Score:-1

Rename-Computer : Fail to rename computer due to the following exception: Access is denied


I'm domain joining new machines with provisioning packages (ppkg) and using temporary names (PENDING_%serial%). The ppkg works OK, but I then want to bulk rename them, instead of remoting and renaming individually. The issue is that Rename-Computer is giving an error. This is after completely disabling the firewall and running the command from a domain admin account.

The command I run:

rename-computer -computername PENDING#### -newname US#### -domaincredential mydomain\admin1

Rename-Computer : Fail to rename computer 'PENDING#####' to 'us####' due to the following exception: Access is denied.

I can run get-wmiobject remotely using the same credentials. So I know it isn’t a credential issue.

And event viewer on the remote PC shows successful logins during the attempted moments.

Edit: Apparently I was doing something wrong. Using -DomainCredential domainname\domainadmin works. But doesn't work without it, even when PowerShell is elevated with that same account.

Semicolon avatar
jo flag
You need to run it on the endpoint, or configure Kerberos/CredSSP. It doesn’t matter if you’re running it from the DC, it’s still a second-hop. You’re passing credentials to the endpoint and then trying to pass those back to the DC; it’s not going to work.
us flag
So to run Rename-Computer on a remote target, you need to configure Kerberos/CredSSP? How come running Get-WMIObject from another PC with the same credentials works fine? Isn’t that also a second hop?
Semicolon avatar
jo flag
Get-WMIObject doesn’t make a second hop, it reads information directly on that machine. Rename-Computer has to connect to a domain controller to update the computer object. I think you’re clearly missing something. When using the -ComputerName parameter, you’re starting the rename operation on that computer. The second hop is when it attempts to connect to a DC to complete the process. Kerberos delegation isn’t configured, so your credentials can’t be delegated from the remote computer to a DC, and the attempt to rename goes through as anonymous — which fails with access denied.
Semicolon avatar
jo flag
Open a remote PowerShell session on the client and try accessing a file share on the DC. Even if it’s the computer that you opened the PowerShell session from - you’re going to get an access denied — it’s the same process.
Semicolon avatar
jo flag
It's a double-hop problem. You're attempting to remotely run a command that needs to contact a third computer.
us flag
Sorry, but I don’t understand. Are you saying I have to run the command from the DC? Because that’s where the credentials from the domain account are stored, right?
us flag
Remote PowerShell session to the DC and try to access a share on the same DC?
Semicolon avatar
jo flag
Nope. From the DC, open a PowerShell session on PENDING_xxx, and access a file share on the DC (or any other computer) - it won’t work
us flag
Ok, thanks. Are there any ways I could rename the computer remotely, without modifying domain settings, GPOs, etc? Preferably, local settings I could change through putting a script in a ppkg?
Semicolon avatar
jo flag
I join the computer to the domain in the path with the correct name initially. How are you joining the domain?
us flag
Through a provisional package. Which only lets me choose fixed string + %random% + %serialnumber%. https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-accounts
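
The edit to the question reports that Rename-Computer succeeds against a remote machine once -DomainCredential is passed explicitly. A bulk version of that call, as an added example that is not part of the original thread: the name mapping is constructed sample data, the new-name check is a conservative choice made for this example, and the script starts in dry-run mode.

```powershell
# Added example, not from the thread. The mapping below is constructed sample data.
$map = @'
OldName,NewName
PENDING_SN0001,US-SN0001
PENDING_SN0002,US-SN0002
'@ | ConvertFrom-Csv

# Prompt once; the password is never stored in the script or the provisioning package.
$cred = Get-Credential -Message 'Domain account permitted to rename computer objects'

# Dry run by default: Rename-Computer only reports what it would do.
# Set to $false to perform the renames.
$dryRun = $true

$results = foreach ($row in $map) {
    # Assumption of this example: accept only letters, digits and hyphens,
    # and at most 15 characters (the NetBIOS computer name limit).
    if ($row.NewName -notmatch '^[A-Za-z0-9-]{1,15}$') {
        [pscustomobject]@{ OldName = $row.OldName; NewName = $row.NewName
                           Succeeded = $false; Detail = 'Rejected: invalid new name' }
        continue
    }
    try {
        # -DomainCredential hands the target an explicit credential to present to
        # the domain controller, the step that failed with "Access is denied".
        $r = Rename-Computer -ComputerName $row.OldName -NewName $row.NewName `
                 -DomainCredential $cred -Force -PassThru `
                 -WhatIf:$dryRun -ErrorAction Stop
        $detail = 'Renamed; takes effect after restart'
        if ($dryRun) { $detail = 'Dry run only' }
        [pscustomobject]@{ OldName = $row.OldName; NewName = $row.NewName
                           Succeeded = [bool]$r.HasSucceeded; Detail = $detail }
    } catch {
        # Keep going on failure so one unreachable machine does not stop the batch.
        [pscustomobject]@{ OldName = $row.OldName; NewName = $row.NewName
                           Succeeded = $false; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

The new name is not in use until the machine restarts; Rename-Computer accepts -Restart if the reboot should happen as part of the same call.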