Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain but customers are unable to add new posts or comment on existing. Please feel free to join our Community Discord for any questions and discussions.

Deploy: run PowerShell script from PDQDeploy server?

Hi,

I'm rolling out LAPS in my org and have installed the PowerShell module on the PDQ central server. This saves installing it on all the workstations. I would like to create a new PDQ package which simply executes the Reset-AdmPwdPassword command targeted at the computer which the deploy package is set to run for.

If Deploy typically executes packages on the targeted computers, how can I make sure it runs on the central server instead, then pass it the targeted computer name as a variable?

Thanks in advance.

1

Comments

6 comments
  • Unfortunately, that isn't possible in Deploy.

    However, an Inventory Tool set to a Run Type of Local should work: https://link.pdq.com/docs-PDQInventory?creatingtools.htm

    1
  • Colby Bouma, thanks! As an alternative, I guess I could push out the PowerShell module when deploying the LAPS client to the endpoints, then execute the command locally on the endpoints, correct?

    1
  • I believe so, but I've never set up LAPS before, so I can't say for sure.

    0
  • Colby Bouma, thanks again. That worked! I'll post my findings here for anyone else who is looking to do this...

    I re-deployed the LAPS client using:

    msiexec.exe /i "LAPS.x64.msi" ALLUSERS=1 /qn /norestart /log output.log ADDLOCAL=CSE,Management.PS

    The ADDLOCAL bit specifies which components to install. CSE is for the GPO Client Side Extension (this is installed by default if you don't include the ADDLOCAL parameter) and Management.PS is the PowerShell module.

    I then have another package which simply forces a reset of the LAPS password.

    Step 1 (PowerShell):

    Reset-AdmPwdPassword -ComputerName $env:COMPUTERNAME

    Step 2 (command):

    gpupdate /force

    Step 1 expires the password immediately. Step 2 runs the CSE and forces the password to reset and write this back to the Active Directory.

    I then tried to create a PDQ Inventory Tool as Colby Bouma suggested. I created the tool using a PowerShell command to run. This is a Local tool (runas Console user).

    Reset-AdmPwdPassword -ComputerName $(Computer:TARGET)
    PsExec -accepteula \\$(Computer:TARGETHOSTNAME) Gpupdate /target:computer

    The Reset-AdmPwdPassword bit works. However, I'm getting an error regarding PsExec...

    PsExec : The term 'PsExec' is not recognized as the name of a cmdlet, function, script file, or operable program

    This is installed in C:\windows\system32\psexec.exe on the PDQ central server, so I'm not sure why I'm getting this error. Can you help?

    0
  • Are you running that Tool from a Client? If so, you will need to install PsExec on it too.

    0
  • I'm trying to follow your suggestion and create a tool. https://help.pdq.com/hc/en-us/community/posts/4411254123931/comments/4411284728347

    The tool is set to Local, which I understood to mean it would run on the PDQ central server. I have re-read the documentation and now understand Local to mean the computer running the PDQ Deploy console, which is my local PC, not the PDQ server. This now makes sense, as I didn't have PsExec on my local PC. I do now, and the tool is working well!

    Many thanks.

    0
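The Local tool from the thread, written out as a script that checks its own prerequisites and confirms the rotation actually happened. This is an added example, not code posted by anyone in the thread. The `$ComputerName` and `$TimeoutSeconds` parameters are assumptions; in a PDQ Inventory Tool the computer name would come from `$(Computer:TARGET)`.

```powershell
# Added example, not from the thread. $ComputerName and $TimeoutSeconds are
# assumed parameters; a PDQ tool would pass $(Computer:TARGET) as the name.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [int]$TimeoutSeconds = 120
)

# A Local tool runs on the machine hosting the console, so both dependencies
# must exist here, not only on the PDQ server.
if (-not (Get-Module -ListAvailable -Name AdmPwd.PS)) {
    Write-Error "AdmPwd.PS module is not installed on $env:COMPUTERNAME."
    exit 2
}
$psexec = Get-Command -Name PsExec.exe -CommandType Application -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $psexec) {
    Write-Error "PsExec.exe is not on the PATH of $env:COMPUTERNAME."
    exit 2
}
Import-Module AdmPwd.PS -ErrorAction Stop

# Expire the current password and record the expiration time AD now holds.
Reset-AdmPwdPassword -ComputerName $ComputerName -ErrorAction Stop | Out-Null
$before = (Get-AdmPwdPassword -ComputerName $ComputerName -ErrorAction Stop).ExpirationTimestamp

# Make the CSE on the target process policy, as in the thread's tool.
& $psexec.Source -accepteula "\\$ComputerName" gpupdate /target:computer
if ($LASTEXITCODE -ne 0) {
    Write-Error "gpupdate on $ComputerName returned exit code $LASTEXITCODE."
    exit 1
}

# A completed rotation moves the expiration time forward. Only the timestamp
# is read into a variable, so the password never reaches the tool output.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    $after = (Get-AdmPwdPassword -ComputerName $ComputerName -ErrorAction Stop).ExpirationTimestamp
    if ($after -gt $before) {
        Write-Output "$ComputerName rotated; next expiration $after"
        exit 0
    }
    Start-Sleep -Seconds 10
} while ((Get-Date) -lt $deadline)

Write-Error "$ComputerName was not rotated within $TimeoutSeconds seconds (expiration still $after)."
exit 1
```

The account running the tool needs rights to write the expiration time and read it back on the target's computer object in Active Directory.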