1
votes

Short explanation:

We have more than 1000 PCs (Win7+8+10)

On the PCs, I would like to run a script that can remove a Computer Account from a group. (In the code examples below I'm using Get-AdComputer as it gives the same error)

I need to do this without Domain Admin rights.

The PCs do not have RSAT / Admin Tools installed.

First I tried:

$Session = New-PSSession -ComputerName DomainController1
Import-PSSession -Session $Session -Module ActiveDirectory
Get-Adcomputer TestPC

With Domain Admin account, it works just fine.

With a non-Domain Admin account it fails on the first line with:

New-PSSession : [DomainController1] Connecting to remote server DomainController1 failed with the following error message : Access is denied

Then I installed RSAT/Admin tools on a member server and tried to import AD module from that server:

$Session = New-PSSession -ComputerName MemberServer1
Import-PSSession -Session $Session -Module ActiveDirectory
Get-Adcomputer TestPC

The Import of the ActiveDirectory module is fine, with both Domain Admin account and non-Domain Admin account, but I get an error when running the "Get-Adcomputer TestPC" command:

Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
+ CategoryInfo          : ResourceUnavailable: (TestPC:ADComputer) [Get-ADComputer], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
+ PSComputerName        : MemberServer1

I notice the PSComputerName is MemberServer1 now, and not DomainController1.

I guess that's why I get the error: it's trying to perform it on a non-Domain Controller.

Other information:

The "Get-Adcomputer TestPC" works fine with Non-Domain Admin account on a PC where RSAT / Admin tools are installed.

"Exit-PSSession" and "Remove-PSSession Memberserver1" do not help.

So: how can I either:

  1. Import the AD module from a DC, without being Domain Admin?

  2. After importing the AD module from MemberServer, change the "active" computer to be any DC?

  3. Solve my problem in another way?

Thanks

1
You can try to use LDAP instead of the PowerShell ActiveDirectory functions defined in the module on the DC, see here for more info. - DarkLite1

1 Answer

0
votes

Build a remote constrained session on one or more of your DCs.

Create a function for removing a computer from that group, and constrain the session to just being able to run that function. You can use a delegated account if the users don't have permission directly (If you have WMF 5 installed on the DC, you can use a virtual account).

The users can use Enter-PSSession to enter that session and run the function manually, or you can give them a local function that will do it using Invoke-Command directed at that session.
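A worked version of the constrained endpoint described in this answer, added here as an example and not the answerer's own code. It assumes a DC named DC1 (WMF 5), a group called Workstations-Legacy, a delegated account CONTOSO\svc-groupmgr that has only the "Write Members" permission on that group, and that the PCs' users (or computer accounts) are granted Invoke rights on the endpoint:

```powershell
# --- On the DC (run once, as an administrator) -----------------------
# Assumed names: endpoint RemoveFromGroup, group Workstations-Legacy,
# delegated account CONTOSO\svc-groupmgr (Write Members on that group only).
$ConfigPath = "$env:TEMP\RemoveFromGroup.pssc"

New-PSSessionConfigurationFile -Path $ConfigPath `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport ActiveDirectory `
    -VisibleFunctions 'Remove-ComputerFromLegacyGroup' `
    -FunctionDefinitions @{
        Name        = 'Remove-ComputerFromLegacyGroup'
        ScriptBlock = {
            param(
                [Parameter(Mandatory)]
                [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]   # a NetBIOS name, nothing else
                [string]$ComputerName
            )
            # The group is fixed inside the endpoint; callers cannot choose it.
            $computer = Get-ADComputer -Identity $ComputerName
            Remove-ADGroupMember -Identity 'Workstations-Legacy' -Members $computer -Confirm:$false
            "Removed $($computer.Name) from Workstations-Legacy"
        }
    }

# Run the endpoint as the delegated account, so the caller needs no AD rights.
# A virtual account (-RunAsVirtualAccount in the .pssc) would also work on WMF 5,
# but on a DC it is a Domain Admin unless -RunAsVirtualAccountGroups narrows it.
$RunAs = Get-Credential -UserName 'CONTOSO\svc-groupmgr' -Message 'Delegated account'
Register-PSSessionConfiguration -Name RemoveFromGroup -Path $ConfigPath `
    -RunAsCredential $RunAs -Force

# Grant Invoke on the endpoint to the domain group whose members run the script.
Set-PSSessionConfiguration -Name RemoveFromGroup -ShowSecurityDescriptorUI

# --- On a PC (no RSAT, no Domain Admin) -------------------------------
# Implicit remoting gives the caller a local proxy for the one visible function.
$Session = New-PSSession -ComputerName DC1 -ConfigurationName RemoveFromGroup
Import-PSSession -Session $Session -CommandName Remove-ComputerFromLegacyGroup | Out-Null
Remove-ComputerFromLegacyGroup -ComputerName $env:COMPUTERNAME
Remove-PSSession $Session
```

Because the session type is RestrictedRemoteServer, the caller only sees Remove-ComputerFromLegacyGroup plus a handful of session cmdlets; Get-ADComputer and Remove-ADGroupMember are reachable only through that function, and the DC's WinRM operational log records who invoked it.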