Problem: Fixes for Windows Service Error 1067
Solution:
Method 1: Fix Permissions Issues
Permission problems are responsible for error 1067. To fix the issue, it helps to have access to the service controls from your personal user profile.
Steps to follow:
Press the Win+R keys at the same time to open the Run utility, type services.msc, and press Enter.
Find the service that reports error 1067 in the services list, right-click it, and choose Properties from the context menu.
If the service is running, stop it. If it is stopped, go to the Log On tab and click the Browse button.
Type your account name in the "Enter the object name to select" box and click Check Names. Wait for the name to be available.
Click OK. If needed, enter the password. Now, the service should start without error code 1067.
Method 2: Repair the Problematic Service
The "process terminated unexpectedly" error occurs when the service you are trying to start has become faulty or corrupted. Try deleting and reinstalling the service to get rid of the trouble.
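A quick check before applying either method, as an added example (not part of the original page): it shows which account the service logs on as and the Service Control Manager events recorded for it. The service name is a placeholder and the seven-day window is an assumption.

```powershell
# Added example. 'MyService' is a placeholder; use the name of the failing service.
$serviceName = 'MyService'

# Logon account (StartName), state, binary path and last exit code of the service.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found." }
$svc | Format-List Name, DisplayName, State, StartMode, StartName, PathName, ExitCode

# Service Control Manager events in the System log:
# 7000/7009 = failed to start, 7031/7034 = terminated unexpectedly.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009, 7031, 7034
    StartTime    = (Get-Date).AddDays(-7)   # assumption: look back one week
}

# SCM messages use the display name, so filter on that rather than the service name.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($svc.DisplayName) } |
    Select-Object -First 20 TimeCreated, Id, Message |
    Format-List
```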
Problem: Running PS script with parameters support
Solution:
Navigate to the directory where the script is located, e.g. cd c:/folder;
Pass the script name along with the input parameters, delimited with spaces if there is more than one.
Note: all commands work the same as in native PowerShell, except a few. For example, -ComputerName may not work as expected, as it requires a different protocol than WinRM.
Example
cd C:\Users\Administrator\Desktop; .\demo.ps1 parameter1 parameter2
Problem: Get-ADGroupMember: The size limit for this request was exceeded
Solution:
This is due to a limitation in AD Web Services; see: http://technet.microsoft.com/en-us/library/dd391908%28WS.10%29.aspx
The default limit is 5000. This can be adjusted in a config file, but to keep things consistent you have to update that file on each DC.
On the Domain Controller navigate to the file C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config
Put this entry (if you don't already have it)
<add key="MaxGroupOrMemberEntries" value="25000" />
Save the config file and restart the ADWS service on the Domain Controller.
PowerShell
Stop-Service ADWS
Start-Service ADWS
Repeat this on all your Domain Controllers.
Problem: GoDaddy SSL certificate issue
To get GoDaddy certificates to work in Java with SHA2, you will need to use their cross-certificate in your chain to chain the G2 (SHA2) root to the G1 (SHA1) root until Java decides to update their repository. The cross-certificate bundle can be downloaded here:
https://certs.godaddy.com/anonymous/repository.pki
Problem: Add-Content: Access to the path is denied
Solution:
Check that the path exists: Test-Path "path-to-be-checked"
Check for special cases, such as:
If you need to create/update your file directly in the C:\ drive, make sure that you have added Set-ExecutionPolicy "Unrestricted" at the beginning of your PowerShell script.
Problem: SSL_connect
Solution:
If there is no CA (Certificate Authority), as in the case of a self-signed certificate, verification ideally will not happen. Such a certificate is meant for encryption only, not for authentication. So whenever self-signed certificates are configured, the app configuration key Disable SSL Certificate Verification has to be set to true.
If a Certificate Authority is present, verify the certificate chain with SSL Certificate Validator.
Problem: The ampersand (&) character is not allowed.
Sample Command
New-ADUser -Name '<Name>' -AccountPassword (ConvertTo-SecureString QWE&60(nm -AsPlainText -Force) -DisplayName '<DisplayName>' -Enabled 1 -GivenName '<GivenName>' -Path 'OU=<OU>,OU=<OU>,OU=<OU>,DC=<DC>,DC=<DC>,DC=<DC>' -SamAccountName '<SamAccountName>' -Surname '<Surname>' -Type 'user' -UserPrincipalName '<UserPrincipalName>'
Error Response
{
"response" : {
"result" : "At line:1 char:72\r\n+ ... -Name '<Name>' -AccountPassword (ConvertTo-SecureString QWE&60(nm -A ...\r\n+ ~\nThe ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks (\"&\") to pass it as part of a string.\r\n\r\nAt line:1 char:353\r\n+ ... 'User1' -Type 'user' -UserPrincipalName '<UserPrincipalName>'\r\n+ ~\nMissing closing ')' in expression.\n + CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException\n + FullyQualifiedErrorId : AmpersandNotAllowed,Microsoft.PowerShell.Commands.InvokeExpressionCommand\n"
},
"meta" : {
"exit-code" : 0,
"message" : "success"
}
}
Solution:
Since the & operator is reserved for future use, you should omit this character.
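The parser behaviour behind this error, as an added example (not part of the original page): the PowerShell language parser is run over the unquoted and the single-quoted form of the same ConvertTo-SecureString call, without executing either. The password is the sample value from the command above; Test-PSParse is a hypothetical helper name.

```powershell
# Added example: Test-PSParse is a hypothetical helper, not a built-in cmdlet.
function Test-PSParse {
    param([Parameter(Mandatory)][string]$Command)

    $tokens = $null
    $errors = $null
    # Parse only; nothing in $Command is executed.
    [void][System.Management.Automation.Language.Parser]::ParseInput(
        $Command, [ref]$tokens, [ref]$errors)

    [pscustomobject]@{
        Command  = $Command
        Parses   = ($errors.Count -eq 0)
        ErrorIds = @($errors | ForEach-Object ErrorId)
    }
}

# Unquoted, as in the sample command: '&' is read as an operator and '(' opens
# an expression, so the parser reports errors (AmpersandNotAllowed among them).
$unquoted = 'ConvertTo-SecureString QWE&60(nm -AsPlainText -Force'

# Single-quoted: every character, including '&' and '(', is taken literally.
$quoted = "ConvertTo-SecureString 'QWE&60(nm' -AsPlainText -Force"

Test-PSParse $unquoted | Format-List
Test-PSParse $quoted   | Format-List
```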
Problem: No connection could be….
No connection could be made because the target machine actively refused it. - No connection could be made because the target machine actively refused it. - connect(2) for "10.109.152.241" port 5886 (10.109.152.241:5886)
Solution:
This issue occurs when the IP/username/password/port is wrong. Double-check all the configurations.
Problem: Cannot open Service Control Manager on computer…...
PS C:\Users\Administrator> Get-Service -ComputerName 'EC2AMAZ-JDAKI9N'
Get-Service: Cannot open Service Control Manager on computer 'EC2AMAZ-JDAKI9N'. This operation might require other privileges.
At line:1 char:1
+ Get-Service -ComputerName 'EC2AMAZ-JDAKI9N'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
Solutions:
By default, Windows Firewall blocks remote management, which may explain why sc and mmc aren't working either, so open the required port on the machine.
Try using the IP address instead of the hostname; sometimes the hostname does not resolve.
Problem: Get-ADGroup will work perfectly but Get-ADGroupMember will not
Solution:
Look at the groups that have errors in ADUC; you will see that some of the members are foreign principals (members of another domain). You can get around it with this:
Function Get-ADGroupMemberFix {
    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0
        )]
        [string[]]
        $Identity
    )
    process {
        foreach ($GroupIdentity in $Identity) {
            # Read the group's raw member attribute (a list of distinguished names)
            $Group = $null
            $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member
            if (-not $Group) {
                continue
            }
            # Resolve each DN as a generic AD object, so members from another domain are returned too
            Foreach ($Member in $Group.Member) {
                Get-ADObject $Member
            }
        }
    }
}
Get-ADGroupMemberFix '<group name>'
Configure WinRM over HTTPS with a Self-Signed Certificate
winrm e winrm/config/Listener
New-SelfSignedCertificate -DnsName "<hostname>", "<hostname>" -CertStoreLocation "cert:\LocalMachine\My"
To get the hostname, type 'hostname' in PowerShell on the target machine.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<hostname>"; CertificateThumbprint="<cert thumbprint here>"}'
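The same procedure as one script, as an added example (not from the original page). It assumes an elevated PowerShell session on the target machine and the default WinRM HTTPS port 5986; the firewall rule name and the export path are hypothetical.

```powershell
# Added example; run in an elevated PowerShell session on the target machine.
$hostName = [System.Net.Dns]::GetHostName()

# 1. Self-signed certificate for the hostname in the machine store.
$cert = New-SelfSignedCertificate -DnsName $hostName `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. HTTPS listener bound to that certificate (WSMan provider form of "winrm create").
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force

# 3. Allow inbound 5986/tcp. The rule name is an assumption; add -RemoteAddress
#    to limit the rule to your management hosts where possible.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (example)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow

# 4. List the listeners to confirm the HTTPS entry and its thumbprint.
winrm enumerate winrm/config/Listener

# 5. Export the public certificate (no private key) for distribution to clients.
$cerPath = Join-Path $env:TEMP "$hostName-winrm.cer"
Export-Certificate -Cert $cert -FilePath $cerPath

# On a client, trusting the exported file lets the connection be made with
# certificate checks left on:
#   Import-Certificate -FilePath <exported .cer> -CertStoreLocation Cert:\LocalMachine\Root
#   Enter-PSSession -ComputerName <hostname> -UseSSL
```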