Description

Overview

Where does the command / script run

The command / script in the custom PowerShell activity runs on the local MID server, under the MID server service account, not on the Target host.

For example, the command hostname always returns the hostname of the MID server, and whoami always returns the MID server service account.

Before the command / script runs, the MID server tests the active Windows credentials one by one against the target host, using the credential test method.

By default, the test method is a WMI query, so the credential picked is the first one that has WMI query permission on the target host.

If the remote target is a domain controller, it makes more sense to change the test method to an AD query instead.

The credential test then picks the credential that can perform an AD query on port 389 of the target host, and that credential does not need permission to run WMI queries against the target host.

Check the (Tip 2) section below for more details.

The first Windows credential that passes the test method is stored in the $cred variable.

You have to pass -Credential $cred explicitly in your command; otherwise the command runs as the MID server service account.

The value of the "Target host" field is stored in the PowerShell variable $computer, which can be used in the command / script.


Sample Script 1

In the command below, $computer comes from the value of the "Target host" field, and $cred is the Windows credential that passed the credential test:

gwmi Win32_OperatingSystem -ComputerName $computer -Credential $cred


Sample Script 2

Add-ADGroupMember -Identity "testgroup" -Members "testuser"    # runs as the MID server service account and is likely to fail with "Insufficient access rights to perform the operation"

Add-ADGroupMember -Identity "testgroup" -Members "testuser" -Credential $cred    # runs using the Windows credential that passed the credential test


Tip 1

In certain situations a credential should be picked without invoking the credential test method; in that case, set Target host to 127.0.0.1.

If Target host is set to 127.0.0.1, no credential test is carried out, and the Windows credential with the lowest order is used.

You can combine this with credential tagging to choose the credential you need (the chosen credential is again stored in the variable $cred).

(Credential tag is renamed to credential alias from the Kingston release.)


Tip 2

If the Target host is a domain controller, you can create a PowerShell variable

( Activity Designer > Execution Command > Powershell variables )

with Name set to "credType" and value set to "AD".

This way the credential test method will be an AD query against the Target host.


For other credType options, please check here.


To run a command / script on remote host

If you want to execute a command on a remote server, PowerShell remoting has to be used.

For example, if you have a batch script at c:\temp\test.bat on the server server01.lab01.com, you can do the following:

Update the Target host field to server01.lab01.com

In Command, type in:
# Open a remoting session to the Target host using the credential that passed the credential test
$s = New-PSSession -ComputerName $computer -Credential $cred
# Run the batch file inside that session, i.e. on the Target host rather than on the MID server
Invoke-Command -Session $s -ScriptBlock { c:\temp\test.bat }
# Close the session so it does not linger on the Target host
Remove-PSSession -Session $s

(As the Target host above is an FQDN instead of an IP, it's recommended that a cmdb_ci_dns_name record is created for this FQDN.)
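The following is an added example, not code from the original article. It assumes the custom PowerShell activity has populated $computer and $cred as described above, and shows how to confirm that a script block really ran on the Target host under $cred rather than on the MID server as its service account, while refusing to run at all when no credential passed the test:

```powershell
# Added example (not from the original article). Assumes $computer (Target host) and
# $cred (the credential that passed the credential test) are set by the activity.

# Without -Credential the work would silently run on the MID server as its service
# account, so stop early if no credential passed the test.
if (-not $cred) {
    throw "No Windows credential passed the credential test for '$computer'."
}

# Where the activity itself runs: always the MID server, as its service account.
$localHost = $env:COMPUTERNAME
$localUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$session = $null
try {
    $session = New-PSSession -ComputerName $computer -Credential $cred -ErrorAction Stop

    # Everything inside the script block executes on the Target host under $cred.
    $remote = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
        [pscustomobject]@{
            Host     = $env:COMPUTERNAME
            User     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            LastBoot = $os.LastBootUpTime
        }
    }

    # Make a misrouted command visible in the activity output (expected only when
    # Target host is 127.0.0.1, see Tip 1).
    if ($remote.Host -eq $localHost) {
        Write-Warning "Script block ran on the MID server ($localHost), not on '$computer'."
    }

    # Return both contexts side by side so the activity output shows who ran what where.
    [pscustomobject]@{
        MidServerHost  = $localHost
        MidServerUser  = $localUser
        TargetHost     = $remote.Host
        TargetUser     = $remote.User
        TargetLastBoot = $remote.LastBoot
    } | ConvertTo-Json
}
finally {
    # Always tear the session down so nothing lingers on the Target host.
    if ($session) { Remove-PSSession -Session $session }
}
```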

Article Information

Last Updated:2019-08-12 14:27:40
Published:2019-08-06