Issues with PowerShell Credentials not passing through
I made an exit (offboarding) script that is supposed to run automatically. The script works fine except for one part: the credential object created at the beginning is not executed inside one of the functions.
It still takes the credentials and connects to Exchange Online PowerShell, but for some reason, when the script goes on to disable the MSOL account, remove licenses, etc., it stops and asks for credentials; this makes no sense, since the service account logs in and connects and the session imports.
Here is the code:
# A plaintext password in the script hands the service account to anyone who can read
# the file; store the credential DPAPI-protected (Export-Clixml/Import-Clixml) or in a
# secrets store and pass -Credential explicitly to every cmdlet that accepts it.
$username = "serviceaccountit@company.com"
$password = 'somepassword'
$secureStringPwd = $password | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secureStringPwd
###############################################################
Set-ExecutionPolicy RemoteSigned -Force
# Basic authentication to outlook.office365.com has since been retired by Microsoft;
# the modern replacement is Connect-ExchangeOnline (ExchangeOnlineManagement module).
# -ErrorAction Stop makes an authentication failure abort the script instead of
# letting later cmdlets fall back to an interactive prompt.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $creds -Authentication Basic -AllowRedirection -ErrorAction Stop
Import-PSSession $Session -DisableNameChecking | Out-Null
Connect-MsolService -Credential $creds -ErrorAction Stop
Import-Module ActiveDirectory
########################################################################
# The CSV is expected to hold a single row with a SamAccountName column.
$Exit = Import-Csv 'C:\File\Path\ETC'
$DisabledUserParams = @{
    AccountName = $Exit.SamAccountName.Trim()
    UPN         = "$($Exit.SamAccountName.ToLower().Trim())@Company.com"
}
########################################################################
#Add the scrubber function to be standard on the script
function Disable-ThisMSOLACCOUNT {
    #variables
    $AccountInfo        = Get-MsolUser -UserPrincipalName $DisabledUserParams.UPN
    $CurrentAccountSku  = $AccountInfo.Licenses.AccountSkuId   # SKUs actually assigned to this user
    $DistributionGroups = Get-DistributionGroup -ResultSize Unlimited
    $SharedMailboxes    = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox
    $MailDGS            = Get-Recipient -ResultSize Unlimited -RecipientType MailUniversalDistributionGroup
    ############################################################################################
    # Remove only the SKUs the user holds (looping over every SKU in the tenant, as before,
    # throws for each one the user never had). Note the parameter is -RemoveLicenses.
    foreach ($License in $CurrentAccountSku) {
        try {
            Set-MsolUserLicense -UserPrincipalName $DisabledUserParams.UPN -RemoveLicenses $License -ErrorAction Stop
        }
        catch {
            if ($_.Exception.Message -ilike "*Unable to assign this license because it is invalid*") {
                Write-Host 'Error taking off License'
                Write-Host 'Run the Check at End'
            }
            continue
        }
    }
    #####################################################################################################
    # -Identity takes one group, not an array, so check each DL's members individually.
    foreach ($Distrolist in $DistributionGroups) {
        $Members  = Get-DistributionGroupMember -Identity $Distrolist.PrimarySmtpAddress -ResultSize Unlimited
        $IsMember = $Members | Where-Object {
            $_.Alias -eq $DisabledUserParams.AccountName -or $_.PrimarySmtpAddress -eq $DisabledUserParams.UPN
        }
        if ($IsMember) {
            try {
                Remove-DistributionGroupMember -Identity $Distrolist.PrimarySmtpAddress -Member $DisabledUserParams.AccountName -Confirm:$False -ErrorAction Stop
            }
            catch {
                if ($_.Exception.Message -ilike "*You don't have sufficient permissions*") {
                    continue
                }
            }
        }
    }
    #####################################################################################################
    # Remove-MailboxPermission requires -AccessRights; FullAccess is the delegated right being revoked here.
    foreach ($SM in $SharedMailboxes) {
        try {
            Remove-MailboxPermission -Identity $SM.Identity -User $DisabledUserParams.AccountName -AccessRights FullAccess -Confirm:$False -ErrorAction Stop
        }
        catch {
            continue
        }
    }
    #####################################################################################################
    # Strip SendAs on mail-enabled DGs (this loop was nested inside the shared-mailbox loop, so it ran once per shared mailbox).
    foreach ($DGS in $MailDGS) {
        try {
            Remove-RecipientPermission -Identity $DGS.Identity -Trustee $DisabledUserParams.AccountName -AccessRights SendAs -Confirm:$False -ErrorAction Stop
        }
        catch {
            continue
        }
    }
}
function Disable-ThisADACCOUNT {
    $OUTransfer  = "OU=Disabled Users Accounts,DC=company,DC=local"
    $ADAccountPG = Get-ADPrincipalGroupMembership -Identity $DisabledUserParams.AccountName
    foreach ($Group in $ADAccountPG) {
        # The primary group (Domain Users) cannot be removed this way; SilentlyContinue skips it.
        Remove-ADGroupMember -Identity $Group -Members $DisabledUserParams.AccountName -Confirm:$False -ErrorAction SilentlyContinue
    }
    # The original moved the object without disabling it; disable first, then park it in the disabled OU.
    Disable-ADAccount -Identity $DisabledUserParams.AccountName
    Get-ADUser -Identity $DisabledUserParams.AccountName | Move-ADObject -TargetPath $OUTransfer
}
# Run the AD clean-up only when the account exists on-prem. The original put the "found"
# branch inside the catch block, so Disable-ThisADACCOUNT could only run on an unrelated error.
try {
    $null = Get-ADUser -Identity $DisabledUserParams.AccountName -ErrorAction Stop
    Disable-ThisADACCOUNT
    Disable-ThisMSOLACCOUNT
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    # Cloud-only account: nothing to do in AD.
    Disable-ThisMSOLACCOUNT
}
The code hangs on the Disable-ThisMSOLACCOUNT function. It tries to make the service account log in again, even though the PS credential object is created and the parameters are valid.
Please tell me what I can do to fix this, since having a service account makes automated account creation/exit much better.
Thanks,
This is the link where I found how to make the credentials work and stop getting prompted.
Answered by:
EIG-Wes
The problem was with remote signing; it was fixed by running this command:
Enable-PSRemoting -Force
Credit to that guy, but screw whoever downvoted me. Seriously. Comment if there is a problem.
I hope this helps people using IT service accounts in PS.
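As an added example, not part of the question or of EIG-Wes's answer: the script in the question keeps the service-account password as a plaintext string and relies on every cmdlet silently picking up $creds. The block below shows the pattern a practitioner would use instead: store the credential once with Export-Clixml (DPAPI-protected, readable only by the same Windows user on the same machine), lock the file's ACL down, load it back as a PSCredential with sanity checks, and pass it explicitly with -ErrorAction Stop so an authentication failure aborts the run rather than surfacing as a later interactive prompt. The file path, account name and OU-free connection lines are assumptions made for the example; the Basic-auth connection mirrors the question and has since been retired by Microsoft in favour of Connect-ExchangeOnline.

```powershell
# Added example (not from the original post). Store and load the service-account
# credential with DPAPI instead of a plaintext string. Paths and the account name
# below are placeholders/assumptions.

#Requires -Version 5.1

function Save-ServiceCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory)][string]$Path
    )
    # Export-Clixml protects the SecureString with DPAPI: only the same Windows user
    # on the same machine can decrypt it. Run this once, interactively, as the account
    # the scheduled task runs under.
    $Credential | Export-Clixml -Path $Path

    # Drop inherited ACEs and allow only the writing user, SYSTEM and Administrators.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($identity in @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ServiceCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedUserName
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Credential file '$Path' not found. Run Save-ServiceCredential as the task account first."
    }
    # Import-Clixml throws a DPAPI error if a different user or machine reads the file;
    # the checks below catch a file written for the wrong account or an empty secret.
    $cred = Import-Clixml -Path $Path
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "'$Path' does not contain a PSCredential."
    }
    if ($cred.UserName -ne $ExpectedUserName) {
        throw "Credential file is for '$($cred.UserName)', expected '$ExpectedUserName'."
    }
    if ($cred.GetNetworkCredential().Password.Length -eq 0) {
        throw "Credential for '$ExpectedUserName' has an empty password."
    }
    return $cred
}

# One-time setup (interactive): prompts once and writes the protected file.
# Save-ServiceCredential -Credential (Get-Credential 'serviceaccountit@company.com') -Path 'C:\Scripts\svc-it.cred.xml'

# Unattended use: load the credential and hand it to every cmdlet that takes -Credential.
# -ErrorAction Stop turns a bad or expired secret into a hard failure at connect time.
$creds = Get-ServiceCredential -Path 'C:\Scripts\svc-it.cred.xml' -ExpectedUserName 'serviceaccountit@company.com'

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $creds -Authentication Basic -AllowRedirection -ErrorAction Stop
Import-PSSession $Session -DisableNameChecking | Out-Null
Connect-MsolService -Credential $creds -ErrorAction Stop
```

Because the DPAPI blob is bound to the user that wrote it, the setup step must be run under the same identity the scheduled task uses (for example with `runas /user:DOMAIN\svc-it powershell.exe`); a file exported by an admin's own account will fail to import when the task runs, which is a far better failure mode than a credential prompt that hangs an unattended job.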