PowerShell – Access is Denied when Reset-ComputerMachinePassword is run through Invoke-Command

Tags: invoke-command, powershell, powershell-remoting

I'm using the following command to reset a remote machine's password.

# Domain admin credential used for the remote session
$user = "Domain\domainadmin";
$pass = "dapassword" | ConvertTo-SecureString -AsPlainText -Force;
# Note: the credential object must be built from $user (the original post used an undefined $UserName here)
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $pass;
# Run the reset on the domain controller, targeting the member machine
Invoke-Command -Credential $creds -ComputerName "DomainControllerMachine" -ScriptBlock {
    $ComputerName = "SomeRemoteHost"
    Import-Module ActiveDirectory;
    Reset-ComputerMachinePassword -Server ${ComputerName};
}

I keep getting 'Access is denied' error.

This command cannot be executed on target computer('DomainControllerMachine') due to following error: Access is denied.
    + CategoryInfo          : InvalidOperation: (DomainControllerMachine:String) [Reset-ComputerMachinePassword], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.ResetComputerMachinePasswordCommand

The account I use has all levels of access to the Active Directory, so there won't be an issue with the credentials used for authentication.

If I run the same command on the 'DomainControllerMachine' (logged in as same user) it works fine.

Import-Module ActiveDirectory; 
Reset-ComputerMachinePassword -Server "SomeRemoteHost";

Even the whole Invoke-Command block above just works without complaining on the DomainControllerMachine.
But when I do it remotely through Invoke-Command or Enter-PSSession I get that dreaded "Access is denied" error.

I've also tried using CredSSP after setting up the WSManCredSSP (Client, delegation and Server) on the machines with no luck.

I may have missed something, or is there a better way to handle such a case?

Best Answer

It looks to me like you are running the Reset-ComputerMachinePassword command on the domain controller. As far as I know it should be run on the computer that needs to be reset, with the DC name in the -Server field.

To do this you would need to run the command on the computer that needs its credentials reset:

Reset-ComputerMachinePassword -Server "DomainControllerMachine" -Credential $PSCredential

You can try to do it remotely with a PSSession if the computer has PowerShell remoting enabled. You will need to specify a different authentication method to reach a computer that has lost its trust with the domain.

You can use CredSSP, but this will only work if your GPO allows delegating your credentials to the target computer. Or you can use Basic authentication, but for that to work the target must accept unencrypted traffic.

The command to do it remotely would probably look something like this:

# Open a session to the machine whose trust is broken (Basic auth needs AllowUnencrypted on both sides, or -UseSSL)
$session = New-PSSession -ComputerName "targetcomputer" -Authentication Basic -Credential "Domain\domainadmin"
# -Server must be the domain controller, not the admin account (the original post had the user name here)
Invoke-Command -Session $session -ScriptBlock { Reset-ComputerMachinePassword -Server "DomainControllerMachine" }
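The following is an added worked example, not code from the question or the answer above. It carries out the procedure the answer describes (run Reset-ComputerMachinePassword on the affected machine, pointing -Server at the DC) and adds the checks a practitioner would want: confirm the trust is actually broken first, and verify the repair afterwards. It assumes the host and DC names from the post, a hypothetical local administrator account (`.\localadmin`) on the target, and an HTTPS WinRM listener on the target; the local account is used to open the session because a machine whose secure channel is broken cannot validate a domain logon, while the domain admin credential is passed through to the reset itself via `$using:`. Basic authentication sends the password in cleartext (base64), so if you use it instead of Negotiate, always pair it with -UseSSL.

```powershell
# Added example (not from the original question or answer).
# Assumptions: names below come from the post; '.\localadmin' and the HTTPS
# listener on the target are assumptions for this example.
param(
    [string]$Target           = 'SomeRemoteHost',
    [string]$DomainController = 'DomainControllerMachine',
    [string]$DomainAdmin      = 'Domain\domainadmin',
    [string]$LocalAdmin       = '.\localadmin'   # hypothetical local account on $Target
)

# Prompt for both credentials instead of embedding passwords in the script.
$domainCreds = Get-Credential -UserName $DomainAdmin -Message "Domain admin for $DomainController"
$localCreds  = Get-Credential -UserName $LocalAdmin  -Message "Local admin on $Target"

# A local account cannot use Kerberos, so WinRM needs either HTTPS (used here)
# or the target listed in TrustedHosts on the client. NTLM via Negotiate keeps the
# password off the wire; Basic would not, which is why -UseSSL is non-negotiable there.
$session = New-PSSession -ComputerName $Target -Credential $localCreds `
    -Authentication Negotiate -UseSSL

try {
    # 1. Check the secure channel before touching the machine account password.
    $healthy = Invoke-Command -Session $session -ScriptBlock {
        Test-ComputerSecureChannel -Server $using:DomainController -ErrorAction SilentlyContinue
    }
    if ($healthy) {
        Write-Host "Secure channel from $Target to $DomainController is healthy; nothing to do."
        return
    }

    # 2. Run the reset ON THE TARGET, with -Server = the DC and the domain credential
    #    passed in explicitly (the session was opened with a local account, which has
    #    no rights in AD).
    Invoke-Command -Session $session -ScriptBlock {
        Reset-ComputerMachinePassword -Server $using:DomainController -Credential $using:domainCreds
    }

    # 3. Verify the repair from the target's point of view.
    $repaired = Invoke-Command -Session $session -ScriptBlock {
        Test-ComputerSecureChannel -Server $using:DomainController
    }
    if ($repaired) {
        Write-Host "Machine account password for $Target reset; secure channel to $DomainController OK."
    } else {
        Write-Warning "Reset ran but Test-ComputerSecureChannel still fails on $Target; check event logs on both sides."
    }
}
finally {
    Remove-PSSession $session
}
```

Test-ComputerSecureChannel and Reset-ComputerMachinePassword both need an elevated session on the target, so the local account must be an administrator there. If you prefer the CredSSP route from the answer, the session line becomes `-Authentication Credssp` with the domain credential, after `Enable-WSManCredSSP -Role Client -DelegateComputer $Target` on the client and `Enable-WSManCredSSP -Role Server` on the target; CredSSP hands the target your full domain credentials, so limit delegation to that one host and disable it again when finished.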