Use PowerShell to Enter-PSSession from the Active Directory Users and Computers MMC
I'm known for inserting PowerShell into most work-related conversations. I can't help it... there's probably a name for this 'affliction'...
Anyway, I was using the Active Directory Users and Computers MMC (dsa.msc) the other day and recalled some functionality I'd leveraged years ago to insert an HTA into a context menu.
Two things immediately sprang to mind:
- How can I use PowerShell to make a change to a dsa.msc context menu?
- How can I call PowerShell from a dsa.msc context menu?
Update Context Menu using PowerShell
To do this we need to make a change to an item in the configuration partition. How?
There's a container in the configuration partition called DisplaySpecifiers. Inside it are sub-containers named after locale IDs in hex (CN=409 is 0x409, US English), and inside those are the DisplaySpecifier objects that control the behaviour of EVERY Active Directory Users and Computers MMC in the forest. To create a new context menu item, all we do is tweak an attribute on the specifier for the object class we want to add a custom action to, e.g. if we want a PowerShell option to show up every time we right-click a computer object, we amend the computer DisplaySpecifier. Because this lives in the configuration partition, by default only Enterprise Admins (or an account explicitly delegated on the DisplaySpecifiers container) can write here. The distinguished name in the snippet below shows exactly where these objects live.
Here's how you make a change to the computer DisplaySpecifier object with PowerShell:
$Config = (Get-ADRootDSE).ConfigurationNamingContext
Set-ADObject -Identity "CN=computer-Display,CN=409,CN=DisplaySpecifiers,$Config" -Add @{adminContextMenu = "2,PowerShell...,\\HALODC02\Enter-PSSession\Enter-PSSession.bat"}
First we get the distinguished name of the configuration partition from the Get-ADRootDSE cmdlet. With that stored in a variable we can target the computer-Display object with the Set-ADObject cmdlet. We pass a hash table to the -Add parameter naming the multi-valued attribute we want to append to, adminContextMenu, and the value to append. The value is the interesting part. It breaks down thus:
- '2' is positional, i.e. the values form a numbered sequence of menu items. 1 is already taken by the built-in entries, and if you've made extensions previously, 2 might be in use too, so check what's already there with PowerShell first:
(Get-ADObject -Identity "CN=computer-Display,CN=409,CN=DisplaySpecifiers,$Config" -Properties adminContextMenu).adminContextMenu
- 'PowerShell...' is what gets displayed on the context menu
- '\\HALODC02\...' etc. is a reference to a script file called by the context menu item
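The snippets above hard-code position 2 and append without looking. The following is an added example, not the post's own code: it reads the existing adminContextMenu values, picks the lowest unused position, refuses to register the same command twice, and can remove the entry again for cleanup. It assumes the ActiveDirectory RSAT module, write access to the configuration partition, and the same share path as the post; the function names are mine.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's own code. Assumes: the ActiveDirectory RSAT module,
# write access to the configuration partition (Enterprise Admins by default),
# and that the command path handed to -Command is a share every admin can reach.

function Get-DisplaySpecifierDN {
    param(
        [Parameter(Mandatory)][string]$ObjectClass,  # 'computer', 'user', 'group', ...
        [int]$Locale = 0x409                         # the CN=409 sub-container is the hex LCID (en-US)
    )
    $config = (Get-ADRootDSE).ConfigurationNamingContext
    'CN={0}-Display,CN={1:X},CN=DisplaySpecifiers,{2}' -f $ObjectClass, $Locale, $config
}

function Get-AdminContextMenuItem {
    param([Parameter(Mandatory)][string]$ObjectClass, [int]$Locale = 0x409)
    $dn = Get-DisplaySpecifierDN -ObjectClass $ObjectClass -Locale $Locale
    foreach ($v in @((Get-ADObject -Identity $dn -Properties adminContextMenu).adminContextMenu)) {
        # Values are "<position>,<label>,<command>" for scripts or "<position>,<CLSID>" for COM extensions
        $parts = $v -split ',', 3
        [pscustomobject]@{ Position = [int]$parts[0]; Label = $parts[1]; Command = $parts[2]; Raw = $v }
    }
}

function Add-AdminContextMenuItem {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ObjectClass,
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][string]$Command,
        [int]$Locale = 0x409
    )
    $dn    = Get-DisplaySpecifierDN -ObjectClass $ObjectClass -Locale $Locale
    $items = @(Get-AdminContextMenuItem -ObjectClass $ObjectClass -Locale $Locale)

    # Don't register the same script twice; the attribute is multi-valued and would accept it
    if ($items | Where-Object { $_.Command -eq $Command }) {
        Write-Warning "$Command is already registered on $dn"
        return
    }
    # Pick the lowest unused position instead of hard-coding '2'
    $used = $items | ForEach-Object Position
    $next = 1
    while ($used -contains $next) { $next++ }

    $value = '{0},{1},{2}' -f $next, $Label, $Command
    if ($PSCmdlet.ShouldProcess($dn, "Add adminContextMenu value '$value'")) {
        Set-ADObject -Identity $dn -Add @{ adminContextMenu = $value }
    }
    $value
}

function Remove-AdminContextMenuItem {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ObjectClass,
        [Parameter(Mandatory)][string]$Command,
        [int]$Locale = 0x409
    )
    $dn = Get-DisplaySpecifierDN -ObjectClass $ObjectClass -Locale $Locale
    # -Remove needs the exact stored string, so match on the parsed command and remove the raw value
    foreach ($item in Get-AdminContextMenuItem -ObjectClass $ObjectClass -Locale $Locale |
             Where-Object { $_.Command -eq $Command }) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove adminContextMenu value '$($item.Raw)'")) {
            Set-ADObject -Identity $dn -Remove @{ adminContextMenu = $item.Raw }
        }
    }
}

# Usage (share path taken from the post); drop -WhatIf to apply the change forest-wide
Add-AdminContextMenuItem -ObjectClass computer -Label 'PowerShell...' `
    -Command '\\HALODC02\Enter-PSSession\Enter-PSSession.bat' -WhatIf
Get-AdminContextMenuItem -ObjectClass computer | Format-Table Position, Label, Command
```

Run it with -WhatIf first: the change is replicated to every domain controller and picked up by every ADUC console in the forest, so a wrong value is a forest-wide typo. Remove-AdminContextMenuItem backs it out by the stored string, which is what -Remove on a multi-valued attribute requires.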
Start PS Remoting from dsa.msc
We now have a context menu item on computer objects called 'PowerShell...'. When clicked, it calls a batch file; the batch file takes a parameter passed to it by the MMC and calls a PowerShell script. Both the batch file and the PowerShell script are stored on a resilient and secured network share. Remember that the context menu item is now available in every instance of Active Directory Users and Computers in the forest, so that share is a trust boundary: anyone who can modify the two files gets code execution on every admin workstation where the item is clicked, running as that admin. Lock the share and NTFS ACLs down to the account that maintains the scripts, and audit writes to it. Here's the contents of the Enter-PSSession.bat batch file:
@echo off
Title "Enter-PSSession"
echo.
REM %1 and %2 are supplied by the MMC; %2 is the name of the highlighted computer
PowerShell.exe -ExecutionPolicy Unrestricted -NoExit -File "\\HALODC02\Enter-PSSession\enter-pssession.ps1" -Computer %2
The last line is what we're interested in. We call a simple PowerShell script, passing the second argument the MMC handed to the batch file (%2) to the script's -Computer parameter. %2 is the host name of the computer we highlighted; in this example it is HALOMEM01.
Here's the contents of the Enter-PSSession.ps1 PowerShell script:
param ($computer)                                  # host name handed over by the batch file
$UI = (Get-Host).UI.RawUI
$UI.WindowTitle = "Enter-PSSession: $computer"     # label the console with the target
Enter-PSSession $computer                          # positional -ComputerName: interactive remote session
Here's what happens when I click the context menu item:
Sweet! A remote, interactive PowerShell session established to the computer object selected in Active Directory Users and Computers!
Now, you might be asking why the batch file, and why not call the PowerShell script directly? Two reasons. First, the MMC launches the registered file with only the arguments it supplies itself; you cannot add parameters of your own to the adminContextMenu value, so there's no way to invoke PowerShell.exe with -File and friends straight from the specifier. Second, a .ps1 file is associated with Notepad by default, not with a PowerShell host (a deliberate safeguard against accidental or malicious execution of script files). So we register a batch file and put the PowerShell.exe command line, parameters and all, inside it. Make sense?
NB - sadly, the Enter-PSSession example won't work against a domain controller computer object. This is because the parameters passed to the batch file by the MMC for a DC object aren't the same as for a standard computer object... pesky developers!
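The script above trusts whatever lands in $computer and hands it straight to Enter-PSSession. As an added example, not the post's enter-pssession.ps1, here is the same job with the argument checked first: it accepts a bare host name (what the post observes for computer objects) or, as an assumption added here, an LDAP path that it resolves to the object's dNSHostName, rejects anything else, and confirms WinRM is listening before opening the session. The Resolve-TargetHost function is mine.

```powershell
# Added example, not the post's enter-pssession.ps1. Same job (open a remote session to
# the computer the MMC handed over), but it checks what it was given first.
# Assumption: the argument is a bare host name (what the post observes for computer objects)
# or an LDAP path; anything else is rejected rather than passed to Enter-PSSession.
[CmdletBinding()]
param([Parameter(Mandatory)][string]$Computer)

function Resolve-TargetHost {
    param([Parameter(Mandatory)][string]$Argument)

    if ($Argument -match '^LDAP://') {
        # Strip the provider prefix and any "server/" part, then ask AD for the registered DNS name
        $dn = $Argument -replace '^LDAP://([^/]+/)?', ''
        Import-Module ActiveDirectory -ErrorAction Stop
        $dns = (Get-ADComputer -Identity $dn -Properties DNSHostName).DNSHostName
        if (-not $dns) { throw "No dNSHostName on $dn" }
        return $dns
    }
    # A plain host or DNS name: letters, digits, hyphens and dots only, label lengths per DNS
    if ($Argument -match '^[A-Za-z0-9][A-Za-z0-9\-]{0,62}(\.[A-Za-z0-9\-]{1,63})*$') {
        return $Argument
    }
    throw "Refusing to connect: '$Argument' does not look like a host name"
}

$target = Resolve-TargetHost -Argument $Computer
$Host.UI.RawUI.WindowTitle = "Enter-PSSession: $target"

# Fail with a readable message if WinRM is not listening, instead of waiting on a timeout
try {
    $null = Test-WSMan -ComputerName $target -ErrorAction Stop
} catch {
    Write-Error "WinRM is not reachable on $target : $($_.Exception.Message)"
    return
}
Enter-PSSession -ComputerName $target
```

Because the script is launched with -NoExit, the throw and the Write-Error both leave the console open with the reason on screen, which is more useful than a closed window when the MMC passes something unexpected.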
Comments
- Anonymous, June 30, 2015:
Recent Releases and Announcements
Cumulative Update #1 for SQL Server 2014 SP1
https://support
- Anonymous, September 10, 2015:
This is awesome; I'm really surprised no one commented. Now to find the alterations for a domain controller.
- Anonymous, February 24, 2016:
Great article, but how did you know which numbered container to go up against? I'm guessing each one is an OU?
- Anonymous, April 27, 2017:
First, I want to say thank you, very informative and to the point. I do have some questions though. Let's say I want to make a right-click for a user instead of a computer. I already know how to add the right-click option, but what MMC argument would pass the user account along? Would it still be %2 or would it be %1? Or is it something completely different? Also, is there a list of arguments for MMC and what they are? Like %2 is the name of the object, %1 is the description of the object etc.
- Anonymous, July 21, 2017:
Is it possible to use the DisplaySpecifier script method but allow multiple selections? E.g. add a context menu item to perform a custom task, and perform that custom task on 10 computers by selecting all of them in ADUC?