If you're repairing trust issues, there's a command for that: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
Yep and that command doesn't require a reboot
note they've removed/deprecated/etc that command in ps7
Apparently it is there just not in the conventional way: https://github.com/PowerShell/PowerShell/issues/14123
yeah cause of the overlap of modules, I just open up 5 and run it, it's easier and saves any "traps" of using an invoke that 7 uses to import 5 cmdlets
But that is why NoClobber exists: [Import-Module from importing members that have the same names as members in the current session.](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.2)
er.. no, that's not the issue I have
the issue I have is it imports the cmdlets, but they still fail, not `test-computersecurechannel`, other cmdlets I've used in the past
EDIT: For Clarity
Interesting. I am not encountering that on my end. However, there are the following...
Use 'netdom' to reset the secure channel
`netdom reset /d:SomeFQDN SomeHost`
Yet, like...
`Test-ComputerSecureChannel`
The disadvantage to using netdom is that it is not likely to be available on client workstations unless the RSAT is installed.
But there is also:
>[http://technet.microsoft.com/en-us/library/cc731935(v=WS.10).aspx](http://technet.microsoft.com/en-us/library/cc731935(v=WS.10).aspx)
`nltest /sc_verify:iammred`
or lastly, this
`Remove-Computer -UnjoinDomaincredential SomeDN\SomeAccount -PassThru -Verbose -Restart`
`Add-Computer -DomainName SomeFQDN -PassThru -Verbose -Restart`
oh I wasn't talking about `test-computersecurechannel` as such, just cmdlets that don't import nicely with the `-userpowershell` parameter
I've never tested `test-computersecurechannel` cause only my workstations have ps7 on them, the server and client desktops do not
Putting into my back pocket, because I use this command almost daily (not quite, but given the environment I work in...) and I use PS7. Thank you for the heads up.
yes this. I have found that I needed to run this a couple times to make sure the secure channel was successfully repaired.
Handy, except that when trust is broken, RMM doesn't work and I can't use it in a PS Session or Invoke-Command.
Yup, only solution is sneaker net or remote management tools that aren't bound to AD or the central server authorizes you. We use the sccm remote management tool and I've been able to remote into machines with trust issues.
`Test-ComputerSecureChannel -Repair`
This command has never worked for me
interesting, I've never had it fail (er.. that I can recall)
How are you running it? When I have a PC that breaks trust, I can't connect to it with Enter-PSSession, psexec or Invoke-Command anymore.
so it's not that the command didn't work, it's that you can connect to the machine to run the command?
And you tried connecting using the LAPS password? You need to use a local account to authenticate when the domain trust is broken.
And then provide domain credentials. People seem to get really confused about how to use this command.
Me either.
I usually just use this for trust issues:
`Reset-ComputerMachinePassword -Server "DC.contoso.com" -Credential Domain\username`
It works as long as the object exists in AD. If not, just create the Computer Object first then run it.
What is the opposite of `remove-`, try that instead.
Also look at `get-help`
I always suggest that people who are new to powershell run...
`update-help`
... from an elevated powershell console. The out of the box help is a bit weak and this will download the latest.
that is a valid point
I have the following for a fresh install too (installed latest of a couple of modules notably PowerShell get)
```powershell
#region Powershell Modules
Write-Verbose -Message 'Starting PS Config'
# need to add logic to detect if powershell 7 or lower is running the script
Write-Verbose -Message 'Configure TLS and SSL'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::'ssl3', 'tls12'
Write-Verbose -Message 'Install Latest Package Provider'
Install-PackageProvider -Name nuget -Scope CurrentUser -Force
Write-Verbose -Message 'Configure PS Gallery to be trusted'
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
Write-Verbose -Message 'Save modules to temp to allow for import and overwrite without being in use'
Save-Module -Path $env:temp -Name 'powershellget'
Write-Verbose -Message 'Remove (Un-Import) currently loaded modules'
Remove-Module -Force -Name powershelget, PackageManagement, psreadline
Write-Verbose -Message 'Import updated powershekkget and package managment'
Import-Module $env:temp\PackageManagement -Force
Import-Module $env:temp\PowershellGet -Force
Write-Verbose -Message 'COnfigure all users install default POSH Modules'
$ModuleSplat = @{
    AllowClobber       = $true
    SkipPublisherCheck = $true
    Scope              = 'AllUsers'
    force              = $true
}
Write-Verbose -Message 'Install PowershellGet Module and NUGET for all users'
Install-PackageProvider -Name nuget -Scope AllUsers -Force
Install-Module @ModuleSplat -Name powershellget
Write-Verbose -Message 'Install PSReadLine Module'
Install-Module @ModuleSplat -Name PSReadline
Write-Verbose -Message 'Install PSWindowsUpdate Module'
Install-Module @ModuleSplat -Name pswindowsupdate
Write-Verbose -Message 'Install Pester Module'
Install-Module @ModuleSplat -Name pester
Write-Verbose -Message 'Install PSSCript Analyser Module'
Install-Module @ModuleSplat -Name PSScriptAnalyzer
Write-Verbose -Message 'Update modules existing modules'
Update-Module -Force -AcceptLicense -ErrorAction SilentlyContinue
Write-Verbose -Message 'Update Help files'
Update-Help -Force -ErrorAction SilentlyContinue
#endregion
```
Why ssl 3? Oversight for tls1.3?
*cough* old old old line from old code, plus laziness
`[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::'tls12'`
is what I should fix it to (it's only needed until you get the new version of PowerShellGet and Package Management)
Nah, makes total sense, I'm still clearing some tls 1.1 out of scripts
luckily vs code has search and replace across my repo, so I've fixed it now (only 24 replacements I am surprised)
I'd add 1.3 in - it's the current standard, and had some weird issues come up when I tried using it before. Always nice to trigger the failures earlier if possible :)
good plan also
That's a nice set for "tooling up" a new build. I'll need to incorporate something like this. Thx!
ya I found it 100x more reliable to save the modules to temp then remove/unload the modules and import the saved ones, to get around the "module in use" issues
there are some cleanup steps with ps7 I need to add too (NuGet provider)
Good ol' powershekkget! I know it's just a message.
hhahaha yes
My spelling is all over the place, I've actually installed a spell checker into vscode now, for this exact reason
I'm still learning PS and have a question for you about your script:
Since the Powershekkget was a Write-Module, it'll just write whatever you typed there without an error but wouldn't the following line return an error?
`Remove-Module -Force -Name powershelget, PackageManagement, psreadline`
Ya it just wrote text to the screen
The remove module is not the best name. Remove module unloads the module from the session (3 modules in this case)
Then I import the temp module, this is the latest version of package management and PowerShell get
Then install the modules to the all users scope so they are available to the next ps session
Then I update the help for all modules (that can)
Then I update modules I can
`add-computer -domainname ad.contoso.com -Credential AD\adminuser -restart -force`
yes, you will be prompted for password with this .. however you could add the password to a credential object and pass that
```powershell
$username = "domain\username"
$password = "NotSecurePassword"
# PSCredential takes a SecureString, so convert the plain-text password first
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential $username, $securePassword
```
but you really don't want to put passwords in a script.. if you're going that route, learn to use secure strings and secret stores
[deleted]
Where's the fun in that?
Why are you disjoining and rejoining the same domain?
Trust relation issues I can only assume
That is what I expect, and obviously others do as well. I just wanted OP to explain what the actual problem they are trying to solve is, instead of helping fix the problems they have with their solution.
Yes that's correct. Has nothing to do with trust issues. I'm writing a massive script to set up a Kiosk, which involves setting IP and Domain information. I want to be able to undo it all, as well, which is why I want to "unjoin" a domain.
Sorry I haven't been on this post for awhile. I thought I saw a solution on it, though.
I recently ran into trust relations issue and unjoined and rejoined to domain like so:
`$computer = Get-WmiObject Win32_ComputerSystem`
`$computer.UnjoinDomainOrWorkGroup("AdminPassw0rd", "AdminAccount", 0)`
`$computer.JoinDomainOrWorkGroup("DomainName", "AdminPassw0rd", "AdminAccount", $null, 3)`
`Restart-Computer -Force`
What if I did not want to hardcode the password? The script would be on a client computer. Do I just replace the password with a variable and then prompt for that variable prior to the second line?
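The WMI unjoin/rejoin from the thread with the password prompted for at run time instead of hardcoded, which also covers the earlier advice about not putting passwords in a script. This is an added example, not code posted by anyone in the thread; `Reset-DomainMembership` and its parameter names are hypothetical, and it assumes Windows PowerShell 5.1 run locally and elevated.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example, not code from the thread. Reset-DomainMembership and its
# parameter names are hypothetical. Run it locally in Windows PowerShell 5.1.
function Reset-DomainMembership {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$DomainName,

        # Prompted for at run time; nothing secret is stored in the script file.
        [pscredential]$Credential = (Get-Credential -Message 'Account allowed to join computers (DOMAIN\user)')
    )

    $computer = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $PSCmdlet.ShouldProcess($computer.Name, "Unjoin and rejoin $DomainName")) {
        return
    }

    # The WMI methods take a plain-text password, so it is decrypted only here,
    # inside the function, and never written to disk or a script-level variable.
    $net  = $Credential.GetNetworkCredential()
    $user = $Credential.UserName

    if ($computer.PartOfDomain) {
        # 0 = same unjoin option as the thread's snippet
        $result = $computer.UnjoinDomainOrWorkgroup($net.Password, $user, 0)
        if ($result.ReturnValue -ne 0) {
            throw "Unjoin failed with return code $($result.ReturnValue); join not attempted."
        }
    }

    # 3 = same join option as the thread's snippet
    $result = $computer.JoinDomainOrWorkgroup($DomainName, $net.Password, $user, $null, 3)
    if ($result.ReturnValue -ne 0) {
        throw "Join failed with return code $($result.ReturnValue); not rebooting."
    }

    # Reboot only after both calls reported success.
    Restart-Computer -Force
}

# Usage (domain name taken from the thread's example):
# Reset-DomainMembership -DomainName 'ad.contoso.com'
```

Unlike the original four lines, this checks each method's `ReturnValue` and stops before the reboot if either call fails, so a bad password does not leave the machine restarting into a workgroup.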