain" -Server "mydomain"
    Open-NetGPO –PolicyStore  mydomain\check1
    Set-NetFirewallProfile -Profile Domain -Enabled False -GPOSession  mydomain\check1
    Save-NetGPO -GPOSession  mydomain\check1

    output
    ---------

    PS C:\Users\Administrator\Documents> .\test.PS1
    New-GPO : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    At C:\Users\Administrator\Documents\test2.ps1:2 char:1
    + New-GPO "check1” -Domain "mydomain" -Server "mydomain"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-GPO], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.NewGpoCommand

    Open-NetGPO : The user name or password is incorrect.
    At C:\Users\Administrator\Documents\test2.ps1:3 char:1
    + Open-NetGPO –PolicyStore mydomain\check1
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : AuthenticationError: (MSFT_NetGPO:root/standardcimv2/MSFT_NetGPO) [Open-NetGPO], CimException
        + FullyQualifiedErrorId : Windows System Error 1326,Open-NetGPO

    Set-NetFirewallProfile : The user name or password is incorrect.
    At C:\Users\Administrator\Documents\test2.ps1:4 char:1
    + Set-NetFirewallProfile -Profile Domain -Enabled False -GPOSession  ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : AuthenticationError: (MSFT_NetFirewallProfile:root/standardci...FirewallProfile) [Set-NetFirewallProfile], CimException
        + FullyQualifiedErrorId : Windows System Error 1326,Set-NetFirewallProfile

    Save-NetGPO : The user name or password is incorrect.
    At C:\Users\Administrator\Documents\test2.ps1:5 char:1
    + Save-NetGPO -GPOSession mydomain\check1
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : AuthenticationError: (MSFT_NetGPO:root/standardcimv2/MSFT_NetGPO) [Save-NetGPO], CimException
        + FullyQualifiedErrorId : Windows System Error 1326,Save-NetGPO

    You cannot call a method on a null-valued expression.
    At C:\Users\Administrator\Documents\test.PS1:16 char:1
    + $standardOut = $StartProcInfo.StandardOutput.ReadToEnd()
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull




    Monday, July 29, 2019 6:36 PM
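
A corrected launcher for the scenario in the question, as an added example that is not part of the original post. In test1.ps1 the unquoted `test2.ps1` on the right side of the assignment is parsed as a command, so it runs in the calling session, and the output is read from the `ProcessStartInfo` object (which has no `StandardOutput` property) without redirection being enabled before `Start()`. Assumptions: `$scriptPath` is a hypothetical location readable by the domain account, and the password is prompted for with `Get-Credential` instead of being stored in the script.

```powershell
# Added example, not the poster's code.
# Hypothetical path: the domain account must be able to read this file.
$scriptPath = 'C:\Scripts\test2.ps1'

# Prompt for the password; the user name is the one used in the question (UPN form).
$credential = Get-Credential -UserName 'admin@mydomain' -Message 'Account allowed to create GPOs'

$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName  = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
# Arguments must be a quoted string; an unquoted script name is executed
# in the current session and only its output would be assigned here.
$psi.Arguments = "-NoProfile -NonInteractive -File `"$scriptPath`""
$psi.UserName  = $credential.UserName   # user@domain, so Domain stays unset
$psi.Password  = $credential.Password   # SecureString
$psi.UseShellExecute  = $false          # required for alternate credentials and redirection
$psi.CreateNoWindow   = $true
# The caller's profile directory is usually not accessible to the other account.
$psi.WorkingDirectory = $env:SystemRoot
# Redirection flags only take effect if set before Start().
$psi.RedirectStandardOutput = $true
$psi.RedirectStandardError  = $true

$process = New-Object System.Diagnostics.Process
$process.StartInfo = $psi
[void]$process.Start()

# The streams belong to the Process object. Reading stderr asynchronously
# avoids a deadlock when the child fills both pipes.
$stderrTask = $process.StandardError.ReadToEndAsync()
$standardOut = $process.StandardOutput.ReadToEnd()
$process.WaitForExit()
$standardErr = $stderrTask.Result

# Output of test2.ps1, now produced under the domain account.
"Exit code: $($process.ExitCode)"
$standardOut
if ($standardErr) { Write-Warning $standardErr }
```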