Sorry if this is in the wrong community but it seemed the best.

My organization is trying to automate the commands that it has done manually before (Indexing computer storage, etc.). However, we use smart cards instead of standard username/password.

I am trying to pass Get-Credential to Get-ADComputer so we can use our smart cards without directly remoting in (that way we can just run the script and forget about it). Unfortunately, it is not working.

Our smart cards have two logins (one admin, one regular). Could that be the issue? Get-Credential opens up twice asking for a login, but after entering the credentials twice, you get the standard "The server has rejected the client credentials" error.

The code I currently have is here (just used to discover computers):

```powershell
$password = Get-credential

Get-ADComputer -Credential "$password"  -Filter 'Name -like "DESK*"' -Properties IPv4Address | FT Name,IPv4Address -A
```

Qiangong2
  • Smart cards are for interactive logons. Why would those credentials be required if they are already logged on and presumably authenticated? – Greg Askew Jul 08 '20 at 16:35
  • @GregAskew We don't allow administrators to log in to the desktops directly, only as regular users. They need to authenticate themselves when they connect to the server – Qiangong2 Jul 08 '20 at 17:54
  • You may want to try `runas /netonly /user:domain\adminusername`. cmd.exe should prompt for credentials and select the credentials in the correct smart card slot. Then run powershell from that cmd prompt. Or use the hack here: https://github.com/bongiovimatthew-microsoft/pscredentialWithCert/issues/1 – Greg Askew Jul 08 '20 at 18:50
  • Ordinary users have Read access to AD. Get-ADComputer can be run from a standard user account on a PC with the AD Powershell module installed. – A J Wilson Jul 09 '20 at 09:54
  • @AJWilson Yes, but we will be using the script to automatically back up certain folders to our local server. That's why we need the smart card login – Qiangong2 Jul 10 '20 at 15:13
  • If you don't allow the administrators to log into the desktop computer, then you shouldn't be exposing those administrator credentials using PowerShell on the desktop computer. If you're looking for automation, consider using the Windows task scheduler to run your scripts. Either as the SYSTEM account or a domain service account. – twconnell Jul 10 '20 at 22:52
  • If you're backing up folders to a central server, you seem to be doing it backwards. Create a domain account with permissions to read the target locations and write to the destination location. Configure it in Task Scheduler on the destination server (with run as batch permission on the server) to copy the files from the target machines. – LeeM Jul 13 '20 at 08:21
  • I think the question needs editing to explain your workflow fully. Does the credential prompt open multiple times when you run the script line by line? If so, when? – A J Wilson Jul 13 '20 at 15:07
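
Added example, not part of the original thread: in the question's code `-Credential "$password"` passes a string rather than the PSCredential object, and Get-ADComputer treats a string as a user name and prompts for a password, which accounts for the second prompt. The helper names, the `EXAMPLE\admin.placeholder` account and the password below are constructed assumptions; the sketch covers only the argument type, not whether the server accepts the smart-card logon.

```powershell
# Constructed placeholder credential so this runs without a prompt or a domain.
$secure = ConvertTo-SecureString 'placeholder-not-a-real-secret' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential('EXAMPLE\admin.placeholder', $secure)

# Hypothetical helper: reports what a value passed to -Credential really is.
function Get-CredentialArgumentKind {
    param([Parameter(Mandatory)] [object] $Value)
    if ($Value -is [System.Management.Automation.PSCredential]) {
        return 'PSCredential object: passed through, no further prompt'
    }
    if ($Value -is [string]) {
        return "String '$Value': taken as a user name, the cmdlet prompts for a password"
    }
    return "Unsupported type: $($Value.GetType().FullName)"
}

# Quoting expands the object via ToString(), which yields only its type name.
Get-CredentialArgumentKind -Value "$cred"   # quoted, as in the question
Get-CredentialArgumentKind -Value $cred     # unquoted object

# Hypothetical wrapper: the typed parameter keeps a stringified credential
# from reaching Get-ADComputer; the query itself is the one from the question.
function Get-DeskComputer {
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential] $Credential,
        [string] $NamePattern = 'DESK*'
    )
    $query = @{
        Credential = $Credential
        Filter     = "Name -like '$NamePattern'"
        Properties = 'IPv4Address'
    }
    Get-ADComputer @query | Select-Object Name, IPv4Address
}

# Query the directory only where the ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-DeskComputer -Credential (Get-Credential) | Format-Table -AutoSize
}
```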
