# Manage Active Directory Users And Computers Using Windows 10 in PowerShell Direct Without CredSSP Or “Second-Hop” Issues

When connecting to a virtual machine using PowerShell Remoting, enabling CredSSP (Credential Security Support Provider) is essential to avoid “Second-Hop” or “Multi-Hop” issues when managing Active Directory objects. CredSSP is particularly necessary when connecting to physical machines, as PowerShell Direct only functions when connecting directly from the host computer to a virtual machine.

PowerShell Direct does not encounter the “Second-Hop” problem when managing Windows Server 2016 from a Windows 10 virtual machine running Hyper-V. Since I have enabled the Hyper-V role on my Windows 10 Professional system and my physical machine is not part of a domain, the Windows 10 virtual machine must be joined to the Active Directory domain that I intend to manage. This setup avoids additional configuration changes related to workgroup settings.

```powershell
# Connect to a Windows 10 Creators Edition virtual machine using PowerShell Direct
Enter-PSSession -VMName Win10 -Credential DOMAIN\administrator

# Create a new OU called Test
New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose

# Unprotect OU=Test for intentional deletion
Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com' | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false

# Delete OU=Test
Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com' | Remove-ADOrganizationalUnit -Verbose
```

# The Longer Story…

# Create a new Organizational Unit in PowerShell Remote using just the computer name

Without CredSSP enabled, this command fails in PowerShell Remote, which is initiated by using `-ComputerName` with `Enter-PSSession`.

```powershell
# Connect to a Windows 10 Creators Edition virtual machine using PowerShell Remote
Enter-PSSession -ComputerName KERMIT -Credential DOMAIN\administrator

# Create a new OU called Test
New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose
```

# Create a new Organizational Unit in PowerShell Direct using just the virtual machine name

Just using `OU=Test` as an example to show how this command doesn’t fail in PowerShell Direct using `-VMName` like it did in the previous example using `-ComputerName`.

```powershell
# Connect to a Windows 10 Creators Edition virtual machine using PowerShell Direct
Enter-PSSession -VMName Win10 -Credential DOMAIN\administrator

# Create a new OU called Test
New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose
```

# Set `-ProtectedFromAccidentalDeletion` to `$false` on `OU=Test` so it can be deleted

This needs to be done to allow the OU to be deleted.

```powershell
# Unprotect OU=Test for intentional deletion
Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com' | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
```

# Delete `OU=Test` from `-Server KERMIT`

`KERMIT` is the NetBIOS computer name of my domain controller and not the domain NetBIOS name. They are different things.

```powershell
# Delete OU=Test
Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com' | Remove-ADOrganizationalUnit -Verbose
```
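
The same create, unprotect and delete cycle as a single non-interactive PowerShell Direct call; this is an added example, not code from the original post. It assumes the VM has the ActiveDirectory (RSAT) module installed; the variable names, the pre-existence guard and the `Get-ADDomain` lookup of the domain DN are additions, while `Win10`, `KERMIT` and the OU name come from the page.

```powershell
# Added example. Run elevated on the Hyper-V host that owns the VM.
# Assumed: the VM has the ActiveDirectory (RSAT) module installed.
$vmName = 'Win10'     # VM name used on the page
$dc     = 'KERMIT'    # domain controller used on the page
$ouName = 'Test'
$cred   = Get-Credential -Message "Domain account to use inside $vmName"

$work = {
    param($Server, $Name)
    $ErrorActionPreference = 'Stop'    # abort on the first failed step
    Import-Module ActiveDirectory

    # Build the DN from the domain the DC reports instead of hard-coding it.
    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    $ouDn     = "OU=$Name,$domainDn"
    $filter   = "DistinguishedName -eq '$ouDn'"

    # This script deletes what it creates, so never touch a pre-existing OU.
    if (Get-ADOrganizationalUnit -Server $Server -Filter $filter) {
        throw "$ouDn already exists; nothing was created or deleted."
    }

    $ou = New-ADOrganizationalUnit -Server $Server -Name $Name -Path $domainDn `
        -Description 'Administrator Rights' -DisplayName $Name -PassThru

    # New OUs are protected from accidental deletion by default; clear the
    # flag on this one object only, then remove it without prompting.
    Set-ADOrganizationalUnit -Server $Server -Identity $ou -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Server $Server -Identity $ou -Confirm:$false

    [pscustomobject]@{
        RanAs       = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        OU          = $ouDn
        StillExists = [bool](Get-ADOrganizationalUnit -Server $Server -Filter $filter)
    }
}

# -VMName selects PowerShell Direct; no CredSSP setting is changed on either side.
$report = Invoke-Command -VMName $vmName -Credential $cred -ScriptBlock $work `
    -ArgumentList $dc, $ouName -ErrorAction Stop
$report | Format-List RanAs, OU, StillExists
```

`RanAs` shows which account made the directory calls from inside the VM, and `StillExists` confirms whether the test OU was cleaned up.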