#Manage Active Directory Users And Computers Using Windows 10 Creators Edition Using PowerShell Direct Without CredSSP Or “Second-Hop” Issues
#If you connect to a virtual machine using PowerShell Remote then you need to enable CredSSP to avoid “Second-Hop“ or “Multi-Hop” Issues when managing Active Directory objects. CredSSP is always needed when connecting to a physical machine since PowerShell Direct only works when connecting to a virtual machine directly from the host computer.
#PowerShell Direct doesn’t have the “Second-Hop” issue when managing Windows Server 2016 from a Windows 10 Creators Edition virtual machine running Hyper-V. I have enabled the Hyper-V role on Windows 10 Professional and my physical machine is not joined to a domain. The Windows 10 virtual machine will need to be joined to the Active Directory domain you intend to manage without making further “workgroup” related configuration changes.
Enter-PSSession -VMName Win10 -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Direct New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Set-ADOrganizationalUnit –ProtectedFromAccidentalDeletion $false #Unprotect OU=Test for intentional deletion Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Remove-ADOrganizationalUnit -Verbose #Delete OU=Test
#The Longer Story…
#Create a new Organizational Unit in PowerShell Remote using just the computer name
#Without CredSSP
enabled this command fails in PowerShell Remote
Enter-PSSession -ComputerName KERMIT -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Remote New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test
#Create a new Organizational Unit in PowerShell Direct using just the computer name
#Just using OU=Test
as an example to show how this command doesn’t fail in PowerShell Direct like it did in the previous example.
Enter-PSSession -VMName Win10 -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Direct New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test
#Set –ProtectedFromAccidentalDeletion
to $false
on OU=Test
so it can be deleted
#This needs to be done to allow the OU to be deleted.
Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Set-ADOrganizationalUnit –ProtectedFromAccidentalDeletion $false #Unprotect OU=Test for intentional deletion
#Delete OU=Test
from -Server KERMIT
.
#KERMIT
is the NetBIOS computer name of my domain controller and not the domain NetBIOS name. They are different things.
Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Remove-ADOrganizationalUnit -Verbose #Delete OU=Test