I'm in a bit of a bind here! In my environment, privileged users have three different accounts: one for logging into their EUC device, one for member servers, and one for domain controllers. This complicates things when I try to use New-PSSession because I'm only able to work with one set of credentials at a time which often fails on certain servers. Does anyone have a better approach than my current script, which tries each set of credentials one after the other, logging success or failure?
3 Answers
Are all the machines domain joined? If so, you might be able to gather more info about your targets before making connections. For domain controllers, you can check the Domain Controllers OU. For everything else, you can use the alternate credentials or even prompt for them when needed.
Even with that, their RBAC is strictly managed, so I’m not sure how much you could retrieve programmatically.
So if it's possible to connect at all, then does it mean only one credential will work per machine? A simple way around this could be to create a list of computer names and corresponding credentials. Then, try connecting with each credential while suppressing errors like this:
```
$ComputerName = 'computer1', 'computer2', 'computer3'
$credList = $cred1, $cred2, $cred3
$sessionList = $credList | ForEach-Object {
New-PSSession -ComputerName $ComputerName -Credential $_ -ErrorAction SilentlyContinue
}
Invoke-Command -Session $sessionList {
"Doing stuff on $env:COMPUTERNAME"
}
Remove-PSSession $sessionList
```
This way, you can establish sessions without getting stopped by errors for each credential that doesn’t work.
I assume you know which credentials work with which machines. You could set up a switch/case statement based on machine names to choose the right credentials or create a function that takes both the credentials and the server name as parameters to streamline the process.
Yes, they are all domain joined! The OU structure is quite messy, though, so there's no guarantee of organization.