I am trying to manage a Windows server 2012 R2 Standard server over winrm. On the server I would like to run dnscmd from the rsat package. You can see below if I just run the dnscmd in the power shell prompt it is successful. However when I invoke it remotely over winrm the command fails with ERROR_ACCESS_DENIED.
PS C:\Windows\system32> dnscmd adServer /RecordDelete mycompany.com newTestRecord A /f
Deleted A record(s) at mycompany.com
Command completed successfully.
PS C:\Windows\system32> Test-WsMan localhost
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
PS C:\Windows\system32> Invoke-Command -ComputerName localhost -ScriptBlock {
>> dnscmd adServer /RecordDelete mycompany.com newTestRecord A /f
>> }
Command failed: ERROR_ACCESS_DENIED 5 0x5
PS C:\Windows\system32> Invoke-Command -ComputerName localhost -ScriptBlock {
>> hostname
>> }
myServerHostname
The issue was double-hop/multi-hop. When you login over winRM it doesn't want to allow you to use the same credential token to reach to a different machine. I got around this issue by connecting over winrm then opening up a nested Powershell session. It's essentially refreshes the tokens allowing the user to connect to the active directory server.
Please see the following for more information
https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/
https://blogs.msdn.microsoft.com/sergey_babkins_blog/2015/03/18/another-solution-to-multi-hop-powershell-remoting/
Make sure to install Remote Server Administration Tools (RSAT) for dnscmd.
$password = '{pass}' | ConvertTo-SecureString -AsPlainText -Force
$username = '{user}'
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$password
Invoke-Command -ComputerName localhost -Credential $cred -ConfigurationName svc_dns_middleMan -ScriptBlock {
'{dnscmd_commands}'
}
Related
I'm building a VM image in Azure through automation pipelines using PowerShell. One of the requirements is to install a certificate on the CurrentUser store for a specific user. When I am currently logged into the VM, I can run the following command through Azure Run Commands:
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
$session = New-PSSession $env:ComputerName -credential $Credential
$command = {
param($certPassword, $filePath)
Import-PfxCertificate -FilePath $filePath -CertStoreLocation Cert:\CurrentUser\My -Password $certPassword
}
Invoke-Command -ScriptBlock $command -ArgumentList $certPassword,$filePath -Session $session
When I am not currently logged into the VM under that user, I get an Access Denied error. The error goes away as soon as I login to the machine again. If I run the pipeline while I'm logged into the VM, it succeeds.
What is different about PowerShell permissions while I am logged into the VM?
I'm new to the Jmeter and I need to run an executable file that exists on a remote windows machine, I used OS sampler request but I don't know how to make it connect to the remote machine
There are 2 options:
Using PsExec like:
Command: `cmd.exe'
First argument: /c
Second argument: `/path/to/psexec.exe \your-remote-machine -u username -p password -c /path/to/file.exe
Using Windows Powershell Remoting
Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
First argument: $password = ConvertTo-SecureString -String ${password} -AsPlainText -Force; $credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "${username}",$password; Invoke-Command -Computer ${host} -cred $credentials -scriptBlock { /path/to/file.exe }
More information: How to Run External Commands and Programs Locally and Remotely from JMeter
I need to execute some code on remote machine, I use powershell's Invoke-Command to do that.
Invoke-Command -ComputerName TESTPC -ScriptBlock { Get-WMIObject Win32_ComputerSystem | Select-Object -ExpandProperty name };
It works on my local but fails in TeamCity server. It says: Connecting to remote server TESTPC failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.. I tried to solve it this way https://stackoverflow.com/a/27872686/3561198 but the condition is always true and it looks like the script is run with admin rights. How to fix the issue? Otherwise suggest another way to execute some code on remote Windows machine.
Start an interactive session with the destination machine first and then use Invoke-Command to run the script block.
Enter-PSSession Server01
Invoke-Command -ComputerName Server01, Server02 -ScriptBlock { your code here }
Exit-PSSession
I have a script block that I'm trying to make it run as a different domain user.
$Username = 'domain\test'
$Password = '1234'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName,$pass
Invoke-Command -ScriptBlock{
write-host "hello"
} -Credential $cred -ComputerName $env:COMPUTERNAME
When I run it I got the following error:
[test-pc] Connecting to remote server test-pc failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests.
Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM se
rvice: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
Why the script is trying to authenticate locally and not against the DC ?
Thanks
If you don't actually want to run the script remotely, you can use Start-Process to run Powershell as another user, which will then execute your command/script as that user.
(See powershell command line help for full syntax options and examples)
# Using Get-Credential to illustrate, substitute with your own credential code
$cred = Get-Credential
# Run Command:
Start-Process -FilePath Powershell -Credential $cred -ArgumentList '-Command', 'Write-Host "Hello"'
# Run Script:
Start-Process -FilePath Powershell -Credential $cred -ArgumentList '-File', 'C:\folder\script.ps1'
I'm new to programming and am trying to write a powershell script.
I'm in a windows domain environment with over 50 remote offices. Each office has 4 computers. One computer, "Computer A," has dropbox installed that we use for backups, and now software updates. I want to execute a script from my local machine that copies a folder (~1 GB) to the other computers in that LAN, and runs the setup.exe file in the directory to update software on these computers.
As far as I can tell in order to use the Enter-pssession cmdlet & run a copy-item and start process, I have to:
On remote machine enable winrm by: enable-psremoting -force
On remote machine enable CredSSP authentication by: enable-smancredssp -role server -force
On local machine enable CredSSP authentication by: enable-SmanCredSSP -role
client -force
From here I can enter the Power shell session and begin the copy and install. Here is the code I'm running:
#Allow my computer to send credentials to remote computers
Enable-WSManCredSSP -Role Client -DelegateComputer * -Force
$credential = Get-Credential -Credential domain\user
#Getting Content
$path = "C:\computernames.csv"
Import-Csv -path $path |
foreach-object {
$computername = $_.Name
if (Test-Connection -cn $_.Name -quiet) {
#copy the batch file that allows remote powershell access
$source = "c:\"
$destination = "\\$computername\c$\install files\remoteaccess"
robocopy $source $destination
#open file to allow remote PS access
& psexec \\$computername -a runas -u domain\user -p password -c -f -h "\\$computername\c$\install files\remoteaccess\remoteaccess.bat"
#Initiates Power Shell session with remote computer
Enter-PSSession -cn $_.Name -Credential $credential -Authentication Credssp
#begin copy
#be sure to refine destination
copy-item -path $_.Source -Destination $_.Destination -force -verbose -recurse | out-file c:\copylog.txt
#begin silent install
#code here
#stop wsmancredssp accep
disable-wsmancredssp -role server
#close pssession
exit-pssession
} else {
"$computername is not online"
}
}
Disable-wsmancredssp -role client
The computernames.csv has the headers: Name, Source, Destination with UNC directories for each LAN's computer with dropbox and where to copy the file.
The "remoteaccess.bat" file contains the following two lines of code:
powershell.exe enable-psremoting -force >>c:\remotelog.txt
powershell.exe Enable-WSManCredSSP -role Server -force >>c:\remotelog.txt
The powershell window freezes after initiating the psexec session with the remote computer and sends the first powershell command to enable remoting. No error is generated, or input requested. The output of this command is saved in the remotelog text file:
"WinRM has been updated to receive requests.
WinRM service started.
WinRM already is set up for remote management on this machine."
It appears the powershell command to enable wsmancredssp is never received. When I run the batch file on the remote computer from remote access software, both commands execute and are logged successfully. Where is my psexec command going wrong, or how can I setup these computers to allow remote sessions with a remote command without using GPO?