Christopher Casey
asked on
PowerShell script receiving The following exception occurred while retrieving member "SetInfo": "Access is denied.
Hello,
When trying to run a powershell script to change a local admin password I receive the following:
The following exception occurred while retrieving member "SetInfo": "Access is denied.
The account I am running the script under had domain admin access so I am a bit lost as to why this is happening..
Thank you for any help!
ASKER
Yes, I am running logged in as domain admin and running PS as "Administrator"
Try running PS as a Different user that you know has Domain Admin privileges.
Can you post the script?
You may need to do this in your script
$SecurePassword = ConvertTo-SecureString 'Pa$$W0rd1' -AsPlainText -Force
ASKER
Ok here is the script:
$path = "C:\scripts\OutputTEST\OutputTEST.csv.gpg"
$fileexists = Test-Path $path
if ($fileexists) {
    Write-Output "Nothing to do, Output directory already exists"
} else {
    New-Item -ItemType directory -Path C:\Scripts\Output\OutputTEST
}
$OldFileName = "C:\scripts\Output\OutputTEST\OutputTEST.csv.gpg"
$OldFileName2 = "C:\scripts\Output\PWLog.txt"
if (Test-Path $OldFileName)
{
    Remove-Item $OldFileName
}
if (Test-Path $OldFileName2)
{
    Remove-Item $OldFileName2
}
Import-Module C:\scripts\PWRandom\GnuPg.psm1 -Force
$computers = Get-Content -path C:\Scripts\PWRandom\serversTEST.txt
$account = "employee"
$month = Get-Date -UFormat %m
$csv_file = "C:\scripts\Output\OutputTEST\OutputTEST.csv"
Set-Content -Path $csv_file -Value '"Server","Password"'
Foreach($computer in $computers)
{
    $Private:OFS=""
    $PasswordLength = 8
    $InclChars = "abcdefghkmnprstuvwxyzABCDEFGHKLMNPRSTUVWXYZ1234567890!@#$%^&*()?"
    $RandomNums = 1..$PasswordLength | ForEach-Object { Get-Random -Maximum $InclChars.length }
    $RNDOM = [String]$InclChars[$RandomNums]
    $m_start = "$month".Substring(0,1)
    $m_end = "$month".Substring(1,1)
    $comp_sub = "$computer".Substring(3,3)
    $password = "$m_start" + "$RNDOM" + "$comp_sub".ToLower() + "$m_end"
    Add-Content -Path $csv_file -Value "$computer,$password"
    $user = [ADSI]"WinNT://$computer/$account,user"
    $user.SetPassword($password)
    $user.SetInfo()
}
# Encrypt File
Add-Encryption -FolderPath C:\scripts\Output\OutputTEST
# Clear directory of all but encrypted file
$FileName = "C:\scripts\Output\OutputTEST\OutputTEST.csv"
$FileName2 = "C:\scripts\Output\OutputTEST\OutputTEST.csv.gpg.*"
if (Test-Path $FileName)
{
    Remove-Item $FileName
}
if (Test-Path $FileName2)
{
    Remove-Item $FileName2
}
# Email DL of Success/Fail
$path = "C:\scripts\Output\OutputTEST\OutputTEST.csv.gpg"
$fileexists = Test-Path $path
if ($fileexists) {
    Send-MailMessage `
        -From `
        -To `
        -Subject "Password Change successful!(Test)" `
        -Body "The password has been successfuly changed." `
        -SmtpServer prcrelay.prcins.net
} else {
    Send-MailMessage `
        -From `
        -To `
        -Subject "Password Change has failed! (Test)" `
        -Body "The password change script has failed,please check for errors and rerun PWRandom from the server again." `
        -SmtpServer
}
Does it have to be Random or are you looking to change all computers local admin password?
ASKER
Yes, the random is necessary, this is changing the password on all the local admin IDs
But you want it to be different on each machine?
Also how are you running this? Are you connecting via Remote PSSESSION?
ASKER
The script reads from a list of servers and performs the action against each server in the list
I do not see anywhere in your script the connection to the remote machines.
You can try this
$password = "$m_start" + "$RNDOM" + "$comp_sub".ToLower() + "$m_end"
############################################################
# This will create a secure string for your password. I do this when creating bulk
# accounts in AD
############################################################
$SecurePassword = ConvertTo-SecureString $password -AsPlainText -Force
############################################################
Add-Content -Path $csv_file -Value "$computer,$password"
$user = [ADSI]"WinNT://$computer/$account,user"
$user.SetPassword($SecurePassword)
$user.SetInfo()
Are you using a netbios name even if the computer is domain joined? Are you using credentials of a user which is local admin?
IMO using LAPS is a better way of doing this.
ASKER
@yo_bee: I will try that and see if that resolves the issue.
@David Johnson: Unfamiliar with LAPS can it change a large list of servers?
Thank you all for the assistance
ASKER
@David Johnson: Thank you for the suggestion, however that's a bit more involved than the project calls on.
Still trying to work through what is causing the error, something changed in the environment. Just not sure as to what.
As I keep on this I will update should I find a solution.
Thank you all! And if anyone has further ideas please let me know.
Just out of curiosity: are you using netbios names? WinNT provider should not work with FQDNs.
Moreover, you have to provide Administrator Credentials. On non joined computers that means using local admin creds
https://msdn.microsoft.com/en-us/library/aa746534(v=vs.85).aspx
Find here an old post which explains the process clearly and concisely
https://blogs.technet.microsoft.com/heyscriptingguy/2009/03/25/hey-scripting-guy-how-can-i-change-the-passwords-of-multiple-local-computer-accounts/
ASKER
@Michelangelo: These servers are joined on the domain. The script is to randomize the local admin PW on the servers. I will look at the articles you posted as well
Roger that. Nevertheless you have to provide netbios names (i.e. mymachine ok, mymachine.dir.domain.com wrong)
I found this link https://4sysops.com/archives/change-the-local-administrator-password-on-multiple-computers-with-powershell/ that looks like it will get you past the issue you are having.
Snippet from the site that should replace your FOREACH loop
foreach ($Computer in $Computers) {
    $Computer = $Computer.toupper()
    $Isonline = "OFFLINE"
    $Status = "SUCCESS"
    Write-Verbose "Working on $Computer"
    if((Test-Connection -ComputerName $Computer -count 1 -ErrorAction 0)) {
        $Isonline = "ONLINE"
        Write-Verbose "`t$Computer is Online"
    } else { Write-Verbose "`t$Computer is OFFLINE" }
    try {
        $account = [ADSI]("WinNT://$Computer/Administrator,user")
        $account.psbase.invoke("setpassword",$pwd1_text)
        Write-Verbose "`tPassword Change completed successfully"
    }
    catch {
        $status = "FAILED"
        Write-Verbose "`tFailed to Change the administrator password. Error: $_"
    }
    $obj = New-Object -TypeName PSObject -Property @{
        ComputerName = $Computer
        IsOnline = $Isonline
        PasswordChangeStatus = $Status
    }
    $obj | Select ComputerName, IsOnline, PasswordChangeStatus
    if($Status -eq "FAILED" -or $Isonline -eq "OFFLINE") {
        $stream.writeline("$Computer `t $isonline `t $status")
    }
}
Yep. It basically changes the method on the change password action. However, I suspect the error is in the format of the pathnames used with the winnt provider for the ADSI accelerator
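Added example, not part of any post in this thread: a per-server loop that combines the points raised above (NetBIOS names for the WinNT provider, the `SetPassword` invocation from the 4sysops snippet, per-host error capture so an "Access is denied" is tied to a specific server) and draws the password from a cryptographic RNG instead of `Get-Random`. `New-RandomPassword`, `$ServerList`, `$Account` and the 20-character length are assumptions for illustration.

```powershell
# Added example. New-RandomPassword, $ServerList and $Account are hypothetical names.
$ServerList = 'C:\Scripts\PWRandom\serversTEST.txt'  # server list path from the thread
$Account    = 'Administrator'                         # assumed local account name

function New-RandomPassword {
    param([int]$Length = 20)
    $chars = 'abcdefghkmnprstuvwxyzABCDEFGHKLMNPRSTUVWXYZ1234567890!@#$%^&*()?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    # Rejection sampling: drop bytes that would bias the modulo reduction.
    $limit = 256 - (256 % $chars.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

$results = foreach ($line in Get-Content -Path $ServerList) {
    $name = $line.Trim()
    if (-not $name) { continue }
    $status = 'SUCCESS'; $detail = ''; $password = $null
    if ($name.Contains('.')) {
        # The WinNT provider is addressed by NetBIOS name in this thread, not by FQDN.
        $status = 'SKIPPED'; $detail = 'FQDN in list; use the NetBIOS name'
    } else {
        try {
            $password = New-RandomPassword
            $user = [ADSI]"WinNT://$name/$Account,user"
            # SetPassword takes the new password as a plain string.
            $user.psbase.Invoke('SetPassword', $password)
        } catch {
            $status = 'FAILED'; $detail = $_.Exception.Message; $password = $null
        }
    }
    New-Object PSObject -Property @{
        Computer = $name; Status = $status; Detail = $detail; Password = $password
    }
}

# Report failures without the Password column; pass successes to the encryption step.
$results | Where-Object { $_.Status -ne 'SUCCESS' } |
    Format-Table Computer, Status, Detail -AutoSize
```

The `Password` property exists only so the successful rows can be handed to the encryption step; keep it out of console output and logs.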
ASKER
@yo_bee: Will give that snippet a shot
@Michelangelo: the list of servers are set to the netbios names (<servername> not <servername.domain.tld>)
Who is employee?
I see $account = "employee"
ASKER
@yo_bee: Typo on the dummy name for the admin account
ASKER
Ok, so in stripping down the script to its core I was able to run successfully. Now when I add the encryption lines back in that's when I get failure.
Import-Module C:\scripts\PWRandom\GnuPg.psm1 -Force
# Encrypt File
Add-Encryption -FolderPath C:\scripts\Output\OutputTEST
# Email DL of Success/Fail
$path = "C:\scripts\Output\OutputMOD\OutputTEST.csv.gpg"
$fileexists = Test-Path $path
if ($fileexists) {
    Send-MailMessage `
        -From email@email.com `
        -To email@email.com `
        -Subject "Password Change successful!(MOD)" `
        -Body "The password has been successfuly changed." `
        -SmtpServer prcrelay.prcins.net
} else {
    Send-MailMessage `
        -From email@email.com `
        -To email@email.com `
        -Subject "Password Change has failed!(MOD)" `
        -Body "The password change script has failed,please check for errors and rerun PWRandom from the server again." `
        -SmtpServer <relay server>
}
Paste the error text
ASKER
The PW script itself works with no issues, the encryption part is not showing an error as much as just not doing anything.
So the issue seems to have shifted.
Right Click run as Administrator or hold Ctrl + Shift while opening.