[NoBrainer] Set Credentials on ADSI WinNT Provider operations with PowerShell

Here is a quick post as a reminder, because I tend to forget this myself and the documentation on the Internet does not point you to the solution right away. When you use the ADSI provider in PowerShell (for example WinNT) and want to perform the operation with credentials other than those of the currently logged-on user, set the username and password on the base object (the same object on which you invoke the actual ADSI method):

PS > $Domain = "myDomain";
PS > $Group = "myGroup";
PS > $Username = "myUser";
PS > [Adsi].FullName
System.DirectoryServices.DirectoryEntry
PS > $Cred = Import-CliXml ".\Credential.xml";
PS > $de = [ADSI] ("WinNT://{0}/{1},group" -f $Domain, $Group);
PS > $de;
distinguishedName :
Path              : WinNT://myDomain/myGroup,group
PS > $de.GetType();
IsPublic IsSerial Name           BaseType
-------- -------- ----           --------
True     False    DirectoryEntry System.ComponentModel.Component
PS > $de.PsBase.Username = "{0}\{1}" -f $Domain, $Cred.Username;
PS > $de.PsBase.Password = $Cred.GetNetworkCredential().Password;
PS > $de.PsBase.Invoke("Add", ([ADSI] ("WinNT://{0}/{1}" -f $Domain, $Username)).PsBase.Path);

As the [ADSI] type accelerator resolves to System.DirectoryServices.DirectoryEntry, you can easily look up the class on MSDN to get more information about its members and properties. You can also check this Scripting Guy article on how to use ADSI and the PSBase property.
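
The same operation wrapped in a reusable function, as an added example that is not part of the original post: it passes the credentials to the DirectoryEntry constructor instead of setting PsBase.Username and PsBase.Password afterwards, and disposes the entry when done. The function name Add-WinNTGroupMember and its parameters are hypothetical; the domain, group, user and file names are the sample values used above.

```powershell
# Added example. Add-WinNTGroupMember is a hypothetical helper, not an existing cmdlet.
function Add-WinNTGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $Member,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $groupPath  = "WinNT://{0}/{1},group" -f $Domain, $Group
    $memberPath = "WinNT://{0}/{1}" -f $Domain, $Member

    # Qualify the account name unless the credential already carries
    # a domain part (DOMAIN\user or user@domain).
    $user = $Credential.UserName
    if ($user -notmatch '[\\@]') { $user = "{0}\{1}" -f $Domain, $user }

    # DirectoryEntry(path, username, password) sets the alternate credentials
    # before the entry is used. The API only accepts a plain string, so the
    # password is materialised here and not stored in a script variable.
    $de = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        $groupPath, $user, $Credential.GetNetworkCredential().Password)
    try {
        if ($PSCmdlet.ShouldProcess($groupPath, "Add member $memberPath")) {
            [void] $de.PsBase.Invoke("Add", $memberPath)
        }
    }
    finally {
        # Release the underlying ADSI object together with the entry.
        $de.PsBase.Dispose()
    }
}

# One-time setup (interactive). On Windows, Export-Clixml protects the password
# with DPAPI, so the file can only be read back by the same user on the same machine:
#   Get-Credential | Export-Clixml ".\Credential.xml"

$Cred = Import-Clixml ".\Credential.xml"

# Dry run first; remove -WhatIf to perform the change.
Add-WinNTGroupMember -Domain "myDomain" -Group "myGroup" -Member "myUser" -Credential $Cred -WhatIf
```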

Comments

  1. Drew Chapin says:

    I get “Property ‘Username’ cannot be found on this object; make sure it exists and is settable.”

    • Ronald Rink says:

      Hi Drew, sorry for the late reply! I just checked the example and it seems I missed some brackets while posting to WordPress. I updated it and it seems to run now.
      Essentially you have to enclose the expression in brackets to get back the correct object:
      $de = [ADSI] ("WinNT://{0}/{1},group" -f $Domain, $Group);

      I now also added some extra output so you can verify you get the correct objects returned (compare to your output).
      Regards, Ronald

      • Drew Chapin says:

        Thanks! That seems to work now. However, it seems I have a new problem. I get the error “Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again”. This will happen during echoing “$de” (line 8 of your example), or if I try to invoke any member of “$de” such as “SetPassword”. Running “net use”, there is no existing connection shown. Any ideas?

      • Ronald Rink says:

        I have not had that issue before.
        Here is my setup for cross checking: When I used that script/approach I had a service account on a machine that was part of a Windows 2008 AD domain with local administrative permissions on the Windows machine (but not on the domain, but with special permissions on the OU where I wanted to add the users to the group).
        I had no other connections to the domain open (as far as I know/can remember).

        Maybe you can double check by specifying the IP address or a DNS alias to see if it is the problem as described here https://support.microsoft.com/en-us/kb/938120/.

  2. Mike says:

    This doesn't work :(

    Can you provide a screenshot rather than random commands hit at the command line? It looks messy and is unreadable.

    • Ronald Rink says:

      Hi Mike, what exactly does not work? Do you get some error message that you could share?

      Regards, Ronald
