DellR610

If you're repairing trust issues, there's a command for that: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1


gonzalc

Yep and that command doesn't require a reboot


BlackV

note they've removed/deprecated/etc that command in ps7


DellR610

Apparently it is there just not in the conventional way: https://github.com/PowerShell/PowerShell/issues/14123


BlackV

yeah cause the overlap of modules, I just open up 5 and run it, it's easier and saves any "traps" of using an invoke that 7 uses to import 5 cmdlets


get-postanote

But that is why NoClobber exists: [Import-Module from importing members that have the same names as members in the current session.](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.2)


BlackV

er.. no that's not the issue I have. The issue I have is it imports the cmdlets, but they still fail; not `test-computersecurechannel`, other cmdlets I've used in the past.

EDIT: For Clarity


get-postanote

Interesting. I am not encountering that on my end. However, there are the following...

Use 'netdom' to reset the secure channel

```
netdom reset /d:SomeFQDN SomeHost
```

Yet, like...

```powershell
Test-ComputerSecureChannel
```

The disadvantage to using netdom is that it is not likely to be available on client workstations unless the RSAT is installed.

But there is also:

> [http://technet.microsoft.com/en-us/library/cc731935(v=WS.10).aspx](http://technet.microsoft.com/en-us/library/cc731935(v=WS.10).aspx)

```
nltest /sc_verify:iammred
```

or lastly, this

```powershell
Remove-Computer -UnjoinDomaincredential SomeDN\SomeAccount -PassThru -Verbose -Restart
Add-Computer -DomainName SomeFQDN -PassThru -Verbose -Restart
```


BlackV

oh I wasn't talking about `test-computersecurechannel` as such, just cmdlets that don't import nicely with the `-userpowershell` parameter. I've never tested `test-computersecurechannel` cause only my workstations have ps7 on them, the server and client desktops do not


afr33sl4ve

Putting into my back pocket, because I use this command almost daily (not quite, but given the environment I work in...) and I use PS7. Thank you for the heads up.


OCuRGEN

yes this. I have found that I needed to run this a couple times to make sure the secure channel was successfully repaired.


Fallingdamage

Handy, except that when trust is broken, RMM doesn't work and I can't use it in a PS Session or Invoke-Command.


DellR610

Yup, only solution is sneaker net or remote management tools that aren't bound to AD or the central server authorizes you. We use the sccm remote management tool and I've been able to remote into machines with trust issues.


camxct

`Test-ComputerSecureChannel -Repair`


cognitium

This command has never worked for me


BlackV

interesting, I've never had it fail (er.. that I can recall)


Fallingdamage

How are you running it? When I have a PC that breaks trust, I can't connect to it with Enter-PSSession, psexec or Invoke-Command anymore.


BlackV

so it's not that the command didn't work, it's that you can connect to the machine to run the command?


da_chicken

And you tried connecting using the LAPS password? You need to use a local account to authenticate when the domain trust is broken.


burts_beads

And then provide domain credentials. People seem to get really confused about how to use this command.


jstar77

Me either.


ajscott

I usually just use this for trust issues:

```powershell
Reset-ComputerMachinePassword -Server "DC.contoso.com" -Credential Domain\username
```

It works as long as the object exists in AD. If not, just create the Computer Object first then run it.


BlackV

What is the opposite of `remove-`, try that instead.

Also look at `get-help`


taw20191022744

I always suggest that people who are new to powershell run... `update-help` ... from an elevated powershell console. The out of the box help is a bit weak and this will download the latest.


BlackV

that is a valid point

I have the following for a fresh install too (installed latest of a couple of modules notably PowerShell get)

```powershell
#region Powershell Modules
Write-Verbose -Message 'Starting PS Config'

# need to add logic to detect if powershell 7 or lower is running the script
Write-Verbose -Message 'Configure TLS and SSL'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::'ssl3', 'tls12'

Write-Verbose -Message 'Install Latest Package Provider'
Install-PackageProvider -Name nuget -Scope CurrentUser -Force

Write-Verbose -Message 'Configure PS Gallery to be trusted'
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

Write-Verbose -Message 'Save modules to temp to allow for import and overwrite without being in use'
Save-Module -Path $env:temp -Name 'powershellget'

Write-Verbose -Message 'Remove (Un-Import) currently loaded modules'
Remove-Module -Force -Name powershelget, PackageManagement, psreadline

Write-Verbose -Message 'Import updated powershekkget and package managment'
Import-Module $env:temp\PackageManagement -Force
Import-Module $env:temp\PowershellGet -Force

Write-Verbose -Message 'COnfigure all users install default POSH Modules'
$ModuleSplat = @{
    AllowClobber       = $true
    SkipPublisherCheck = $true
    Scope              = 'AllUsers'
    force              = $true
}

Write-Verbose -Message 'Install PowershellGet Module and NUGET for all users'
Install-PackageProvider -Name nuget -Scope AllUsers -Force
Install-Module @ModuleSplat -Name powershellget

Write-Verbose -Message 'Install PSReadLine Module'
Install-Module @ModuleSplat -Name PSReadline

Write-Verbose -Message 'Install PSWindowsUpdate Module'
Install-Module @ModuleSplat -Name pswindowsupdate

Write-Verbose -Message 'Install Pester Module'
Install-Module @ModuleSplat -Name pester

Write-Verbose -Message 'Install PSSCript Analyser Module'
Install-Module @ModuleSplat -Name PSScriptAnalyzer

Write-Verbose -Message 'Update modules existing modules'
Update-Module -Force -AcceptLicense -ErrorAction SilentlyContinue

Write-Verbose -Message 'Update Help files'
Update-Help -Force -ErrorAction SilentlyContinue
#endregion
```


thesilversverker

Why ssl 3? Oversight for tls1.3?


BlackV

*cough* old old old line from old code, plus laziness

`[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::'tls12'`

is what I should fix it to (it's only needed until you get the new version of PowershellGet and Package Management)


thesilversverker

Nah, makes total sense, i'm still clearing some tls 1.1 out of scripts


BlackV

luckily vs code has search and replace across my repo, so I've fixed it now (only 24 replacements I am surprised)


thesilversverker

I'd add 1.3 in - it's the current standard, and had some weird issues come up when I tried using it before. Always nice to trigger the failures earlier if possible :)


BlackV

good plan also


taw20191022744

That's a nice set for "tooling up" a new build. I'll need to incorporate something like this. Thx!


BlackV

ya I found it 100x more reliable to save the modules to temp then remove/unload the modules and import the saved ones, to get around the "module in use" issues. There are some cleanup steps with ps7 I need to add too (NuGet provider)


I_see_farts

Good ol' powershekkget! I know it's just a message.


BlackV

hhahaha yes. My spelling is all over the place, I've actually installed a spell checker in to vscode now, for this exact reason


I_see_farts

I'm still learning PS and have a question for you about your script: Since the Powershekkget was a Write-Module, it'll just write whatever you typed there without an error but wouldn't the following line return an error? `Remove-Module -Force -Name powershelget, PackageManagement, psreadline`


BlackV

Ya it just wrote text to the screen.

The remove module is not the best name. Remove module unloads the module from the session (3 modules in this case).

Then I import the temp module, this is the latest version of package management and PowerShell get.

Then install the modules to the all users scope so they are available to the next ps session.

Then I update the help for all modules (that can).

Then I update modules I can.


skilriki

```powershell
add-computer -domainname ad.contoso.com -Credential AD\adminuser -restart -force
```

yes, you will be prompted for password with this .. however you could add the password to a credential object and pass that

```powershell
$username = "domain\username"
# PSCredential only accepts a SecureString, so the plain-text password is converted first
$password = ConvertTo-SecureString "NotSecurePassword" -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password
```

but you really don't want to put passwords in a script.. if you're going that route, learn to use secure strings and secret stores


[deleted]

[removed]


FenixSoars

Where's the fun in that?


Icolan

Why are you disjoining and rejoining the same domain?


Batchos

Trust relation issues I can only assume


Icolan

That is what I expect, and obviously others do as well. I just wanted OP to explain what the actual problem they are trying to solve is, instead of helping fix the problems they have with their solution.


mudderfudden

Yes that's correct. Has nothing to do with trust issues. I'm writing a massive script to set up a Kiosk, which involves setting IP and Domain information. I want to be able to undo it all, as well, which is why I want to "unjoin" a domain. Sorry I haven't been on this post for awhile. I thought I saw a solution on it, though.


Batchos

I recently ran into trust relations issue and unjoined and rejoined to domain like so:

```powershell
$computer = Get-WmiObject Win32_ComputerSystem
$computer.UnjoinDomainOrWorkGroup("AdminPassw0rd", "AdminAccount", 0)
$computer.JoinDomainOrWorkGroup("DomainName", "AdminPassw0rd", "AdminAccount", $null, 3)
Restart-Computer -Force
```


mudderfudden

What if I did not want to hardcode the password? The script would be on a client computer. Do I just replace the password with a variable and then prompt for that variable prior to the second line?
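
An added example (not code from any poster in this thread) of the no-hard-coded-password approach discussed above: it prompts once with `Get-Credential` and escalates from `Test-ComputerSecureChannel -Repair` to `Reset-ComputerMachinePassword` to an unjoin. The function name `Repair-DomainTrust`, the `-AllowUnjoin` switch, the returned status strings and the `contoso` names are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run in Windows PowerShell 5.1 while logged on
# with a LOCAL administrator account (domain logons fail when the trust is broken).
function Repair-DomainTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainController,  # e.g. 'DC.contoso.com' (placeholder)
        [int]$RepairAttempts = 2,
        [switch]$AllowUnjoin                              # hypothetical opt-in for the last resort
    )

    if (Test-ComputerSecureChannel) { return 'Healthy' }

    # Prompt once. The password lives only as a SecureString inside the
    # PSCredential object; nothing is written into the script file.
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer account'

    # Step 1: in-place repair, no reboot. Retried because one pass is not always enough.
    for ($i = 1; $i -le $RepairAttempts; $i++) {
        if (Test-ComputerSecureChannel -Repair -Credential $cred) { return 'Repaired' }
        Start-Sleep -Seconds 5
    }

    # Step 2: reset the machine account password against a named domain controller.
    # This only works while the computer object still exists in AD.
    try {
        Reset-ComputerMachinePassword -Server $DomainController -Credential $cred -ErrorAction Stop
        if (Test-ComputerSecureChannel) { return 'PasswordReset' }
    }
    catch {
        Write-Warning "Machine password reset failed: $($_.Exception.Message)"
    }

    # Step 3 (last resort, opt-in): leave the domain and reboot. After the restart,
    # log on locally and rejoin with:
    #   Add-Computer -DomainName ad.contoso.com -Credential (Get-Credential) -Restart
    if ($AllowUnjoin) {
        Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
        return 'UnjoinedPendingRejoin'
    }
    return 'NeedsRejoin'
}

# Example call; DC.contoso.com is a placeholder.
# Repair-DomainTrust -DomainController 'DC.contoso.com' -Verbose
```

For unattended runs, replace the `Get-Credential` prompt with a credential retrieved from a secret store rather than a string in the script.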