This discussion has been locked.

Custom Activity PowerShell

Hello,

I have the following issue. If a user changes his password on the PWM website while he is currently logged on to the system, the computer needs to be locked so that the new password is recognized by our proxy and by Windows itself.

I am trying to create a custom activity with a PowerShell script that locks the computer. I know how PowerShell works, but I have no clue how to get a custom activity working.

That's an important step for me and I really need to know how it works. I read the help file, but I didn't get it.

Here is what I am doing so far.

Create a custom activity inside the Manage My Passwords workflow.

Activity Name: lockpc

PowerShell script:

function PreLoad($workflow, $lockpc)
{
    # Runs inside the Password Manager service process on the server, not on the user's workstation
    $xCmdString = { rundll32.exe user32.dll,LockWorkStation }

    Invoke-Command -ScriptBlock $xCmdString

    # Add code to be executed before activity execution begins here
}
Nothing happens. The text that I created in the user interface designer is displayed, but nothing more.

I hope that someone can point me in the right direction.

Thanks

Frank

  • This PoSH is not going to work the way you think it does. Keep in mind that the PowerShell is going to execute in the context of the Password Manager server, not the user's workstation. So it will lock the console on the Password Manager server, not the user's workstation.
  • Hello George,

    OK, I found that out also. But with the information provided in $workflow.userinfo I get enough information to do that. I thought. But, there is always a but. It is not working.

    Steps that I have done:

    1. Get the IP address out of $workflow.userinfo:
    $pmuser = $workflow.userinfo
    $ip = $pmuser.ipaddress

    2. Resolve the DNS name for the IP:
    $client = ([system.net.dns]::GetHostByAddress($ip)).hostname

    3. Try to run the local task to lock the PC:
    schtasks /run /tn lockpc

    But step 3 did not work. I don't know why. If I do all the steps manually in PowerShell, it works.
    Also, when I try to start the task remotely with the following command:
    schtasks /run /s $Client /tn lockpc

    It is not working. Any ideas?
    Thanks for helping me to resolve it.
    Frank
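The steps above (read the client address from $workflow.userinfo, resolve it, then start the workstation's "lockpc" task), put together as one complete custom-activity script. This is an added example, not Frank's script and not One Identity product code. It keeps the scheduled-task approach because rundll32 user32.dll,LockWorkStation only locks the desktop of the session it runs in: run on the server it locks the server, and run inside a WinRM session it runs in a non-interactive session and locks nothing. Everything it assumes is marked in the code: the $workflow.UserInfo.IpAddress property as used in the thread, a pre-created task named lockpc on each workstation that runs the rundll32 command in the logged-on user's session, a dedicated least-privilege account whose credential was saved with Export-Clixml, and the paths C:\ProgramData\pwm\lockpc.cred.xml and C:\ProgramData\pwm\lockpc.log.

```powershell
# Added example, not the thread's script and not product code. All names below are assumptions.
#
# ASSUMPTION: $workflow.UserInfo.IpAddress is the address of the browser that opened the PWM site
#   (as used in the thread). Behind a reverse proxy or NAT it is the proxy's address, not the PC's.
# ASSUMPTION: a scheduled task named 'lockpc' exists on every workstation and runs
#   rundll32.exe user32.dll,LockWorkStation in the interactive (logged-on) user's session.
# ASSUMPTION: the credential file was written by  Get-Credential | Export-Clixml <path>  while
#   running AS the Password Manager service account ON this server (DPAPI binds it to both).
$script:CredentialPath = 'C:\ProgramData\pwm\lockpc.cred.xml'
$script:LogPath        = 'C:\ProgramData\pwm\lockpc.log'

function Write-LockLog {
    param([string]$Message)
    # Records the identity the activity actually runs under, which is the service log-on account
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Add-Content -Path $script:LogPath -Value ('{0:u} [{1}] {2}' -f (Get-Date), $who, $Message)
}

function Resolve-ClientHost {
    param([Parameter(Mandatory)][string]$IpAddress)
    # Accept only a single IP literal before anything reaches DNS or WinRM
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($IpAddress, [ref]$parsed)) { return $null }
    try { return ([System.Net.Dns]::GetHostEntry($parsed)).HostName } catch { return $null }
}

function Invoke-RemoteLock {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$TaskName = 'lockpc'
    )
    # With an explicit credential the workstation is the FIRST hop for that identity, so no
    # Kerberos delegation is needed. schtasks runs locally on the workstation and the task
    # itself is what runs in the user's interactive session.
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop `
        -ArgumentList $TaskName -ScriptBlock {
            param($Name)
            $out = & schtasks.exe /run /tn $Name 2>&1
            [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out -join ' ') }
        }
}

# Same hook Frank used; the second parameter is the activity object (he named it $lockpc).
function PreLoad($workflow, $activity)
{
    try {
        $ip     = $workflow.UserInfo.IpAddress
        $target = Resolve-ClientHost -IpAddress $ip
        if (-not $target) { Write-LockLog "no host for '$ip'; skipping lock"; return }

        $cred = Import-Clixml -Path $script:CredentialPath
        $r    = Invoke-RemoteLock -ComputerName $target -Credential $cred
        Write-LockLog "lockpc on $target exit=$($r.ExitCode) $($r.Output)"
    } catch {
        # A failed lock must never block the password change itself
        Write-LockLog "lock failed on '$ip': $($_.Exception.Message)"
    }
}
```

The account in the credential file should be able to do exactly one thing on the workstations: connect over WinRM and run that task (for example via a local group that is granted the task's "run" permission), so that a compromise of the Password Manager server does not hand an attacker interactive or administrative access to every PC. The log line also answers the question raised later in the thread about which user the script runs as.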
  • Oh, I forgot: I tried to create a remote session
    Enter-PSSession -ComputerName $client

    On my "normal" PowerShell command line it is working.
  • I am also not able to send a simple message with the msg command. As soon as I want to do something with an executable, it is not working.
  • Check the Security logs on the target host.

    This sounds like a Kerberos Double-Hop issue. Essentially, you are "spending" your authentication token on the local machine, and cannot use it in a remote PowerShell session.

    blogs.technet.microsoft.com/.../

    You'll have to trust the server that you are running the script on for Kerberos Delegation.

    Here is a very good writeup:

    blogs.technet.microsoft.com/.../
  • I only try to send a msg. That is also not working. This must work without any Kerberos issues.
    I also trusted the PWM server for Kerberos delegation.
  • Did you check the Security logs on both servers for any authentication issue?
  • Yes, I checked the logs but did not find anything that looks like an authentication issue. I activated the Kerberos logs and saw some KDC_ERR_PREAUTH_FAILED,
    but not at the time I tried to start the PowerShell script. I also tried to remove Kerberos pre-authentication for the particular user, but it doesn't work.
    Under which user is the PowerShell script running?
    Under the same user as the service is running?
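The thread ends on the question of which identity the script runs as and whether the Security logs show why the remote call is rejected. The following diagnostics, an added example that is not from the thread or from the product, answer both from an admin console on the Password Manager server: which account the service runs under (and therefore which account reaches the workstation), whether the server account really carries the delegation setting that was suggested, and which account, logon type and NTSTATUS the workstation's 4625 events report. Assumptions: the RSAT ActiveDirectory module is installed on the server, the service's DisplayName contains "Password Manager", and PWMSRV01 / WS-FRANK are placeholder computer names.

```powershell
# Added diagnostic example, not code from the thread or the product. Assumptions are marked.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ScriptIdentity {
    # A custom activity runs inside the Password Manager service process, so its identity is the
    # service log-on account. Run WindowsIdentity from inside an activity to confirm; here we ask the SCM.
    $svc = Get-CimInstance Win32_Service |
        Where-Object DisplayName -like '*Password Manager*'   # ASSUMPTION: adjust to the real service name
    [pscustomobject]@{
        CurrentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        ServiceAccounts = @($svc | ForEach-Object { '{0} -> {1}' -f $_.Name, $_.StartName })
    }
}

function Get-DelegationState {
    # Shows what "trusted for delegation" actually set on the account: unconstrained
    # (TrustedForDelegation) or constrained (msDS-AllowedToDelegateTo). Only relevant when a
    # ticket obtained on the first hop has to be forwarded to a second machine.
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Name          = $c.Name
        Unconstrained = [bool]$c.TrustedForDelegation
        ConstrainedTo = @($c.'msDS-AllowedToDelegateTo')
    }
}

# NTSTATUS sub-status values that 4625 reports, with their meaning
$StatusNames = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE (unknown user or bad password)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
    '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED (account lacks the logon right for this logon type)'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function Get-LogonFailures {
    # Pull 4625 (failed logon) events from the workstation's Security log and report which
    # account, from which source IP and process, was rejected and why. Needs event-log read
    # rights on the workstation; WinRM is not required for this call (RPC to the event log).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $sub = ('{0}' -f $d['SubStatus']).ToLower()
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                LogonType = $d['LogonType']      # 3 = network (WinRM, schtasks /s, msg)
                SourceIp  = $d['IpAddress']
                Process   = $d['ProcessName']
                Status    = $d['Status']
                SubStatus = if ($StatusNames.ContainsKey($sub)) { $StatusNames[$sub] } else { $sub }
            }
        }
}

# Usage from an admin console on the Password Manager server (placeholder names):
Get-ScriptIdentity
Get-DelegationState -ComputerName 'PWMSRV01'
Get-LogonFailures -ComputerName 'WS-FRANK' -Since (Get-Date).AddMinutes(-30) | Format-Table -AutoSize
```

How to read the result: if the service runs as Local System or a virtual account, the 4625 entries on the workstation show the server's computer account (PWMSRV01$) with logon type 3, and the fix is rights for that account on the workstation or an explicit credential in the script; if they show a domain service account with 0xC000015B, the account is missing the "Access this computer from the network" right or is not a member of the required group on the workstation. No 4625 entry at all while the script runs means the request never reached the workstation (name resolution, firewall, or WinRM not listening), which is a different problem from authentication.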