How can I pass the rename-computer credential in a powershell script (.ps1)?

All replies

  • Please read the following link carefully: An image of code is not helpful

    Also carefully read the following: How to ask questions in a technical forum


    \_(ツ)_/

    Thursday, July 18, 2019 9:22 AM
    Moderator
  • You will also need to read the full help for the command that you are trying to use:

    help rename-computer -online

    The examples will help you understand how to use the command.


    \_(ツ)_/

    Thursday, July 18, 2019 9:24 AM
    Moderator
  • Hi,

    Rename-Computer won't work as expected as it accepts only a user name; if the user has the permission to rename the computer then it will proceed, else it will error out. Hence you can use:

    Rename-Computer -NewName <something> -DomainCredential domain\administrator -Force

    Renaming the computer using WMI:

    # Encrypt the password with AES-256 (32-byte key). Can be used on any machine.
    $File256 = "AESPwd256.txt"
    [Byte[]] $key = (1..32)
    $AESPwd256 = 'Passw0rd@123' | ConvertTo-SecureString -AsPlainText -Force
    $AESPwd256 | ConvertFrom-SecureString -Key $key | Out-File $File256
    
    # Save the above file along with your script: $path\password.bin
    
    # Set new name for the computer
    $NewName = 'newname'
    
    # Set User Name
    $UserName = 'Domain\Administrator'
    
    # Now import the password in your script (same key as above)
    [Byte[]] $key = (1..32)
    $Password = Get-Content $File256 | ConvertTo-SecureString -Key $key
    
    # Rename the computer using WMI. Rename() takes the password as a plain
    # string, so unwrap the SecureString first.
    $PlainPassword = (New-Object System.Net.NetworkCredential('', $Password)).Password
    (Get-WmiObject Win32_ComputerSystem).Rename($NewName, $PlainPassword, $UserName)


    Thanks, Rajiv Iyer






    • Proposed as answer by Rajiv IR Thursday, July 18, 2019 12:46 PM
    • Edited by Rajiv IR Thursday, July 18, 2019 1:19 PM
    • Marked as answer by 2019_315 Wednesday, August 21, 2019 6:02 PM
    Thursday, July 18, 2019 12:42 PM
  • Not very secure if "key" is part of the script. No point in encrypting if you tell everyone the key.

    The code also does not answer the original issue.


    \_(ツ)_/

    Thursday, July 18, 2019 4:17 PM
    Moderator
  • Hi jrv,

    I'm sorry that I didn't notice the way I asked the question, which would be unfavorable for solving my problem.

    I'll pay attention to these details later. 

    I am a powershell noob and learning.

    I had read the help rename-computer -online, but didn't solve it.


    • Edited by 2019_315 Friday, July 19, 2019 1:40 AM
    Friday, July 19, 2019 1:23 AM
  • Hi jrv,

    I'm sorry that I didn't notice the way I asked the question, which would be unfavorable for solving my problem.

    I'll pay attention to these details later. 

    I am a power shell noob and learning.

    I had read the help rename-computer -online, but didn't solve it.

    Please edit your original post and use the code posting tool to post your code.  This has nothing to do with not knowing PowerShell.  It has to do with learning how to ask questions in these technical forums.

    This can be helpful: How to ask questions in a technical forum

    How to post code in Technet Forums


    \_(ツ)_/


    Friday, July 19, 2019 1:36 AM
    Moderator
  • Hi Rajiv IR,

    I have run the below script to save my password.bin to my $path\password.bin:

    $path="\\sc\cont"
    [Byte[]] $key = (1..32)
    $AESPwd256 = '123.com' | ConvertTo-SecureString -AsPlainText -Force
    $AESPwd256 | ConvertFrom-SecureString -key $key | Out-File $path\password.bin 

    And then run the below script on my clients:

    # $number = Computer Serial_NO.last 7 bits
    # $path = One shared folder in my site server
    $newname="CN-D"+$number
    $oldname=(Get-CimInstance -ClassName Win32_ComputerSystem).Name
    $user="sc\joindomain"
    [Byte[]] $key = (1..32)
    $password = Get-Content $path\password.bin | ConvertTo-SecureString -key $key
    if($oldname -ne $newname){
        (Get-WmiObject win32_computersystem).Rename( $newname,$password,$user)
    }

    When testing manually on the client side, there are the following tips


    I've tried to restart and re-join the domain, but it's not helpful.

    Do you have any ideas?

    Friday, July 19, 2019 1:39 AM
  • Not very secure if "key" is part of the script. No point in encrypting if you tell everyone the key.

    The code also does not answer the original issue.


    \_(ツ)_/

    Hi jrv,

    I am still a little confused:

    The key is encrypted and stored in a share accessible only to a specific account, so why is it still insecure?


    Friday, July 19, 2019 2:04 AM
  • See this for the error code returned.

    https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/joindomainorworkgroup-method-in-class-win32-computersystem


    \_(ツ)_/

    Hi jrv,

    Thank you.

    I will read it carefully.

    Friday, July 19, 2019 2:04 AM
  • [Written in Chinese:] Very interesting. We can arrange for you or not use this forum. Maybe this will help


    \_(ツ)_/

    Friday, July 19, 2019 2:06 AM
    Moderator
  • Not very secure if "key" is part of the script. No point in encrypting if you tell everyone the key.

    The code also does not answer the original issue.


    \_(ツ)_/

    Hi jrv,

    I am still a little confused:

    The key is encrypted and stored in a share accessible only to a specific account, so why is it still insecure?


    The key is NOT encrypted.  It is in the PS1 file.

    # Now Import the Password in your script
    [Byte[]]$key = (1..32)
    $Password = Get-Content $File256 | ConvertTo-SecureString -key $key

    See the key is in the script.  It is also a key that anyone can guess.  You cannot make the key visible.  This is why we never store admin credentials.

    To secure this just grant the user running it permissions in AD to rename the computer object.  By default all users have "domain join" permission.  You can let them unjoin, rename, rejoin their own workstations.



    \_(ツ)_/

    Friday, July 19, 2019 2:10 AM
    Moderator
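
Added example (not part of the thread and not any poster's code): an audit helper that flags scripts carrying a SecureString key literal like the `(1..32)` key discussed above, followed by a way to hand `Rename-Computer -DomainCredential` a credential without any key in the script. The function name, file paths and the computer name `CN-D0000000` are placeholders chosen for illustration, and the sample scripts are constructed.

```powershell
# Added example, not from the thread. Paths, file names and the computer name are placeholders.

function Find-EmbeddedSecureStringKey {
    # Flag scripts that define a byte-array key literal and also pass -Key/-SecureKey
    # to ConvertTo-/ConvertFrom-SecureString, as the script in this thread does.
    param([Parameter(Mandatory)][string] $Root)
    $keyLiteral = '\[\s*byte\s*\[\s*\]\s*\]\s*\$\w+\s*=\s*[\(@\d]'
    $keyUse     = 'Convert(To|From)-SecureString\b.*\s-(Key|SecureKey)\b'
    Get-ChildItem -Path $Root -Recurse -File -Include *.ps1, *.psm1 | ForEach-Object {
        $text = Get-Content -LiteralPath $_.FullName -Raw
        if ($text -match $keyLiteral -and $text -match $keyUse) {
            [pscustomobject]@{ Script = $_.Name; Finding = 'SecureString key literal stored in script' }
        }
    }
}

# Constructed sample scripts so the audit can be run offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'securestring-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
[Byte[]] $key = (1..32)
$Password = Get-Content password.bin | ConvertTo-SecureString -key $key
'@ | Set-Content (Join-Path $demo 'rename-static-key.ps1')
@'
$cred = Import-Clixml "$env:LOCALAPPDATA\rename-cred.xml"
'@ | Set-Content (Join-Path $demo 'rename-dpapi.ps1')
Find-EmbeddedSecureStringKey -Root $demo

# Passing a credential to Rename-Computer without a key in the script: prompt once,
# then Export-Clixml stores the password DPAPI-protected for this user on this
# machine (Windows). -WhatIf previews the rename; remove it to apply.
$credFile = Join-Path $env:LOCALAPPDATA 'rename-cred.xml'
if (-not (Test-Path $credFile)) {
    Get-Credential -Message 'Account delegated to rename this computer' |
        Export-Clixml -Path $credFile
}
$cred = Import-Clixml -Path $credFile
Rename-Computer -NewName 'CN-D0000000' -DomainCredential $cred -Force -WhatIf
```

The DPAPI-protected file can only be read back by the same account on the same machine, so it cannot be copied to a share for other clients. For that case, delegating the rename right in AD as described in the post above avoids storing a password at all.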
  • Thank you for fixing the original post.


    \_(ツ)_/

    Friday, July 19, 2019 2:40 AM
    Moderator
  • Hi jrv,

    So sorry.

    Please forgive my poor English. 
    So sometimes I need the help of Google tool bar.
    Obviously, it just translated my post into Chinese automatically.

    Could you speak Chinese? I saw you write Chinese above?


    Friday, July 19, 2019 2:52 AM
  • I Googled the Chinese.  I hoped it would get your attention.

    [Written in Chinese:] Have a nice day.


    \_(ツ)_/

    Friday, July 19, 2019 2:56 AM
    Moderator
  • Hi,

    Pardon me for noticing this a bit late. Since you're renaming a computer I see that you're using Domain Administrator credentials. Normally, when we rename a computer, we first disjoin the computer from the domain, rename the computer and join it back to the domain.

    What say you...


    Thanks, Rajiv Iyer

    Friday, July 19, 2019 6:13 AM
  • Hi,

    Pardon me for noticing this a bit late. Since you're renaming a computer I see that you're using Domain Administrator credentials. Normally, when we rename a computer, we first disjoin the computer from the domain, rename the computer and join it back to the domain.

    What say you...


    Thanks, Rajiv Iyer

    That is the preferred method and it does not require a domain admin as all users are allowed to join up to 10 computers to the network.  Of course this can be disabled via Group Policy.

    The first requirement is that the user must also be an admin on the local system.


    \_(ツ)_/

    Friday, July 19, 2019 6:22 AM
    Moderator
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Wednesday, July 31, 2019 7:23 AM
    Moderator
  • Hi all,

    Sorry for late mark.

    Thank you for your help.

    Wednesday, August 21, 2019 6:06 PM