Enter-PSSession unable to remote into a remote desktop - powershell

I am trying to remote into another desktop using PowerShell's Enter-PSSession to run a script automatically; however, I am not even able to connect to the remote desktop.
Enter-PSSession -Computername 172.16.164.14 -credential $cred
But it says access is denied. This is the error message:
Enter-PSSession : Connecting to remote server 172.16.164.14 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
I also tried using:
Invoke-Command -ComputerName 7450-56Z0BP2 -FilePath -C:\user_automation\automate.vbs -credential $cred
where 7450-56Z0BP2 is the hostname, but the error it gave me is:
[7450-56Z0BP2] Connecting to remote server 7450-56Z0BP2 failed with the following error message : WinRM cannot process the request.
I am not sure what could be the cause of me not being able to access the remote computer. I am able to access it via RDP, but I am not able to log in using the PowerShell script.

PowerShell Remoting is not Remote Desktop; they are both set up differently, use different components and do not really share any commonality.
Permissions are not linked between the two; just because you can RDP to a computer does not mean you have PSRemoting permissions.
To use PSRemoting you need to run Enable-PSRemoting on the remote machine. This sets up all the requirements: settings, firewall rules and services. This command needs to be run as a user with Administrator permissions on the remote machine.
Once this is set up, you will be able to connect using Enter-PSSession / Invoke-Command.
Your code to run a vbscript remotely won't work because the FilePath param is for a PowerShell script. To run a vbscript remotely you need to call cscript:
Invoke-Command -ComputerName '7450-56Z0BP2' -ScriptBlock { cscript.exe "C:\user_automation\automate.vbs" } -Credential $cred

This is a permissions problem, not a PowerShell remoting problem.
Your error is "access denied" (your example 1), not "could not connect".
Essentially, being able to log on using remote desktop requires different permissions than being able to use psremoting.
Here is how you check on target servers what security group membership will allow you to use psremoting:
PS C:> (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Remote desktop, meanwhile, is granted by being a member of the Remote Desktop Users group or the local Administrators group.

You need to enable PowerShell Remoting on the remote server as follows:
Allowing remote PowerShell Windows Endpoint access
Open a PowerShell session as Administrator.
Execute the following command to open the PowerShell Endpoint security window:
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force
Click Add.
Select the desired user to include to the list.
Enable Read and Execute permissions.
Click OK to apply your change.
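
The permission check and the grant from the two answers above can also be done without the dialog. This is an added example, not part of the original answers; the account name CONTOSO\svc-automation is a placeholder, and the script is meant to run elevated on the target machine.

```powershell
# Run in an elevated PowerShell session on the TARGET machine.
# Assumption: 'CONTOSO\svc-automation' is a placeholder account name.
$User     = 'CONTOSO\svc-automation'
$Endpoint = 'Microsoft.PowerShell'

# 1. Is WinRM running, and is there at least one listener?
Get-Service -Name WinRM | Select-Object Name, Status, StartType
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys

# 2. Which principals may open a session on the default endpoint?
$config = Get-PSSessionConfiguration -Name $Endpoint
$config.Permission -split ',\s*'

# 3. Is the account a direct member of a local group the endpoint allows?
#    (Membership through nested domain groups is not resolved here.)
$allowedGroups = 'Administrators', 'Remote Management Users'
$memberOf = foreach ($group in $allowedGroups) {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if ($members.Name -contains $User) { $group }
}

if ($memberOf) {
    "$User can already connect via: $($memberOf -join ', ')"
} else {
    # Grants remoting access only; the account does not become a local admin.
    Add-LocalGroupMember -Group 'Remote Management Users' -Member $User
    "$User added to 'Remote Management Users'"
}
```

Being able to log on over RDP changes nothing in this output; only the groups listed in step 2 decide whether Enter-PSSession is accepted.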

Related

How to execute powershell script from server1 for deploying wsp in server2

I am trying to remotely deploy wsp file present in server2 by running a powershell script in server1.
I am able to successfully log in to the server2 through server1 using the below command:
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("username",$password)
but I am not able to deploy the wsp file. This is the code that I tried:
Enter-PSSession -ComputerName server2 -Credential $cred
Add-PSSnapin Microsoft.Sharepoint.Powershell –EA 0
Update-SPSolution -Identity TechSoup.Web.wsp -LiteralPath "C:\Program Files ...Debug\Some.wsp" -GacDeployment
I have also tried to put the above code in a script, save it and run the script remotely.
This is the error that I am getting. I believe it is because I don't have admin privileges; I can say this because when I run the deployment code from server2 as admin, the wsp file is getting deployed. So, how can I get admin privileges remotely? The user has the admin privileges, all I need to do is run it with elevated privileges (like right-click and run as admin, but programmatically).
Update-SPSolution : Cannot access the local farm. Verify that the
local farm is properly configured, currently available, and that you
have the appropriate permissions to access the database before trying
again
EDIT
I have tried the below script code in admin mode in powershell:
$password = ConvertTo-SecureString "serverpassword" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("userName",$password)
Enable-PSRemoting
Enable-WSmanCredSSP -Role Server
winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'
Enter-PSSession -ComputerName Server2 -Credential $cred -Authentication credssp
However, I keep getting this error:
Enter-PSSession : Connecting to remote server Server2 failed
with the following error message : The WinRM client cannot process
the request. CredSSP authentication is currently disabled in the
client configuration. Change the client configuration and try the
request again. CredSSP authentication must also be enabled in the
server configuration. Also, Group Policy must be edited to allow
credential delegation to the target computer. Use gpedit.msc and look
at the following policy: Computer Configuration -> Administrative
Templates -> System -> Credentials Delegation -> Allow Delegating
Fresh Credentials. Verify that it is enabled and configured with an
SPN appropriate for the target computer. For example, for a target
computer name "myserver.domain.com", the SPN can be one of the
following: WSMAN/myserver.domain.com or WSMAN/*.domain.com For more
information, see the about_Remote_Troubleshooting Help topic
No matter what I try, I get this error. I have tried these techniques:
Allowed Delegating fresh credentials as well as NTLM fresh credentials in GPEdit.
I have tried the script present in This link
I have added user privileges in compmgmt.msc at
Remote Desktop Users
WinRMRemoteWMIUsers__
WSS_ADMIN_WPG
Remote Management Users
Can anyone suggest anything?

In order to run SharePoint commands remotely please follow the steps outlined in: Remote PowerShell to Manage SharePoint on-premises
Essentially, after enabling remoting, you have to enable CredSSP access in order for your credentials to be sent to the remote and local computer in order for you to run elevated commands.
On the server:
Enable-PSRemoting
Enable-WSmanCredSSP -Role Server
winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'
And on the client:
Enable-PSRemoting
Enable-WSmanCredSSP -Role Client -DelegateComputer "server2.contoso.com"
Then on the client you can enter the session:
Enter-PSSession -ComputerName server2 -Credential $cred -Authentication Credssp
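
The error in the question says the client side was never enabled, so it helps to read the CredSSP state on each machine before connecting. This is an added example, not part of the original answer; server2.contoso.com is the answer's sample name, and Get-CredSSPState is a helper name chosen here.

```powershell
# Run in an elevated session: section A on both machines, section B on the
# client only. Assumption: 'server2.contoso.com' is the answer's sample FQDN.

# --- A. Report the local CredSSP state (run on client AND server) ---
function Get-CredSSPState {
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        # Must be 'true' on the machine that starts the session
        ClientEnabled  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        # Must be 'true' on the machine that receives the session
        ServiceEnabled = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        # Readable summary, including the configured delegation targets
        Summary        = (Get-WSManCredSSP) -join ' | '
    }
}
Get-CredSSPState | Format-List

# --- B. Client only: delegate to ONE host, connect, verify, clean up ---
$Target = 'server2.contoso.com'
if ((Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -ne 'true') {
    Enable-WSManCredSSP -Role Client -DelegateComputer $Target -Force
}

$cred = Get-Credential   # prompt instead of a password stored in the script
# Connect with the same name that was passed to -DelegateComputer.
$session = New-PSSession -ComputerName $Target -Credential $cred -Authentication Credssp
try {
    Invoke-Command -Session $session -ScriptBlock {
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = [Security.Principal.WindowsPrincipal]$identity
        [pscustomobject]@{
            User    = $identity.Name
            IsAdmin = $principal.IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    }
} finally {
    Remove-PSSession $session
    # CredSSP hands the full credential to the remote host; switch it off
    # again once the job no longer needs it.
    Disable-WSManCredSSP -Role Client
}
```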

Running a PowerShell script on a remote Windows server using WinRM

I have written a script that connects to a Windows Server machine using WinRM in order to run a script that exists on the Windows Server machine, PS_Block_Access_Internet_GPO.ps1, but the script is not executed even though the session was created successfully.
Besides, the script needs administrator privileges to be executed, so how can I provide the needed privileges for the script using PowerShell?
Enable-PSRemoting
Enter-PSSession -ComputerName Server.Admin.6NLG-AD
.\PS_Block_Internet_Access_GPO.ps1

To run a local script against a remote computer I would use Invoke-Command; this doesn't need the script to be present on the remote computer.
Invoke-Command -ComputerName 'Server.Admin.6NLG-AD' -FilePath C:\Folder\myScript.ps1
As your script looks to create a GPO, you may likely need to use an alternative user account with appropriate permissions on your domain...
You can use the Credential param to specify an account like this:
Invoke-Command -ComputerName 'Server.Admin.6NLG-AD' -FilePath C:\Folder\myScript.ps1 -Credential Domain\Username

Remote Powershell scripting and Jenkins not working

I am having an issue running a remote script using Jenkins. I have installed the PowerShell plug-in and can run PowerShell scripts on the local build server, but when I try to run it on a remote server, it fails all the time. I can run the same script outside of Jenkins locally and remotely and it works just fine. My assumption is that there is a security setting I am missing but for the life of me, I cannot find it.
Any insight/help would be greatly appreciated.
The code below runs using PowerShell on the server but not through Jenkins:
$ErrorActionPreference = 'Stop'
# Create a PSCredential Object using the "User" and "Password" parameters that you passed to the job
$SecurePassword = 'xxxxxxx' | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'ci-user', $SecurePassword
# Invoke a command on the remote machine.
# It depends on the type of job you are executing on the remote machine as to if you want to use "-ErrorAction Stop" on your Invoke-Command.
Invoke-Command -ComputerName xxx.xx.xx.xxx -Credential $cred -ScriptBlock {
# Restart the W32Time service
Restart-Service -Name W32Time
}
The error below is what I get when I run it in Jenkins. I am using the same username and password when I run it outside of Jenkins and works:
Connecting to remote server xxx.xx.xx.xxx failed with the
following error message : WinRM cannot process the request. The following
error with errorcode 0x8009030d occurred while using Negotiate authentication:
A specified logon session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are
specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does
not exist.
-The client and remote computers are in different domains and there is no
trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM
TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command:
winrm help config. For more information, see the about_Remote_Troubleshooting
Help topic.
At C:\Windows\TEMP\jenkins3589460126620702793.ps1:12 char:1
+ Invoke-Command -ComputerName xxx.xx.xx.xxx -Credential $cred -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (xxx.xx.xx.xxx:String) [], PSRemoting
TransportException
+ FullyQualifiedErrorId : 1312,PSSessionStateBroken

This could be caused by a few different issues:
Are your remote machine and connecting machine on the same domain? If not, verify the domain of your ci-user and retry.
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'connectingserver/ci-user', $SecurePassword
Is WinRM enabled on your remote server, is the WinRM service running, are you set up to allow the appropriate remoting? Follow these steps to verify: https://technet.microsoft.com/en-us/library/ff700227.aspx?f=255&MSPPError=-2147217396
Are both the remote and connecting server set up with the same authentication method? You will want to use either Kerberos or CredSSP. I would consider CredSSP only if you are trying to solve the Double-Hop issue.

I found the error of my ways but hopefully this answer will help anyone else that encounters it.
The problem was that the user I am using is a local user and it needs to be treated as a workgroup user. So instead of ci-user, I needed to pass it as \ci-user. Once I did this, it works like a charm.
Thank you for all your input.

Remote PowerShell rights

I am working on a script that I want to store centrally and run on a few different servers.
I have problems getting Kerberos to work so I am using local accounts for now.
The target server is properly configured and a local admin account has been created for my script.
I am able to connect to the server and run local scripts with:
Enter-PSSession -ComputerName server01 -Credential server01\localusername
I am able to do some basic commands like dir.
I logged in on the central repo server and created the exact same username and exact same password.
I am able to browse to that directory from the target server by using:
cd \\server02\folder\
in PowerShell.
Now, I try to connect through Remote PowerShell with:
Enter-PSSession -ComputerName server01 -Credential server01\localusername
cd \\server02\folder\
I get the following error:
cd : Access is denied
+ CategoryInfo : PermissionDenied: [...]
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.SetLocationCommand
How can I get the browsing to external computers working through remote PowerShell?

PowerShell remote call. Access is denied

In order to automate test releases, I need access to a remote computer in another domain group.
What I've done on remote computer:
run Enable-PSRemoting
set TrustedHosts "*"
added https listener with self-signed certificate
opened 5985 and 5986 ports
So now scripts are running successfully via PowerShell console.
But when I'm trying to run a remote script via TeamCity agent I've been receiving the following error:
Connecting to remote server failed with the following error message :
Access is denied. For more information, see the
about_Remote_Troubleshooting Help topic.
TeamCity agent service is running with Local System rights.
Session initialization
$password = ConvertTo-SecureString $appServerPwd -AsPlainText -Force
$appCred = New-Object System.Management.Automation.PsCredential($appServerUser,$password)
$rs = New-PSSession -ComputerName $appServer -Credential $appCred -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Authentication Negotiate
Also, when I'm trying to make a remote call to a domain computer via TeamCity everything works.
Do you have any idea how to solve this issue?
Dima

I've found the problem: as soon as I changed the "Local System" user to the Administrator user on the TeamCity agent service, everything started to work.
So the issue was in rights (starting PSSession) between "Local System" and Administrator.