Hello All
Can someone please help me with the following issue please.
Ultimate goal:
Reset a Local User's password on a Workgroup computer (not joined to the domain) remotely. Assuming the workgroup computer does not have PowerShell installed.
All the following script examples I am running from a Domain Joined computer called Windows7X64CL1 (i.e. remotely from the Computer I am targeting).
With the above in mind, the following works with no issues when the target computer is joined to the domain.
The Computer is called W7-LC2
The Local user on this computer is called Bert
$Flags = [System.Reflection.BindingFlags]::InvokeMethod
$Att = @("NewPassword55!")
$user = [adsi]"WinNT://W7-LC2/Bert,User"
$user = $user.NativeObject
$user.gettype().InvokeMember('setPassword',$Flags,$null,$user,$Att)
No Worries so far
I think I have half an idea of what the following issue boils down to but need some help and advice please :)
Next I remove the computer from the domain and place it in a workgroup on its own called WORKGROUP.
If I now do the following, this also works (e.g. I can list Properties of the user on the workgroup computer).
The Computer is called W7-LC2
The Local user on this computer is called Bert
Local User with Administrator rights is called Fred
$Flags = [System.Reflection.BindingFlags]::InvokeMethod
$Att = @("NewPassword55!")
$Auth = [System.DirectoryServices.AuthenticationTypes]::Delegation
$ArgList = @("WinNT://W7-LC2/Bert,user",'W7-LC2\Fred','198465a',$Auth)
$UserAccount = $null
$UserAccount = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $ArgList
$UserAccount.psbase.properties.Description
So the above will give me the user's description. If I change the user's description on the target workgroup computer and run again from my source computer, it works again, e.g. I get the new description of the user.
Now I know ADSI will put such information in the local property cache each time I go get the info (as I nulled out the account variable).
The problem is when I then try to invoke a method against the workgroup computer from my source computer, like so:
$Flags = [System.Reflection.BindingFlags]::InvokeMethod
$Att = @("NewPassword55!")
$Auth = [System.DirectoryServices.AuthenticationTypes]::Delegation
$ArgList = @("WinNT://W7-LC2/Bert,user",'W7-LC2\Fred','198465a',$Auth)
$UserAccount = $null
$UserAccount = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $ArgList
$UserAccount.psbase.properties.Description
$user = $UserAccount.NativeObject
$user.GetType().InvokeMember('setPassword',$Flags,$null,$user,$Att)
I get the following exception:
Exception calling "InvokeMember" with "5" argument(s): "Access is denied.
"
At C:\Scripts\PowerShell\Reset Local User Password on Workgroup Computer.ps1:10 char:1
+ $user.GetType().InvokeMember('setPassword',$Flags,$null,$user,$Att)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : UnauthorizedAccessException
OK so that is quite clear.
I think what is happening is I have an Object, and that Object is Local to my source computer (held in RAM on the source computer). Therefore when I try to invoke the method it tries to do this against the target object but using my current credentials (e.g. my domain credentials Ernies-ad\Ernie), as I cannot pass (or at least I did not see a method constructor) the credential for W7-LC2\Fred to
$user.GetType().InvokeMember('setPassword',$Flags,$null,$user,$Att)
hence the access denied, as the target computer is now standalone and no longer in the domain.
I am not sure if my logic above is correct?
Can someone please help me find a way to overcome this issue?
Thanks all in advance
Ernie
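
One way to run the reset in the local administrator's security context, as an added example that is not part of the original post. It assumes, as the reasoning in the post suggests, that the WinNT provider's SetPassword call runs under the caller's logon session rather than the credentials handed to DirectoryEntry, so it first opens an authenticated session to the target's IPC$ share. Reset-WorkgroupLocalPassword and its parameter names are hypothetical.

```powershell
# Added example, not from the original post. Function and parameter names are hypothetical.
function Reset-WorkgroupLocalPassword {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [string] $UserName,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $AdminCredential,
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $NewPassword
    )

    $ipc   = '\\{0}\IPC$' -f $ComputerName
    $admin = $AdminCredential.GetNetworkCredential()
    # Unwrap the SecureString only for the lifetime of this call.
    $plain = (New-Object System.Management.Automation.PSCredential ('unused', $NewPassword)).GetNetworkCredential().Password

    # Assumption: an authenticated session to IPC$ is reused by the SAM calls that
    # SetPassword makes against the same host. net.exe receives the password as an
    # argument, so it is visible in the local process list while net.exe runs.
    # This fails if a session to the host already exists under other credentials.
    $null = & net.exe use $ipc $admin.Password "/user:$($AdminCredential.UserName)" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "Could not open an authenticated session to $ipc (net use exit code $LASTEXITCODE)."
    }

    try {
        # Bind without explicit credentials: the call rides on the session opened above.
        $entry = New-Object System.DirectoryServices.DirectoryEntry ("WinNT://$ComputerName/$UserName,user")
        $entry.psbase.Invoke('SetPassword', $plain)
        $entry.psbase.Dispose()
    }
    finally {
        # Always tear the session down so the admin logon does not linger.
        $null = & net.exe use $ipc /delete /y 2>&1
        $plain = $null
    }
}

# Prompt for both secrets instead of storing them in the script file.
$adminCred = Get-Credential -Credential 'W7-LC2\Fred'
$newPass   = Read-Host -Prompt 'New password for Bert' -AsSecureString
Reset-WorkgroupLocalPassword -ComputerName 'W7-LC2' -UserName 'Bert' -AdminCredential $adminCred -NewPassword $newPass
```

If Fred is a member of Administrators but not the built-in Administrator account, remote UAC token filtering on the workgroup computer can still return "Access is denied" for this call.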