Problem: Fixes for Windows Service Error 1067


Method 1: Fix Permissions Issues

Permission problems are responsible for error 1067. To fix the issue, having access to the service controls from a personal user profile is helpful.

Steps to follow:

  1. Press Win+ R keys at the same time to open the Run utility, type services.msc, and hit Enter.

  2. Find the service which has the error 1067 from the services list, right-click on it and choose Properties from the context menu.

  3. If the service is running, stop it. If it is stopped, go to the Log On tab and click the Browse button.

  4. Type your account name to the Enter the object name to select a section and click Check Names. Wait for the name to be available.

  5. Click OK If needed, input the password. Now, the service should start without error code 1067.

Method 2: Repair the Problematic Service

 Process terminated unexpectedly occurs when the service you are trying to start becomes faulty or corrupted. Try to delete and install the service to get rid of the trouble.

Problem: Running PS script with parameters support


  1. Navigate to the directory where the script is located Ex. cd c:/folder; 

  1. Pass the script name along with input params delimited with space if more than one.

Note: all commands work the same as native PowerShell, except a few, for example -ComputeName may not work as expected as it requires a different protocol to work rather than WinRM.


cd C:\Users\Administrator\Desktop; .\demo.ps1 parameter1 parameter2  

Problem: Get-ADGroupMember: The size limit for this request was exceeded


This is due to a limitation in AD web services, check:

The default limit is 5000, this can be adjusted in a config file but to keep things consistent you have to update that file on each DC.

  1. On the Domain Controller navigate to the file C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config

  1. Put this entry (if you don't already have it)

<add key="MaxGroupOrMemberEntries" value="25000" /> 

  1. Save the config file and restart the ADWS service on the Domain Controller. 


stop-service adwssvr

start-service adwssvr

  1. Repeat this on all your Domain Controllers

Problem: Godaddy SSL certificate issue

To get Godaddy certificates to work in Java with SHA2 you will need to use their cross-certificate in your chain to chain the G2(SHA2) root to the G1(SHA1) root until Java decides to update their repository. The Cross Certificate bundle can be downloaded here:

Problem: Add-Content: Access to the path is denied


  1. Check the path existence, Test-path "path-to-be-checked"

  2.  Check for special cases like

    1. If you need to create/update your file in c:\ drive directly, make sure that you have added Set-ExecutionPolicy "Unrestricted" at the beginning of your PowerShell Script.

Problem: SSL_connect


If there is no CA(Certificate Authority), Ideally, verification will not happen in the case of a self-signed certificate. It is meant for encryption only not for authentication. So whenever self-signed certificates are configured, then app configuration should be for key Disable SSL Certificate Verification has to be true.

If Certificate Authority is present then verify certificate chain with SSL Certificate Validator.

Problem: The ampersand (&) character is not allowed.

Sample Command

 New-ADUser -Name '<Name>' -AccountPassword (ConvertTo-SecureString QWE&60(nm -AsPlainText -Force) -DisplayName '<DisplayName>' -Enabled 1 -GivenName ‘<GivenName>’-Path 'OU=<OU>,OU=<OU>,OU=<OU>,DC=<DC>,DC=<DC>,DC=<DC>' -SamAccountName ‘<SamAccountName>’-Surname ‘<Surname>’-Type 'user' -UserPrincipalName '<UserPrincipalName>'

Error Response


  "response" : {

    "result" : "At line:1 char:72\r\n+ ... -Name '<Name>' -AccountPassword (ConvertTo-SecureString QWE&60(nm -A ...\r\n+                                                                 ~\nThe ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks (\"&\") to pass it as part of a string.\r\n\r\nAt line:1 char:353\r\n+ ... 'User1' -Type 'user' -UserPrincipalName '<UserPrincipalName>'\r\n+                                                                          ~\nMissing closing ')' in expression.\n    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException\n    + FullyQualifiedErrorId : AmpersandNotAllowed,Microsoft.PowerShell.Commands.InvokeExpressionCommand\n"


  "meta" : {

    "exit-code" : 0,

    "message" : "success"




Since & the operator is reserved for future use, you should omit this character.

Problem: No connection could be….

No connection could be made because the target machine actively refused it. - No connection could be made because the target machine actively refused it. - connect(2) for "" port 5886 (


This issue basically comes when IP/username/password/port is wrong. Double-check all the configurations.

Problem: Cannot open Service Control Manager on computer…...

PS C:\Users\Administrator> Get-Service -ComputerName 'EC2AMAZ-JDAKI9N'

Get-Service: Cannot open Service Control Manager on computer 'EC2AMAZ-JDAKI9N'. This operation might require other privileges.

At line:1 char:1

+ Get-Service -ComputerName 'EC2AMAZ-JDAKI9N'

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException

    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

Solutions :

By default Windows Firewall blocks remote management, which may explain why sc and mmc aren't working either. So open the required port on the machine. 

Try using the IP address instead of hostname, sometimes hostname does not resolve. 

Problem: Get-ADGroup will work perfectly but Get-ADGroupMember will not


Look at the groups that have errors in ADUC you will see that some of the members are foreign principles (members of another domain).  you can get around it with this:

Function Get-ADGroupMemberFix {




            Mandatory = $true,

            ValueFromPipeline = $true,

            ValueFromPipelineByPropertyName = $true,

            Position = 0





    process {

        foreach ($GroupIdentity in $Identity) {

            $Group = $null

            $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member

            if (-not $Group) {



            Foreach ($Member in $Group.Member) {

                Get-ADObject $Member 





Get-ADGroupMemberFix '<group name>’

Configure WinRM over HTTPS with Self signed Certificate

  1. winrm e winrm/config/Listener

  2. New-SelfSignedCertificate -DnsName "<hostname>", "<hostname>" -CertStoreLocation "cert:\LocalMachine\My"

    1. To get hostname type ‘hostname’ on target machines powershell

  3. winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<hostname>"; CertificateThumbprint="<cert thumbprint here>"}'