
I am trying to come up with a script to automate the fix for the common issue in domain environments, "the trust relationship error", for my help-desk employees, so that they can just run the script with the required variables.

Options: using PowerShell or PsExec; it should accept user input for a naive user.

Looking at PowerShell, a simple line may fix the issue after some Google research: "Test-ComputerSecureChannel -Repair", which does not require a reboot either.

Challenges in PowerShell, per my simple knowledge: remote command execution should be enabled on the remote machine, which is not an option.

> PsExec is not available by default (Windows 7 / Citrix employees).

Computer name: SAWD456335355 (should be a variable, user input). Local admin: Administrator. Local password: variable, differs from computer to computer (should be user input as well, and must accept special characters).

=================================

Privileged admin level 1 account for the pop-up

While trying to change the local computer using TeamViewer, a pop-up will ask for domain credentials. For instance, the user name would be something like admingroup1 and the password for the privileged admin would be password@123 (for example).

kuku blr
  • Found this on Google: https://github.com/adbertram/Random-PowerShell-Work/blob/master/ActiveDirectory/Rejoin-Computer.ps1. It needs to be adapted to work in my environment and accept user input. https://mcpmag.com/articles/2015/03/05/rejoin-a-computer-from-a-domain.aspx – kuku blr Jul 21 '16 at 18:37
  • Hi, what is your question? Please show us some code you have written and need to fix. You can edit your question to add more information. – sodawillow Jul 21 '16 at 18:51
  • @sodawillow, I need your kind help on what structure or idea to use to do this. – kuku blr Jul 21 '16 at 19:27

1 Answer

There are three ways you could fix this.

  1. What you are actually asking for: repair the secure channel. You will most likely need a local admin account (local because the trust relationship is broken) and a combination of PsExec and PowerShell remoting.

    <# Get help desk operator input #>
    $Computer       = Read-Host "Enter computer name"
    $AdminAccount   = Read-Host "Enter local admin account"
    $SecurePassword = Read-Host "Enter local admin password" -AsSecureString

    <# Create a plain-text copy of the password (PsExec needs it on its command line) and a credential object.
       The local account is qualified with the computer name: an unqualified name makes NTLM send the
       helpdesk machine's domain, which the target cannot verify while its trust is broken. #>
    $BSTR             = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
    $UnsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)   # zero and release the unmanaged copy
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "$Computer\$AdminAccount", $SecurePassword

    <# Enable PS remoting on the target. The UNC prefix is \\ (one backslash was lost in the post).
       PsExec is run without -d so it waits for Enable-PSRemoting to finish; otherwise the
       Invoke-Command below can run before WinRM is listening. #>
    Psexec.exe \\$Computer -u "$Computer\$AdminAccount" -p $UnsecurePassword -h powershell.exe "Enable-PSRemoting -Force"

    <# Repair the secure channel #>
    Invoke-Command -ComputerName $Computer -Credential $Credential -ScriptBlock { Test-ComputerSecureChannel -Repair }

  2. Set the domain to NOT reset domain computer accounts. This is probably not recommended in most environments.

  3. In my environment I found the best solution was to prevent an automatic system restore (probably after a power outage or similar) to a restore point that is older than the computer password, as discussed here: https://support.microsoft.com/en-us/kb/295049

My solution was to run a scheduled task to delete system restore points that are older than the current computer password.

 # $PasswordLastSet (when the computer account password was last changed) and
 # Delete-ComputerRestorePoints are defined in the write-up linked below; neither is a built-in cmdlet.
 Get-ComputerRestorePoint |
     Where-Object { $_.ConvertToDateTime($_.CreationTime) -lt $PasswordLastSet } |
     Delete-ComputerRestorePoints

If no system restore points are left the script creates a new one. A detailed write up can be found here: http://blog.buktenica.com/issues-with-domain-membership-after-system-restore/

Glen Buktenica
  • It's not an option currently to remove the old restore points; we have plenty of machines that connect over VPN only, and it would be a tragedy for them. I still appreciate your input and will definitely work on it for the long term, but as of now I'm still looking for options within PowerShell or PsExec. – kuku blr Jul 22 '16 at 19:38
  • I really appreciate your effort, and will definitely look at the second and third options for the long run. Looking at the combination of PsExec and PowerShell: we have applied the local admin and password. Do I need to run the script using my helpdesk privileged account from the helpdesk machines? Should PsExec be present on the affected computer? What would be the final script? Thank you. – kuku blr Jul 24 '16 at 12:19
  • More stupid questions to add: should PsExec be present in the same helpdesk operator profile, or can I call it from a shared directory? I feel it would be more secure if it were not available on their machines. Any risk impact if I enable PowerShell remoting? Can it be disabled once the command executes successfully? – kuku blr Jul 24 '16 at 12:26
  • PsExec needs to be available to the helpdesk operator and computer, but it can be on a remote share. The only security benefit I could see is if the remote share had execute but not copy permissions, but this is of very limited benefit as it is a publicly available binary. The account that is used will need remote PowerShell rights and will need to have logged on to the computer previously OR be a local account, as the secure channel to the domain is broken. I have remote PowerShell enabled on all of my client computers. No advantage to disabling it, as any local admin can re-enable it with PsExec. – Glen Buktenica Jul 25 '16 at 01:36
  • It seems it cannot work; PsExec fails to connect, and I have no clue why!! – kuku blr Aug 02 '16 at 19:09
  • Are you running PsExec with a local admin account? A domain account with local admin will not work as the trust is broken. – Glen Buktenica Aug 03 '16 at 02:05
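A fuller version of option 1, as an added example that is not code from the thread or from either participant. It folds in the points raised in the comments above: the local account is qualified with the computer name (a domain account will not work while the trust is broken), PsExec is called from a share (the path `\\fileserver\tools\PsExec.exe` is assumed), the target is added to the helpdesk machine's TrustedHosts for the NTLM hop and removed again afterwards, and an optional privileged domain account can be supplied for the repair when the machine cannot reset its own password. `Test-ComputerSecureChannel -Credential` and `Enable-PSRemoting -SkipNetworkProfileCheck` only exist in PowerShell 3.0+, so both are probed for before use.

```powershell
<#
  Added example, not from the original thread. Repairs a broken secure channel
  on a remote domain member for a helpdesk operator: PsExec switches on WinRM,
  then PowerShell remoting runs Test-ComputerSecureChannel -Repair.

  Assumptions (not stated on the page):
    - PsExec.exe is reachable at $PsExecPath (a share or any local copy).
    - This runs in an elevated PowerShell on a helpdesk machine whose own WinRM
      service is running (required for the WSMan: drive / TrustedHosts edit).
    - The local account is the built-in Administrator, or another local admin
      with LocalAccountTokenFilterPolicy=1; otherwise UAC strips the remote token.
#>
param(
    [string]$PsExecPath = '\\fileserver\tools\PsExec.exe'   # assumed location
)

$Computer     = Read-Host 'Target computer name (e.g. SAWD456335355)'
$AdminAccount = Read-Host 'Local admin account on the target (e.g. Administrator)'
# Qualify with the computer name: an unqualified user makes NTLM send the
# helpdesk machine's domain, which the target cannot verify with a broken trust.
$LocalCred    = Get-Credential "$Computer\$AdminAccount"
# Optional domain account allowed to reset computer passwords (Cancel to skip).
# Only used if the machine cannot repair itself with its current/previous password.
$DomainCred   = Get-Credential

if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
    throw "$Computer is not reachable"
}

# 1. Enable remoting through PsExec (needs SMB/445 and the admin$ share). Without
#    -d PsExec waits for the remote process, so WinRM is up before step 2 runs and
#    $LASTEXITCODE carries the remote exit code. -SkipNetworkProfileCheck matters
#    because a machine with a broken trust often classes its network as Public.
$remoteSetup = @'
$p = (Get-Command Enable-PSRemoting).Parameters
if ($p.ContainsKey('SkipNetworkProfileCheck')) { Enable-PSRemoting -Force -SkipNetworkProfileCheck }
else { Enable-PSRemoting -Force }
'@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($remoteSetup))
# PsExec needs the password in clear text on its command line: it is visible to
# anyone who can list processes on the helpdesk machine while PsExec runs, and a
# password containing a double quote is mangled by Windows PowerShell's
# native-argument quoting. Rotate such a password before using this script.
$plain = $LocalCred.GetNetworkCredential().Password
& $PsExecPath -accepteula "\\$Computer" -u "$Computer\$AdminAccount" -p $plain -h `
    powershell.exe -NoProfile -EncodedCommand $encoded
$plain = $null
if ($LASTEXITCODE -ne 0) { throw "PsExec/Enable-PSRemoting failed with exit code $LASTEXITCODE" }

# 2. NTLM to a host Kerberos cannot vouch for requires the target to be in the
#    client's TrustedHosts (or HTTPS). Add it only for the duration of the fix.
$thPath     = 'WSMan:\localhost\Client\TrustedHosts'
$oldTrusted = (Get-Item $thPath).Value
Set-Item $thPath -Value $Computer -Concatenate -Force
try {
    $result = Invoke-Command -ComputerName $Computer -Credential $LocalCred `
        -Authentication Negotiate -ArgumentList @($DomainCred) -ScriptBlock {
        param($DomainCred)
        $before = [bool](Test-ComputerSecureChannel)
        if (-not $before) {
            $hasCred = (Get-Command Test-ComputerSecureChannel).Parameters.ContainsKey('Credential')
            if ($DomainCred -and $hasCred) { Test-ComputerSecureChannel -Repair -Credential $DomainCred | Out-Null }
            else                           { Test-ComputerSecureChannel -Repair | Out-Null }
        }
        New-Object PSObject -Property @{
            Computer      = $env:COMPUTERNAME
            HealthyBefore = $before
            HealthyAfter  = [bool](Test-ComputerSecureChannel)
        }
    }
}
finally {
    # Put TrustedHosts back exactly as it was.
    Set-Item $thPath -Value $oldTrusted -Force
}

$result | Format-List Computer, HealthyBefore, HealthyAfter
if (-not $result.HealthyAfter) {
    Write-Warning 'Repair failed. Re-run with a domain account that may reset computer passwords, or rejoin the machine.'
}
```

Run it from an elevated PowerShell on the helpdesk machine; the operator is prompted for the computer name, the local admin password (entered into a credential dialog, so special characters are fine) and, optionally, the privileged domain account. Remoting is left enabled on the target, as the answer notes, since any local admin could re-enable it with PsExec anyway.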