Powershell - Pass in and execute string without using WinRM - powershell

I am trying to utilize a custom PS function that will accept a powershell command as a string parameter and execute/store the results in a variable within the function itself to be referenced later. After doing some research, I found a way of doing this by passing in "Get-WinEvent" as a string variable to the function and then within the function converting that variable to a scriptblock like so:
$PowershellQueryScript = [Scriptblock]::Create($PowershellQuery)
Once I did that, I called the variable in my foreach loop and stored the results like so:
$myResults = Invoke-Command -ComputerName $server -ScriptBlock $PowershellQueryScript
Now the error I receive is in regards to WinRM not being enabled ("Connecting to remote server myServer failed with the following error message : WinRM cannot process the request.") and unfortunately I do not think I will be allowed to make this settings change in production. If I were to call this command directly from my server -> production without utilizing Invoke-Command then everything works as expected as I think it does not have to create a remote PS session on the remote server so WinRM is not required.
Are there any other workarounds for allowing a user to call my function with a string and have that string be executed in the function itself WITHOUT having to enable WinRM?

After some more research, I found out WinRM was already enabled and the proper firewall settings were already configured as well. The problem was that I was using cnames and not FQDNs (Fully Qualified Domain Names) so the DNS was not resolving properly. Issue is resolved by converting cname to a value that can be resolved:
$ServerFQDN = [System.Net.Dns]::GetHostEntry([string]$ServerCname).HostName

Related

Double-Hop Errors when running Skype for Business Cmdlets

I am attempting to automate the Skype for Business Server installation process in Powershell, I have a script that remotes into specified machines and begins preparing them as Front-End servers. The problem lies when certain SfB cmdlets (SfB commands are all of the form "verb-Cs...", ex. Get-CsUser or Get-CsPool) are run in remote sessions, they throw the double-hop error:
Exception: Active Directory error "-2147016672" occurred while searching for domain controllers in domain...
This is after running Enable-CsComputer, which enables the computer's role-based off its definition in the topology (topology was published successfully). The user object is in all required groups (RTCUniversalServerAdmins, Schema Admins, CsAdministrators & Local Admin rights on all SfB Servers). Oddly enough, the command 'Import-CsConfiguration -localstore" does not throw errors, and it's in the same remote session. There may be other local or domain groups that I need to be in, but I cannot pinpoint exactly which and have not seen them documented in the Skype build guides. Skype commands that have parameters to specify targets or just pull data, such as Get-CsPool or Get-CsAdForest, do not have errors because they are run in the local scope. The Enable-CsComputer has no parameter for the computer name, it has to be executed from that machine itself.
Enabling CredSSP delegation on each server is not an option, and I'm not understanding why there is a "second hop" in this command! If the second hop was a resource on a file server or database, that would make sense, and be easy to solve, but in this case, I can't track it. Can anyone tell me what I may be missing?
Here's a code sample to try and illustrate. From the jumbox I get the pool data to create an array, and a session is opened to each machine:
$ServerArray =get-cspool -identity $poolName
$i=0
$SessionArray = #{}
foreach($server in $ServerArray.Computers){$SessionArray[$i] = new-PsSession -ComputerName $server}
foreach($session in $SessionArray.values){
invoke-Command -session $session -scriptBlock {
#remote commands:
import-csConfiguration -<config file path> -localstore; #no errors
enable-CsReplica; #no errors
enable-cscomputer; #double hop error here
}}
If I log into that machine and run the same command, it executes fine but the intention of the project is to automate it on an arbitrary number of machines.
It looks like it's just trying to authenticate to a domain controller, which is reasonable. You'll have to approach this like any other double-hop issue.
Microsoft has an article dedicated to the double hop issue, and has a few solutions other than CredSSP that you can look at: Making the second hop in PowerShell Remoting

