Executable causing some issues, (0xc0000142)

Ask your Windows PowerShell-related questions, including questions on cmdlet development!
Forum rules
Do not post any licensing information in this forum.

Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
Post Reply
DaveMcDonald
Posts: 13
Joined: Tue Sep 04, 2018 8:41 am

Executable causing some issues, (0xc0000142)

Post by DaveMcDonald » Fri Aug 23, 2019 11:36 am

To help you better we need some information from you.

*** Please fill in the fields below. If you leave fields empty or specify 'latest' rather than the actual version your answer will be delayed as we will be forced to ask you for this information. ***

Product, version and build: PowerShell Studio 2019 Version 5.6.167 build v10.0.16299.0
32 or 64 bit version of product:64
Operating system:Windows 10 Enterprise.
32 or 64 bit OS:64

*** Please add details and screenshots as needed below. ***

DO NOT POST SUBSCRIPTIONS, KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM

Background: We needed a tool to check share information (security groups, permissions on the security groups etc). Our network has some issues with shared drives, not everyone at our Service Desk can access the information (even the same issue with the Account Management group). So, the only solution was to create a service account that did have access to all shares but no access to AD other than Domain User.

This worked for the first two versions of the application. The third version, of which I am working on, contains some new features. One of them is the ability to modify managedby and add write-members permissions to security groups. because the account the program is impersonating has no access to AD to modify security groups, I have set it up as a Job to change this information.

The start-job is running as credentials provided by the user. These credentials do have the required access to AD.

When the start-job runs, it returns the subject error.

I am thinking it's an issue with the impersonation and the start-job running as different credentials.

The error within the script is:
[localhost] The background process reported an error with the following message: .
+ CategoryInfo : OpenError: (localhost:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : 2100,PSSessionStateBroken

User avatar
brittneyr
Site Admin
Posts: 154
Joined: Thu Jun 01, 2017 7:20 am

Re: Executable causing some issues, (0xc0000142)

Post by brittneyr » Fri Aug 23, 2019 11:41 am

[TOPIC MOVED TO WINDOWS POWERSHELL FORUM BY MODERATOR]
Brittney Ryn
SAPIEN Technologies, Inc.

User avatar
jvierra
Posts: 13717
Joined: Tue May 22, 2007 9:57 am
Contact:

Re: Executable causing some issues, (0xc0000142)

Post by jvierra » Fri Aug 23, 2019 11:46 am

You have a mistake in your coding. YOu are passing an array where a simple string is required. Please get nd read the complete error as it will tell you the exact command.

DaveMcDonald
Posts: 13
Joined: Tue Sep 04, 2018 8:41 am

Re: Executable causing some issues, (0xc0000142)

Post by DaveMcDonald » Tue Aug 27, 2019 8:11 am

Here is the function.

Code: Select all

Function Change-SecACL
{
<#
.SYNOPSIS
This function will modify a security group ACL.

.DESCRIPTION
This function will run as a job with diffrent credeitanls (supplied at start of the script).
It will ADD or REMOVE an ACE from the ACL. It only currently adds or removes the Write-Members allow
ACE for the User.

.EXAMPLE
PS C:\> Change-SecACL mcdonalddw ETIAll -AR ADD

.NOTES
Since the whole script runs as a service account, this funtion actually runs as a job with diffrent
credentials. We do not want the serivce account modifying AD objects. Admin account credentials must be
supplied at the start of the script.

.PARAMETER $USER
An AD User Account

.PARAMETER $Group
An AD Security Group

.PARAMETER $AR
Add or Remove the user from the group ACL
#>
param (

[Parameter(Mandatory = $true)]
[System.String]$User,
[Parameter(Mandatory = $true)]
[System.String]$Group,
[ValidateSet("ADD", "REMOVE")]
[System.String]$AR
)

# Must be run as a job with diffrent crednetials
Write-Host "Starting Job"
Try
{
Start-job -InitializationScript ({ Import-Module Microsoft.PowerShell.Security }) -PSVersion 3.0 -name "Set-ACL" -Credential $admincred -ScriptBlock {
$AR = $args[2]
$userinfo = get-aduser $args[0]
$groupinfo = Get-adgroup $args[1]
#Create the SID object
$Sid = New-Object System.Security.Principal.NTAccount($userinfo.SamAccountName)
$sid = $sid.Translate([System.Security.Principal.SecurityIdentifier])
$identity = $sid
$aclpath = "AD:\$($groupinfo.DistinguishedName)"
#Get the current ACL
$GroupACL = Get-Acl -Path $aclpath
#Create the access control entry we wish to modify.
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
$identity,
[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
[System.Security.AccessControl.AccessControlType]::Allow,
"bf9679c0-0de6-11d0-a285-00aa003049e2",
[DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
#Decide if we are going to add the ACE to the ACL or remove the ACE from the ACL.
switch ($AR)
{
"ADD" { $GroupACL.AddAccessRule($ACE); break }
"REMOVE" { $GroupACL.RemoveAccessRule($ACE); break }
}
#Set the ACL with the modifications. This will preserve the original entries other than the one we modified.
Set-Acl -path $aclpath -AclObject $GroupACL

} -ArgumentList $User, $Group, $AR
}
catch
{
if ($_.Exception.InnerException)
{
Write-Host $_.Exception.InnerException.Message
}
}
#Wait for the job to complete.
#Write-Host "Waiting for Job"
Wait-job -name "Set-Acl"
Receive-Job -Name "Set-ACL"
}

User avatar
jvierra
Posts: 13717
Joined: Tue May 22, 2007 9:57 am
Contact:

Re: Executable causing some issues, (0xc0000142)

Post by jvierra » Tue Aug 27, 2019 10:44 am

The error indicates a network or system issue. Please carefully read the complete error.

It is more helpful to return the exact and complete error object. Your "Catch" should just rethrow the error and quit.

Code: Select all

Catch{
     Throw $_
}

User avatar
jvierra
Posts: 13717
Joined: Tue May 22, 2007 9:57 am
Contact:

Re: Executable causing some issues, (0xc0000142)

Post by jvierra » Tue Aug 27, 2019 12:16 pm

Here is a cleaner and more correct way to write your code:

Code: Select all

Function Change-SecACL {
    Param(
        [Parameter(Mandatory = $true)]
        [string]$User,
        [Parameter(Mandatory = $true)]
        [string]$Group,
        [Boolean]$RemoveAce
    )
    
    $jobScript = {
        $ErrorActionPreference = 'Stop'
        Try{
            $AR = $args[2]
            $aduser = get-aduser $User
            $adgroup = Get-adgroup $Group
            $adpath = "AD:\$($adgroup.DistinguishedName)"
            $GroupACL = Get-Acl $adpath
            $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::New($aduser.SID,'WriteProperty','Allow','bf9679c0-0de6-11d0-a285-00aa003049e2','All')
            if($RemoveAce){
                $GroupACL.RemoveAccessRule($ace)
            }else{
                $GroupACL.AddAccessRule($ace)
            }
            Set-Acl -path $adpath -AclObject $GroupACL
        }
        Catch{
            Throw $_
        }
    }
        
    # Must be run as a job with diffrent crednetials
    Write-Host "Starting Job"
    $ErrorActionPreference = 'Stop'
    Try{
        $job = Start-job -Name SetACL -Credential $admincred -ScriptBlock $jobScript -ArgumentList $User, $Group, $RemoveAce
        $job | Receive-Job -Wait
    }
    Catch{
        Throw $_
    }
}

Post Reply