Use PowerShell to Enter-PSSession from the Active Directory Users and Computers MMC

I'm known for inserting PowerShell into most work-related conversations. I can't help it... there's probably a name for this 'affliction'...

Anyway, I was using the Active Directory Users and Computers MMC (dsa.msc) the other day and I recalled some functionality I'd leveraged years ago to insert a HTA into a context menu.

 

 

Two things immediately sprang to mind:

  1. How can I use PowerShell to make a change to a dsa.msc context menu?
  2. How can I call PowerShell from a dsa.msc context menu?

 

Update Context Menu using PowerShell

To do this we need to make a change to an item in the configuration partition. How?

There's a container in the configuration partition called DisplaySpecifiers. In this container are numbered sub-containers and in these sub-containers are DisplaySpecifier objects that can control the behaviour of EVERY Active Directory Users and Computers MMC in the forest. To create a new context menu item, all we do is tweak an attribute on the specifier that deals with the object type we want to add a custom action to, e.g. if we want to a PowerShell option to show up every time we right-click a computer object we amend the computer DisplaySpecifier. Let me show you where these objects live:

 

  

Here's how you make a change to the computer DisplaySpecifier object with PowerShell:

$Config = (Get-ADRootDSE).ConfigurationNamingContext

Set-ADObject -Identity "CN=computer-Display,CN=409,CN=DisplaySpecifiers,$Config" -Add @{adminContextMenu = "2,PowerShell...,\\HALODC02\Enter-PSSession\Enter-PSSession.bat"}

 

First we get a reference to the distinguished name of the configuration partition by using the Get-ADRootDSE cmdlet. Once we have this stored as a variable we can target the computer-Display object with the Set-ADObject cmdlet. We pass a hash table to the -Add parameter that includes the variable we want to append to - adminContextMenu. The value associated with the attribute is interesting. It can be broken down thus:

  • '2' is positional, i.e. we have a numbered sequence of additional items... 1 will already be taken and if you've made extensions previously, 2 might be in use, too - best check with PowerShell...

(Get-ADObject -Identity "CN=computer-Display,CN=409,CN=DisplaySpecifiers,$Config" -Properties adminContextMenu).adminContextMenu

  • 'PowerShell...' is what gets displayed on the context menu
  • '\\HALODC02\...' etc. is a reference to a script file called by the context menu item

Start PS Remoting from dsa.msc

We now have a context menu item for computer objects called 'PowerShell...' . When clicked this item calls a batch file. The batch file takes a parameter passed to it by the MMC and calls a PowerShell script. Both the batch file and the PowerShell script are stored on a resilient and secured network share - remember, the context menu item is now available for every instance of Active Directory Users and Computers in the forest. Here's the contents of the Enter-PSSession.bat batch file:

@echo off
Title "Enter-PSSession"
echo.
PowerShell.exe -ExecutionPolicy Unrestricted -NoExit -File "\\HALODC02\Enter-PSSession\enter-pssession.ps1" -Computer %2

 

The last line is what we're interested in. We call a simple PowerShell script with the second argument passed to the batch file by the MMC ( %2) supplied to the -Computer parameter of the PowerShell script -  %2 is the hostname of the computer we highlighted, so in the above example image it will be HALOMEM01.

Here's the contents of the Enter-PSSession.ps1 PowerShell script:

param ($computer)

$UI = (Get-Host).UI.RawUI

$UI.WindowTitle = "Enter-PSSession: $computer"

Enter-PSSession $computer 

   

Here's what happens when I click the context menu item:

 

 

Sweet! A remote, interactive PowerShell session established to the computer object selected in Active Directory Users and Computers!

Now, you might be asking yourself why the batch file and why not just call the PowerShell script directly? Well, this is to do with the fact that the MMC will only call a script file or executable without parameters and also because a ps1 file, by default, opens up in notepad and not with a PowerShell host (this is to prevent accidental or malicious execution of ps1 script files). To get round the fact that we can't call PowerShell.exe with parameters, we call a batch file that contains the parameters. Make sense?

 

NB - sadly, the Enter-PSSession example won't work against a domain controller computer object. This is because the parameters passed to the batch file by the MMC for a DC object aren't the same as for a standard computer object... pesky developers!