I have written a script that allows to connect to a windows server machine using WinRM in order to run a script that exists on the Windows Server machine PS_Block_Access_Internet_GPO.ps1 but the script is not executed despite that the session was well created.
Besides the script needs administrator privileges to be executed, so how can I provide the needed privileges for script using PowerShell.
Enable-PSRemoting
Enter-PSSession -ComputerName Server.Admin.6NLG-AD
.\PS_Block_Internet_Access_GPO.ps1
To run a local script against a remote computer I would use use Invoke-Command, this doesn't need the script to be present on the remote computer.
Invoke-Command -ComputerName 'Server.Admin.6NLG-AD' -FilePath C:\Folder\myScript.ps1
As your script looks to create a GPO, you may likely need to use an alternative user account with appropriate permissions on your domain...
You can use the Credential param to specify an account like this:
Invoke-Command -ComputerName 'Server.Admin.6NLG-AD' -FilePath C:\Folder\myScript.ps1 -Credential Domain\Username
Related
Editing to be clear with the issue
I am running the below code from a local computer which should run the script Test.ps1 placed on $server at C:\Temp to collect data from $server and other servers.
When i perform this, the script runs but i only get data for the $server and not the others. While if i run the C:\Temp\Test.ps1 script sitting on the $server, i get the desired output for all servers.
I am using this code
$s = New-PSSession -ComputerName $server -Credential $credential
Invoke-Command -Session $s -Command {C:\Temp\Test.ps1}
I am getting the output for the remote server on which the code is placed (localhost for the script), buti am not getting any output for the other servers.
While if I run the script locally on the remote server i get output from all the servers
The script does not have to be on the remote host. PowerShell allows you to run local PS1 scripts on remote computers.
Running Remote Commands
https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
Run a Script
To run a script on one or many remote computers, use the FilePath
parameter of the Invoke-Command cmdlet. The script must be on or
accessible to your local computer. The results are returned to your
local computer.
For example, the following command runs the DiskCollect.ps1 script on
the remote computers, Server01 and Server02.
Invoke-Command -ComputerName Server01, Server02 -FilePath 'c:\Scripts\DiskCollect.ps1'
As for this...
'My requirement is to run that script from the remote host per
security protocols'
... just use a script block as shown via the same MS Docs link
Run a Remote Command
To run a command on one or more computers, use the Invoke-Command
cmdlet. For example, to run a Get-UICulture command on the Server01
and Server02 remote computers, type:
Invoke-Command -ComputerName Server01, Server02 -ScriptBlock {& .c:\Scripts\DiskCollect.ps1}
Of course, I just removed Get-UICulture cmdlet in the docs command, with a script to use.
It depends on how your remote script uses credentials to access other servers. This should classify as a double hop issue.
If you cannot use CredSPP, you can use Resource-Based Kerberos Constrained Delegation
or use credentials inside the Invoke-Command scriptblock i.e. you can define a credential object on the local computer to be used in the -credentials parameter, and refer to it with $using:cred in your scriptblock.
The article does a good job of summarizing all your options.
I'm trying to run invoke-command to launch a powershell script in a powershell file on a remote computer. I'm using the credentials for a user with Administrator privilege. The command needs to be executed by running powershell as an administrator. There are licensing issues with the application that i'm trying to invoke using the powershell script, so i cannot change the credentials to Administrator but need to run with that particular user itself. I have tried using -RunAsAdministrator at the end of the Invoke-Command, but i got an error saying:
Invoke-Command : Parameter set cannot be resolved using the specified named parameters.
$command = {
cd Folder
C:\Folder\build.ps1
}
Invoke-Command -ComputerName $RemoteSystemIP -ScriptBlock $command -credential $Credentials1 -ErrorAction Stop -AsJob
I'm trying to execute this as a background job that's why i added the -AsJob parameter.
Its been several days and i haven't found a solution yet.
tl;dr
The only way to get a remote PowerShell session to execute elevated (with admin privileges) is to connect with a user account (either implicitly or via -Credential) that has admin privileges on the target machine.
With such an account, the session automatically and invariably runs elevated.
The Invoke-Command's -RunAsAdministrator switch can only be used with (virtualization) containers (-ContainerId parameter), not regular remoting (-ComputerName parameter).
You cannot elevate on demand in a remote session (the way you can locally, interactively with Start-Process -Verb RunAs).[1]
Instead, you must make sure that the credentials you're passing to Invoke-Command -Credential to connect to the remote machine with refer to a user account that (also) has administrative privileges on the target machine, in which case the remote session automatically and invariably runs elevated (with admin privileges).[2]
If you cannot pass such credentials, I think you're out of luck.
To test if the current user has administrative privileges:
# Returns $true if elevated, otherwise $false.
[Security.Principal.WindowsPrincipal]::new(
[Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
Separately, here's a simple test you can run from inside a session to determine whether it is running with elevation:
# Returns $true if elevated, otherwise $false.
[bool] (net session 2>$null)
[1] Unless the session at already is elevated, -Verb RunAs presents a pop-up UAC dialog that a user must confirm interactively, which is not supported in a remote session.
