Raz*_*anu 4 powershell active-directory remote
设想:
在 Azure VM 本地执行时,成功将机器添加到 AD,然后重新启动。
$DomainName = "test.local"
$AdminUserName = "sysadmin"
$Password = <mypass>
$SecurePassword = ConvertTo-SecureString $Password -asplaintext -force
$Credential = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $AdminUserName, $SecurePassword
$Credential
Add-Computer -DomainName $DomainName -Credential $Credential -Restart -Passthru -Verbose
题:
使用相同的变量,但现在在我的机器上运行脚本,以另一个 Azure VM 作为目标,通过远程 Powershell:
$ScriptBlockContent = {
Param ($Arg1,$Arg2)
Add-Computer -DomainName $Arg1 -Credential $Arg2 -Restart -Passthru -Verbose}
$Session = New-PSSession -ConnectionUri $Uri -Credential $Credential
Invoke-Command -Session $Session -ScriptBlock $ScriptBlockContent -ArgumentList ($DomainName,$Credential)
这在远程执行时失败。为什么 ?
PS C:\> Invoke-Command -Session $Session -ScriptBlock $ScriptBlockContent -ArgumentList $DomainName, $Credential
VERBOSE: Performing the operation "Join in domain 'test.local'" on target "testvm2".
Computer 'rzlab1sql1' failed to join domain 'test.local' from its current workgroup 'WORKGROUP' with following error
message: Unable to update the password. The value provided as the current password is incorrect.
+ CategoryInfo : OperationStopped: (testvm2:String) [Add-Computer], InvalidOperationException
+ FullyQualifiedErrorId : FailToJoinDomainFromWorkgroup,Microsoft.PowerShell.Commands.AddComputerCommand
+ PSComputerName : mylab.cloudapp.net
然而,一些更基本的,没有参数的,远程运行没有问题,所以我的 $Uri,$Credential 和一般语法看起来没问题,会话启动并运行我的代码:
$Path = "C:\"
$Attribute = "d"
$ScriptBlockContent = {
Param ($Arg1,$Arg2)
Get-ChildItem -Path $Arg1 -Attributes $Arg2}
$Session = New-PSSession -ConnectionUri $Uri -Credential $Credential
Invoke-Command -Session $Session -ScriptBlock $ScriptBlockContent -ArgumentList $Path, $Attribute
Invoke-Command 和我存储凭据的方式有问题吗?完成此操作的任何其他选项(从 PS 脚本向域添加新 VM)?
解决方案
使用test.local\sysadmin而不是sysadmin用户连接到 AD。
$DomainName = "test.local"
$AdminUserName = "sysadmin"
$DomainUserName = $DomainName+"\"+$AdminUserName
$Password = <mypass>
$SecurePassword = ConvertTo-SecureString $Password -asplaintext -force
$Credential = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist ($AdminUserName, $SecurePassword)
$DomainCredential = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist ($DomainUserName, $SecurePassword)
$ScriptBlockContent = {
Param ($Arg1,$Arg2)
Add-Computer -DomainName $Arg1 -Credential $Arg2 -Restart -Passthru -Verbose}
$Session = New-PSSession -ConnectionUri $Uri -Credential $Credential
Invoke-Command -Session $Session -ScriptBlock $ScriptBlockContent -ArgumentList ($DomainName, $DomainCredential)
另一种解决方案(不太安全)是将纯文本用户和密码发送到远程会话,并在那里创建凭据:
$ScriptBlockContent = {
Param ($Arg1,$Arg2,$Arg3,$Arg4)
Add-Computer -ComputerName $Arg4 -DomainName $Arg1 -Credential (New-Object -Typename System.Management.Automation.PSCredential -Argumentlist ($Arg1+"\"+$Arg2), (ConvertTo-SecureString $Arg3 -asplaintext -force)) -Restart -Passthru -Verbose}
$Session = New-PSSession -ConnectionUri $Uri -Credential $Credential
Invoke-Command -Session $Session -ScriptBlock $ScriptBlockContent -ArgumentList ($DomainName,$AdminUserName,$Password,$VMName)
我认为问题可能出在您使用ConvertTo-SecureString. 默认情况下,该 cmdlet 使用特定于当前主机的加密密钥(我认为),除非您提供带有-Key参数的显式加密密钥。在远程端,它需要使用它没有的相同加密密钥来解密字符串(因为主机密钥不同)。
首先,我会尝试将明文用户名和密码作为另一个参数传递给调用,并在脚本块中创建凭据。这至少会证明这是否真的是你的问题。
*编辑:这是ConvertTo-SecureString文档的链接
| 归档时间: |
|
| 查看次数: |
5427 次 |
| 最近记录: |