I have a powershell script which has been installing our software for years on our servers. Since a while we have a new server, which as far as we can check is a duplicate of an older one.
We have a script:
Invoke-Command -ComputerName $appServer -ScriptBlock $ConfigureServer
Where $appServer = localhost
this command works on all the other servers but on the new one we get Access Denied. We have tried things as Enable-PSRemoting -Force. We also start Powershell as administrotor. We have been stuck on this for days.
Hope someone can help.
Firstly, have you ran Test-WSMan to see if the server is listening to remoting commands?
If this does return fine, can you check the execution policy on the machine? Try running Set-ExectionPolicy unrestricted and see if the script then runs?
Related
I encounter strange behavior when trying to remotely start a service.
on Server A i'm running this line (it's part of bigger script named RunRemoteService.ps1):
Invoke-Command -ComputerName $B_comp -ScriptBlock {Powershell.exe -File "run_service.ps1"} -Credential $cred
And the script run_service.ps1 contains the following line (it's also part of bigger script):
$my_service_name.Start()
Now here's the strange thing, If I run RunRemoteService.ps1 when I have an open remote connection (mstsc) to server B then the script works perfectly and the required service on B is really starting.
However, if I run RunRemoteService.ps1 when there is no mstsc connection with server B then the script failed (service doesn't start).
Why is this happening and how can it be resolved?
EDIT: I explored this issue a bit more and found out that this occurs only when trying to run my specific service.
that means that my service must run from a session of already logged on user (that is why it's working if I mstsc to the server before).
So I guess my new question is - is there a way I can login to remote machine from powershell?
Thanks.
If you cannot use Credential delegation as suggested by #EBGreen. Try using psexec.exe for calling the script instead of PowerShell remoting.
psexec \\server "cmd /c powershell.exe -f c:\script.ps1"
Get psexec from sysinternals.com
Ok, so my question had evolved and modified on the fly so this solution is to the latest issue I had which is - I couldn't remotely start my service if no user is logged on to remote machine.
The solution is a workaround:
I configured auto-login (using sysinternals auto-login tool) on remote server.
I used Restart-Computer cmdlet at the beginning of the test.
Now after the restart is complete and ps-session is restored, user is logged in automatically to server and I can remotely start my service.
Thanks.
First off: This is not a duplicate of How to remote execute an ELEVATED remote script in PowerShell.
My scenario is similar but different in a certain way. What I want to do is the following:
Invoke-Command -UseSSL -ComputerName "$COMPUTER" -FilePath \\script.example.com\secretshare$\install_test.ps1 -ArgumentList 'U'
As the called script performs an installation and manipulates firewall rules, it needs elevated privileges. Irritatingly the error I get is an access error on the share mentioned above.
When I use this suggestion where I use PowerShell DSC, which is run as SYSTEM, it works. But only on Servers running Windows Management Framwork 4.0. So obviously I need a solution for Windows Server 2008 (R2) systems.
I hope someone can point me to the right direction so I can update this question to help other admins aswell.
Here is the command I am trying to run
Invoke-Command -ComputerName DOG-02 C:\Users\user\Documents\PowerShell\PowerShellmenuz.ps1
I want to be able to run the script PowerShellmenuz.ps1 on a remote machine. I am very close but am stuck at this point.
It is hard to tell where is the problem without error output, but probably you've missed first configuration step on remote machine. There things that should be done before executing scripts on remote machine.
Enabling PowerShell Remoting on the computer that you want access remotely. Open a PowerShell window as Administrator – right click the PowerShell shortcut and select "Run as Administrator". And execute the following command:
Enable-PSRemoting -Force - it will start service WinRM to allow incoming connections.
I am trying to use the Invoke-Command powershell cmdlet to install a MSI installer. From within powershell on the local machine and from the proper directory, the following works:
./setup /quiet
The following does not seem to work:
$script =
{
param($path)
cd "$path"
& ./setup /quiet
return pwd
}
return Invoke-Command -ComputerName $product.IPs -ScriptBlock $script -Args $sourcePath
For test purposes I am working on the local machine passing in "." for the -ComputerName argument. The paths have been verified correct before passing in to Invoke-Command, and errors generated on different versions of this code indicate the paths are correct. I have also tried with and without the "& " on the remote call to setup. Other Invoke-Command calls are working, so I doubt it is a permissions issue. I have verified that the return from the pwd call is the expected directory.
How do I get the install to work?
What error (if any) are you receiving? Unfortunately, you must run the shell as admin on your local machine to be able to connect to your local machine with invoke-command or any WINRM based command that requires administrative privilege (this is not a requirement when connecting remotely).
When connecting to loopback, I believe it is unable (for some security reason) to enumerate groups and determine if you are in an admin enabled AD or local group, which is how it auto elevates when invoking on a remote machine. The only solution may be to have a conditional which checks for localhost and if so, don't use the -ComputerName parameter.
This GitHub Issue covers it
You might try using Start-Process in your script block:
cd $path
start-process setup.exe -arg "/quiet"
Not sure if you will want or need to wait. Look at help for Start-Process.
I have had weird issues when trying to remotely execute a script on a local machine. In other words, remote powershell to the local machine. It comes back with an error that seems to say that PowerShell remoting is not enabled on the machine, but it was. I can run the script remotely from another machine to the target, but when using remoting to the same box, the issue crops up.
Verify that the WinRM service is running.
Verify powershell remoting has been enabled as in Enable-PSRemoting -force.
Verify your powershell execution policy is loose enough as in Set-ExecutionPolicy Unrestricted, for example. If the policy was set to RemoteSigned, this might be the problem.
You might also want to verify the user you are running the script as (locally, but using remoting) has privileges to "log on as a service" or as a batch job. Just guessing there, if the above list doesn't solve anything.
I’m having a problem remotely executing scripts as a non administrator on the target server.
This is an portion of the scripts I’m trying to run:
New-PSSession -computername ServerA.DomainA.org -Credential $LoginCredentials
$PSServerA = Get-PSSession -computername bl ServerA.DomainA.org
Invoke-Command -Session $PSServerA -scriptblock {Add-PSSnapin Quest.ActiveRoles.ADManagement}
I get the following error:
The following error occurred while loading the extended type data file: Quest.ActiveRoles.ADManagement, C:\Program Files\Quest Software\Management Shell for AD\Quest.ActiveRoles.ADManagement.Types.ps1xml : File skipped because of the following validation exception: AuthorizationManager check failed..
This is a small part of an account creation script I’m writing. I want the helpdesk to be able to execute the script and they are not members of the administrators group on the target server although they are members of the server operators group. I can logon to the target server as them and from a Standard (non admin) PowerShell prompt I can successfully run the command the Add-PSSnapin.
The ExecutionPolicy on the target server is Unrestricted.
I have given the users Execute rights to the default microsoft.Powershell remote session configuration, this is successful as they can open the session.
So the question I have is what rights do I need to assign the users in order for them to execute the commands remotely?
You're probably running into a PowerShell double-hop restriction. PowerShell doesn't like it when you remote into a machine and then try to access another computer from there. I've never used the AD snap-in before, though. This is my best guess.
Any chance you can contact the developer's of your AD snap-in for help? They might know.