[2] The same applies if you use "loopback remoting", i.e. if you target the local machine via remoting, using Invoke-Command -ComputerName ., for instance, with additional restrictions, however: You cannot use a user that is authorized for remoting but isn't part of the local Administrators group, and if you use the current user (whether or not with explicit credentials), the calling session must itself be elevated.
I think you should do this:
$command = {
Start-Process "powershell" -Verb runas -Workingdirectory "C:\Folder\" -ArgumentList "build.ps1"
}
Invoke-Command -ComputerName $RemoteSystemIP -ScriptBlock $command -credential $Credentials1 -ErrorAction Stop -AsJob
I am trying to remote into another desktop using Powershell's Enter-PSSession to run a script automatically, however, i am not even able to connect to the remote desktop.
Enter-PSSession -Computername 172.16.164.14 -credential $cred
But it says access is denied. This is the error message:
Enter-PSSession : Connecting to remote server 172.16.164.14 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
I also tried using:
Invoke-Command -ComputerName 7450-56Z0BP2 -FilePath -C:\user_automation\automate.vbs -credential $cred
where 7450-56Z0BP2 is the hostname, but the error it gave me is:
[7450-56Z0BP2] Connecting to remote server 7450-56Z0BP2 failed with the following error message : WinRM cannot process the request.
I am not sure what could be the cause of me not being able to access the remote computer. I am able to access it via RDP, but I am not able to log in using the powershell script.
PowerShell Remoting is not Remote Desktop, they are both setup differently, use different components and do not really share any commonality.
Permissions are not linked between the two, just because you can RDP to a computer does not mean you have PSRemoting permissions.
You use PSRemoting you need to run Enable-PSRemoting on the remote machine. This sets up all the requirements: settings, firewall rules and services. This command needs to be run as a user with Administrator permissions on the remote machine.
Once this is setup, you will be able to connect using Enter-PSSession / Invoke-Command
Your code to run a vbscript remotely won't work because the FilePath param is for a PowerShell script. To run a vbscript remotely you need to call cscript:
Invoke-Command -ComputerName '7450-56Z0BP2' -ScriptBlock { cscript.exe "C:\user_automation\automate.vbs" } -Credential $cred
This is permissions problem, not powershell remoting problem.
Your error is "access denied"(Your example 1) , not "could not connect".
Essentially being able to log on using remote desktop requires different permissions than being able to use psremoting.
Here is how You check on target servers what security group membership will allow You to use psremoting:
PS C:> (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllo
wed
While remote desktop is granted by being a member of Remote Desktop Users group or local administrators group.
You need to enable PowerShell Remoting on Remote Server as Follows:
Allowing remote PowerShell Windows Endpoint access
Open a PowerShell session as Administrator.
Execute the following command to open the PowerShell Endpoint security windows:
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force
Click Add.
Select the desired user to include to the list.
Enable Read and Execute permissions.
Click OK to apply your change.
I am trying to use powershell to run a bat script that is located on Computer A and execute it on Computer B
Computer A is the computer calling the Invoke Command function
I am trying to do this via
Invoke-Command -ComputerName ComputerB -ScriptBlock{& "\\ComputerA\filepath\batch.bat"} -Credential $Cred
When I run this I recieve the error
The term '\\ComputerA\filepath\batch.bat' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I have also tried to run it by calling cmd on Computer B and pass this bat script as an argument and I dont recieve any errors but I can tell the script did not run
The command I use for this is
Invoke-Command -ComputerName ComputerB -ScriptBlock{& "C:\Windows\System32\cmd.exe"} -ArgumentList "\\ComputerA\filepath\batch.bat" -Credential $Cred
When I go onto Computer B and call the script manually through cmd it works
I confirmed the Invoke-Command works because I was able to run programs that were local to Computer B
I am trying to not have to put any files on computer B such as psexec or the bat script itself which is why I am trying it this way
Thank you
When you remote to a machine (in this case ComputerB) and try to access something on ComputerA you are basically trying to access a network resource which by default isn't allowed. Use the -EnableNetworkAccess parameter in Invoke-Command to explicitly allow the same
This sounds like the "double hop"-/"second hop"-problem. You're credentials aren't available in the remote session (to access the network share).
Solutions:
Use CredSSP authentication
Requires some configuration
Invoke-Command -Authentication Credssp
Run it locally..
Copy the file to the remote computer
Use Invoke-Command -Scriptblock { & "c:\temp\batch.bat" }
Remove fiel on the remote computer if necessary
Use psexec.exe
I am attempting to run a batch file on several remote machines. It has some registry changes and other commands that I am able to run remotely. I have one command I have not been able to figure out an alternative:
net user USERNAME /PASSWORDREQ:yes
Is there a way to run this command remotely without psexec? I'd rather not distribute my batch file with a dependancy.
Yes, you can enable powershell remoting on the remote computers, and then use the Invoke-Command cmdlet. Example:
Invoke-Command -ComputerName RemoteComputer -Script { param($userName) net use $userName /PASSWORDREQ:yes } -Args "UserNameArgumentValue"