
I'm using the following command to reset a remote machine's password.

$user="Domain\domainadmin";
$pass="dapassword" | ConvertTo-SecureString -AsPlainText -Force;
$creds=New-Object System.Management.Automation.PSCredential -ArgumentList $user, $pass;
Invoke-Command -Credential $creds -ComputerName "DomainControllerMachine" -ScriptBlock {
$ComputerName = @"
SomeRemoteHost
"@
Import-Module ActiveDirectory; 
Reset-ComputerMachinePassword -Server ${ComputerName};
}

I keep getting an 'Access is denied' error.

This command cannot be executed on target computer('DomainControllerMachine') due to following error: Access is
 denied.
    + CategoryInfo          : InvalidOperation: (DomainControllerMachine:String) [Reset-ComputerMachinePasswor
   d], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.ResetCompute
   rMachinePasswordCommand

The account I use has all levels of access to the ActiveDirectory. So there won't be an issue with the credentials used for authentication.

If I run the same command on the 'DomainControllerMachine' (logged in as same user) it works fine.

Import-Module ActiveDirectory; 
Reset-ComputerMachinePassword -Server "SomeRemoteHost";

Even the whole invoke-command block above just works without complaining on the DomainControllerMachine. But when I do it remotely through Invoke-Command or Enter-PSSession, I get that dreaded access denied error.

I've also tried using CredSSP after setting up the WSManCredSSP (Client, delegation and Server) on the machines with no luck.

I may have missed something, or is there a better way to handle such a case?

  • Are you doing this from the same machine that you're resetting the account on? Commented Jan 21, 2015 at 14:19
  • Have you tried perhaps storing the invoked commands as a script on the target machine then using invoke to run that script? social.technet.microsoft.com/Forums/en-US/… Commented Jan 21, 2015 at 14:33
  • Run your powershell session in elevated prompt (right click -> Run as Administrator) Commented Jan 21, 2015 at 15:21
  • @mjolinor no, they are different machines Commented Jan 21, 2015 at 15:31
  • @Raf Yeah, I always do. The shell is run as administrator. Commented Jan 21, 2015 at 15:33

1 Answer

It looks to me like you are running the Reset-computermachinepassword command on the domain controller. As far as I know it should be run on the computer that needs to be reset with the DC name in the -server field.

To do this you would need to run the command on the computer that needs its credentials reset:

Reset-Computermachinepassword -server "DomainControllerMachine" -credential $PScredential

You can try to do it remotely with a PSsession if the computer has powershell remoting enabled. You will need to specify a different authentication method to reach a computer that has lost its trust with the domain.

You can use Credssp but this will only work if your GPO allows delegating your credentials to the target computer. Or you can use Basic authentication. But for that to work the Target must accept unencrypted traffic.

The command to do it remotely would probably look something like this:

$session = new-PSSession "targetcomputer" -Authentication Basic -Credential  "Domain\domainadmin"
Invoke-Command -Session $session -scriptblock {Reset-Computermachinepassword -server "Domain\domainadmin"}

1 Comment

Close. I get Cannot validate argument on parameter 'Session'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again. I also replaced your -server "Domain\domainadmin" with -server "myserver.domain.com", but that's all I did. But it was a good answer in that it explained you can't run the command on the DC and expect it to update the affected server without doing the hocus-pocus.
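
An added example (not from the answer or its author) of the approach described above: open a session to the computer that needs the reset and run Reset-ComputerMachinePassword there, naming the DC in -Server. It assumes Windows PowerShell 3.0 or later with remoting enabled on the target; the function name `Reset-RemoteMachinePassword` is hypothetical, and the host names in the usage lines are the placeholders from the question.

```powershell
function Reset-RemoteMachinePassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TargetComputer,    # machine that needs the reset
        [Parameter(Mandatory)] [string] $DomainController,  # DC to reset against
        [Parameter(Mandatory)] [pscredential] $Credential,  # prompted for, not hardcoded
        [ValidateSet('Credssp', 'Basic')] [string] $Authentication = 'Credssp',
        [switch] $UseSSL  # with Basic, use an HTTPS listener instead of unencrypted traffic
    )

    $sessionArgs = @{
        ComputerName   = $TargetComputer
        Credential     = $Credential
        Authentication = $Authentication
        UseSSL         = $UseSSL
        ErrorAction    = 'Stop'  # a failed connection stops here; no empty $session is passed on
    }
    $session = New-PSSession @sessionArgs

    try {
        Invoke-Command -Session $session -ArgumentList $DomainController, $Credential -ScriptBlock {
            param($dc, $cred)
            # This block runs ON the target computer, not on the DC.
            $before = Test-ComputerSecureChannel
            # Explicit -Credential: the reset does not rely on the session's logon token.
            Reset-ComputerMachinePassword -Server $dc -Credential $cred -ErrorAction Stop
            [pscustomobject]@{
                Computer            = $env:COMPUTERNAME
                SecureChannelBefore = $before
                SecureChannelAfter  = Test-ComputerSecureChannel
            }
        }
    }
    finally {
        # Always close the session, including when the reset throws.
        Remove-PSSession -Session $session
    }
}

# Usage (placeholder host names from the question):
$cred = Get-Credential -Message 'Account allowed to reset the machine password'
Reset-RemoteMachinePassword -TargetComputer 'SomeRemoteHost' `
    -DomainController 'DomainControllerMachine' -Credential $cred
```

Prompting with Get-Credential keeps the domain admin password out of the script text and out of source control.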
