Edit Administrators local group of a remote PC

  • Question

  • I'm trying to make a script to edit the Administrators local group of an arbitrary remote PC. The user will usually have rights to the remote PC via their current credentials but not always - sometimes the user must supply credentials. I'm able to make the script only prompt for credentials if it fails to connect to the remote PC with the credentials of the running PowerShell session - this feature is a must-have. Unfortunately, this creates an issue when the user's current credentials are for a different forest than the remote PC. I can recreate this behavior outside of the script:

    • If the correct credentials are provided before attempting to use the remote computer then there is no problem. (This proves there is no firewall issue, rights issue, etc.)
    • If using the remote PC is attempted with the current credentials and it fails, then the remote PC can't be used immediately after the correct credentials are provided. It will fail over and over for about 2 minutes before it works. Closing PowerShell and opening it again avoids the 2-minute wait.

    To recreate, first do this knowing that your current ID does not have rights to somepc.somedomain.com on a different forest:

    $sPCtest = 'somepc.somedomain.com' ; # change this string
    Remove-Variable oPCtest, AdminGroupTest 2> $Null
    $oPCtest = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$sPCtest")
    $AdminGroupTest = $oPCtest.psbase.children.find("Administrators")

    I get the error, 'Exception calling "Find" with "1" argument(s): "The network path was not found."' Now do this before about 2 minutes passes:

    $credTest = Get-Credential
    Remove-Variable oPCtest, AdminGroupTest 2> $Null
    $oPCtest = New-Object System.DirectoryServices.DirectoryEntry(
    	"WinNT://$sPCtest", $credTest.UserName, $credTest.GetNetworkCredential().password
    )
    $AdminGroupTest = $oPCtest.psbase.children.find("Administrators")
    

    I get the error, 'Exception calling "Find" with "1" argument(s): "Unspecified error"'. Then skip the 1st variable assignment and repeat the remaining commands. It will eventually work after about 2 minutes.

    I didn't bother with sample code using the $AdminGroupTest object. If PowerShell defines it without an error then it always works afterwards in my experience, e.g. Add and Remove methods.

    Note for testing: If you successfully define the $AdminGroupTest object, then you will have a connection to IPC$ on the remote PC. You should run 'net use "\\$sPCtest" /d' before attempting to start a test over from the beginning.

    So, how can I avoid waiting 2 minutes?

    Tuesday, May 14, 2019 8:22 PM

All replies

  • Download and install the "LocalAccount" module from PowerShellGet.  It has a simple command that does this.


    \_(ツ)_/

    Tuesday, May 14, 2019 9:31 PM
    Moderator
  • "LocalAccount" has Add-LocalGroupMember commandlet? I don't see a use for that as it only manages the local computer, not a remote computer.
    Wednesday, May 15, 2019 2:54 PM
  • How about adding a test to see if C$ is accessible?

    $sPCtest = 'test10b.home' ; # change this string
    
    if ((test-path "\\$sPCtest\c$") -eq $false)
    {
        "Unable to access $sPCtest"
        $credTest = Get-Credential
        Remove-Variable oPCtest, AdminGroupTest 2> $Null
        $oPCtest = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$sPCtest", $credTest.UserName, $credTest.GetNetworkCredential().password)
    }
    else
    {
        "We have admin rights on $sPCtest"
        Remove-Variable oPCtest, AdminGroupTest 2> $Null
        $oPCtest = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$sPCtest")
    }
    $AdminGroupTest = $oPCtest.psbase.children.find("Administrators")
    $AdminGroupTest
    

    Wednesday, May 15, 2019 3:26 PM
  • "LocalAccount" has Add-LocalGroupMember commandlet? I don't see a use for that as it only manages the local computer, not a remote computer.

    Install-Module localaccount

    PS D:\scripts> Add-LocalGroupMember -?
    
    NAME
        Add-LocalGroupMember
    
    SYNOPSIS
        Add a local user to a local group in the Targeted computername
    
    
    SYNTAX
        Add-LocalGroupMember [-GroupName] <String[]> [[-Computername] <String[]>] [-name] <String[]> [<CommonParameters>]
    
    
    DESCRIPTION
        Add a local user to a local group in the Targeted computername
    

    Note that the module has a "Computername" parameter.


    \_(ツ)_/

    Wednesday, May 15, 2019 4:24 PM
    Moderator
  • I fixed it.

    I'm running Net Use "\\$remoteHost\c$" before defining my remote PC object and Net Use "\\$remoteHost\c$" /D >$Null 2>&1 before quitting to clean up.

    I'm relieved because adding support for the module to a script looks like a ton of work: Check to see if the module exists. If not, prompt to run as Administrator. Prompt for proxy credentials. Install the module and clobber any existing commandlets (scary.)

    Wednesday, May 15, 2019 6:25 PM
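
The order of operations reported in the fix above (open the SMB session with net use, bind the WinNT object, delete the session on exit), wrapped so the cleanup always runs. This is an added example, not the poster's script; the function name Invoke-WithRemoteAdminGroup and its parameters are hypothetical, and it assumes an interactive console in which net.exe asks for a user name and password itself when the current logon is refused.

```powershell
# Added example, not the poster's script. Invoke-WithRemoteAdminGroup,
# $RemoteHost and $Action are hypothetical names.
function Invoke-WithRemoteAdminGroup {
    param(
        [Parameter(Mandatory)][string]$RemoteHost,
        [Parameter(Mandatory)][scriptblock]$Action
    )

    $share = "\\$RemoteHost\c$"

    # Open the SMB session first, as the fix above does. Assumption: in an
    # interactive console net.exe tries the current logon and prompts for a
    # user name and password itself if that is refused, so the password is
    # never placed on a command line or held in a script variable.
    net use $share
    if ($LASTEXITCODE -ne 0) {
        throw "net use $share failed with exit code $LASTEXITCODE"
    }

    try {
        # Bind only after the session exists; this is the order the post
        # above reports as working without the 2-minute wait.
        $pc    = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$RemoteHost")
        $group = $pc.psbase.Children.Find('Administrators')
        & $Action $group
    }
    finally {
        # Drop the administrative session even if the bind or action throws,
        # so it does not linger in this logon session after the script ends.
        net use $share /delete > $null 2>&1
    }
}

# Constructed usage: list the ADsPath of each current member of the group.
Invoke-WithRemoteAdminGroup -RemoteHost 'somepc.somedomain.com' -Action {
    param($group)
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}
```

The finally block also deletes a connection to the same share that existed before the call, so a caller that needs to keep one should check for it first.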
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee



    Just do it.

    Monday, May 20, 2019 6:56 AM
    Moderator