Why would Get-Service not find the service with powershell

I am having problems with a powershell script.
I wrote a script that would search for a windows service with a specific name, and it would Stop or Start this service.
It works when I run it on a server which I log into with a service account that I know that can access the service console. However when it runs off of my build server, the script is no longer able to find the services. I tried giving the service account that runs script the same privaledges as the other service account but that doesn't seem to work.
[System.ServiceProcess.ServiceController]$service = Get-Service -Name $ServiceName -ComputerName $Remoteserver -ErrorAction SilentlyContinue
That is the line that is not longer able to find the service. What am I doing wrong. Is there a way to impersonate a user that can find the service? Any help would be appreciated.
You could try supplying the credentials of the service account using the -Credential parameter. However, since you imply that it used to work with the account that runs the script remotely and no longer does, I think a more likely culprit is that $ServiceName used to only match one service on the target computer, and now there is another service whose name matches that string. If more than one service matches the -Name parameter, Get-Service returns an array of ServiceController objects.
Try running it without ErrorAction -SilentlyContinue. If you get the following error message, then that's what's happening:
Cannot convert the "System.Object[]" value of type "System.Object[]" to type "System.ServiceProcess.ServiceController".
If you get a different error message, please add the full error message to the question.

Invalid computer name error with remote execution of PowerShell script

I am trying to execute some PowerShell code in a remote computer using the following:
$session = New-PSSession -Credential "myDomain\myUserName" -ComputerName "remoteCompName"
$result = Invoke-Command -Session $session -ScriptBlock {
New-Item -type file C:\test10.txt
}
I am prompted to enter my password in a GUI. I do that. It then errors out with:
New-PSSession : One or more computer names are not valid. If you are
trying to pass a URI, use the -ConnectionUri parameter, or pass URI
objects instead of strings.
I replaced the computer name with the FQDN. Still no luck. What is going on here?
There are other questions on stackoverflow on executing PowerShell scripts on remote machines of course but none address this error.
BTW, the machine is part of the domain and is running.
Additional info added later [EDIT]
Things to know:
The machine is part of the domain and is running.
I checked if PS remoting is enabled. It was.
I checked if WinRM is running. It is.
The remote machine is a VM and it is a 2012 R2.
Here is what I've tried:
I replaced the computer name with the FQDN. Still no luck.
I removed the credential parameter
I tried another remote machine (also a VM)
I tried another source machine, i.e. the machine I am running the command from)
Thanks!
-Rohan.
When I use a remote machine with a name that is just alphanumeric (no underscores, dashes, etc.), it works! The name of all machines I tried before had leading '_' in them. That was the cause of the error. (The answer was suggested by Rhys W Edwards on the Windows PowerShell TechNet forum, which is within Windows Server forums).
Just put your ComputerName to braces like this {Remote_Computer_Name}

Using a shared file variable in powershell

I am trying to execute a remote command to perform netsh command. The command will do a export of the nps configuration file and output it to a shared path. But, the command always give me an error "Access is denied". I realised the problem lies in the shared path value (\\shared-pc\temp). Without it, I am able to execute it successfully eg (C:\Users\User1\Desktop). I am able to browse to the shared location from the local and remote PC. Any advice is greatly appreciated. Below is the command. Thanks.
invoke-command -computername nap1 -scriptblock {netsh nps export filename = "\\shared-pc\temp\config.xml" exportPSK = yes}
This is the double-hop / second-hop authentication problem. You're credentials is passed to the nap1-server, but nap1 doesn't have the permission to pass on the same credentials(yours) to the fileserver to get access.
The solution to is to use CredSSP
There are some mixed feelings about how smart it is to use in a production enviroment, but that's up to your company to decide.

create a function with proper scope

I need to create a script to authenticate to a remote PC and access to PS console. It actually works, but I need to execute a number of commands when I need to terminate this session.
So I create a function STOP to be called to terminate the session, but it can't be used.
Is this a problem of scope (because it's inside an if statement)? If I manually create the same function and then I try to call it... It works!
# get connection parameters
$credential = Get-Credential -Credential xxx
$remote_PC = Read-Host "Insert the server name or IP (Q to abort): "
# connect
if (someKindOfCheck) {
Enter-PSSession -ComputerName $remote_PC -Credential $credential
# some commands
function STOP {
Exit-PSSession;
# some commands
}
}
I've come across a similar issue before, and I resolved it by creating a New-PSSession and assigning it to a varialbe, I then use the Invoke-Command with -Session option to execute the required commands.
Enter-PSSession is only for interactive use (once you've entered that session it only takes input from the console).
The only way I can think of that would make this work "automagically" would be to create a custom remoting session on the target machine that implements a proxy function for Exit-PSSession, and put your commands in that function.