I am trying to come up with a script to automate the fix for a common issue in a domain environment, "the trust relationship error", so that a help-desk employee can run the script with the required variables.
Options: using PowerShell or PsExec; it should accept user input from a naive user.
Looking at PowerShell, a simple line may fix the issue, after Google research: "Test-ComputerSecureChannel -Repair", which does not require a reboot.
Challenges in PowerShell, per my simple knowledge: remote command execution should be enabled on the remote machine, which is not an option.
> PsExec is not available by default on Windows 7 / Citrix for the employee.
Computer name: sawd456335355 (should be a variable - user input). Local admin: administrator. Local password: variable, differs from computer to computer (should be user input and accept special characters).
=================================
Privileged admin level 1 account pop-up
While trying to change the local computer using TeamViewer, a pop-up asks for domain credentials, for instance: user name, something like admingroup1; password of the privileged admin: password@123 < example
There are 3 ways to fix this.
What you are asking for, repairing the secure channel. You need a local admin account (local because the trust relationship is broken), and a combination of PsExec and PowerShell remoting.
<# Desk operator input #>
$computer = Read-Host "Enter computer name"
$adminaccount = Read-Host "Enter local admin account"
$securepassword = Read-Host "Enter local admin password" -AsSecureString
<# Create plain text password object and credential object #>
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securepassword)
$unsecurepassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminaccount, $securepassword
<# Enable PS remoting (the plain text password is passed on the PsExec command line) #>
psexec.exe \\$computer -u $adminaccount -p $unsecurepassword -h -d powershell.exe "Enable-PSRemoting -Force"
<# Repair secure channel #>
Invoke-Command -ComputerName $computer -Credential $credential -ScriptBlock { Test-ComputerSecureChannel -Repair }
Set the domain to not reset domain computer accounts. Not recommended in environments.
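Added example, not part of the answer above: a variant of the repair script that validates the operator's computer-name input, uses PsExec only when WinRM is not answering yet, and checks the secure channel before repairing it. The function names are hypothetical; it assumes psexec.exe is on the PATH and that the operator's machine can authenticate to the target with a local account over WinRM (TrustedHosts entry or HTTPS).

```powershell
# Added example; Test-ComputerNameInput and Repair-RemoteSecureChannel are hypothetical names.
function Test-ComputerNameInput {
    param([string]$Name)
    # NetBIOS computer names: 1-15 characters, letters, digits and hyphen only.
    # Rejecting anything else keeps stray input out of the psexec.exe arguments.
    return $Name -match '^[A-Za-z0-9-]{1,15}$'
}

function Repair-RemoteSecureChannel {
    param(
        [Parameter(Mandatory = $true)][string]$Computer,
        [Parameter(Mandatory = $true)][pscredential]$LocalAdmin
    )
    if (-not (Test-ComputerNameInput -Name $Computer)) {
        throw "Rejected computer name '$Computer'"
    }

    # Fall back to PsExec only when WinRM does not answer an identify request.
    if (-not (Test-WSMan -ComputerName $Computer -ErrorAction SilentlyContinue)) {
        $user = $LocalAdmin.UserName
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($LocalAdmin.Password)
        try {
            # The password is still visible on the local psexec.exe command line
            # while it runs; this only shortens how long the script itself holds it.
            $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
            # No -d here, so Enable-PSRemoting finishes before Invoke-Command starts.
            & psexec.exe "\\$Computer" -u $user -p $plain -h powershell.exe -Command "Enable-PSRemoting -Force"
        }
        finally {
            # Zero and free the unmanaged copy; the managed string is only
            # dereferenced and lingers until it is garbage collected.
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
            Remove-Variable -Name plain -ErrorAction SilentlyContinue
        }
    }

    # Report the channel state before and after, repairing only if it was broken.
    Invoke-Command -ComputerName $Computer -Credential $LocalAdmin -ScriptBlock {
        $before = Test-ComputerSecureChannel
        $after  = if ($before) { $true } else { Test-ComputerSecureChannel -Repair }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            HealthyBefore = $before
            HealthyAfter  = $after
        }
    }
}

# Usage: Repair-RemoteSecureChannel -Computer (Read-Host "Enter computer name") -LocalAdmin (Get-Credential)
```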
In my environment I found the best solution is to prevent an automatic system restore (probably after a power outage or similar) to an older computer password, as discussed here: https://support.microsoft.com/en-us/kb/295049
My solution is to run a scheduled task to delete system restore points older than the current computer password.
# $PasswordLastSet and Delete-ComputerRestorePoints are not defined in this snippet
Get-ComputerRestorePoint | `
    Where-Object {$_.ConvertToDateTime($_.CreationTime) -lt $PasswordLastSet} | `
    Delete-ComputerRestorePoints
If there are no system restore points left, the script creates a new one. A detailed write-up can be found here: http://blog.buktenica.com/issues-with-domain-membership-after-system-restore/