I'm using enter-pssession to run scripts on remote servers. So I can login remotely to the servers. Run commands interactively, close the powershell console and later I can reattach the session and check the commands outputs.
Is there a Linux screen like functionality in powershell? I cannot use Windows remote desktop to connect the servers.
You can use Invoke-Command with -InDisconnectedSession, it will start session in asynchronous mode. After you can connect to this session, take data from it, etc. You can read more about this here.
You can create session, disconnect from session, connect back to it.
May be useful for you: New-PSSessionOption with -IdleTimeout.
-IdleTimeout:
Determines how long the session stays open if the remote computer does not receive any communication from the local computer. This includes the heartbeat signal. When the interval expires, the session closes. MSDN Link
I have recently run into double-hop issues with using PSSessions. What I did to work around that is to create a Session Configuration on the remote server that uses the -RunAs parameter to set the credentials that I need the commands on the remote server to be executed as. Then you connect to that session configuration on the remote server, and things should work as expected.
$MyCreds = Get-Credential ''
Invoke-Command -ScriptBlock {
Set-PSSessionConfiguration -Name "My Remote Config" -RunAsCredential $using:MyCreds -Force
} -ComputerName Server01
Then once the session configuration exists I can start a session using that config, and the whole double hop issue is null and void.
Now, mind you I do add some additional security, so that other people cannot use my session config, since that config has my credentials cached on the server (encrypted), and if they used that config they could do whatever they wanted as me. So to accomplish that I get my domain account SID, generate a SDDL line, and restrict access to the Session Config to only my account.
$Searcher = [adsisearcher]"(&(sAMAccountName=$($Creds.UserName.Split('\')[1]))(objectClass=user))"
$Results=$Searcher.FindOne().GetDirectoryEntry()
$MySID = new-object System.Security.Principal.SecurityIdentifier($Results.objectSid.value,0)|% value
$SDDL = "O:NSG:BAD:P(A;;GR;;;BA)(A;;GR;;;IU)(A;;GA;;;$MySID)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
$FQDN = $Server.ServerName,$Server.Forest -join '.'
$MySessionName = "DoubleHop-{0}" -f $MyCreds.UserName.Split('\')[1]
Invoke-Command -ScriptBlock {
Register-PSSessionConfiguration -Name $using:MySessionName -RunAsCredential $using:MyCreds -Force -SecurityDescriptorSddl $using:SDDL
} -ComputerName $FQDN -ea 4
Related
I've created a pssession on a remote computer and entered that possession. From within that session I use start-process to start notepad. I can confirm that notepad is running with the get-process command, and also with taskmgr in the remote computer. However, the GUI side of the process isn't showing. This is the sequence I've been using:
$server = New-PSSession -ComputerName myserver -Credential mycreds
Enter-PSSession $server
[$server]: PS C:\>Start-Process notepad -Wait -WindowStyle Maximized
The process is running, but while RDP'd to the box, notepad does not open. If I open notepad from the server, a new notepad process begins. I also tried by using the verb parameter like this:
[$server]: PS C:\>Start-Process notepad -Wait -WindowStyle Maximized -Verb Open
Same result tho... Process starts, but no notepad shows. I've tried this while remoted into the box (but issued from my local host) as well as before remoting into the server.
That is because your powershell session on the remote machine does not go to any visible desktop, but to an invisible system desktop. The receiving end of your powershell remote session is a Windows service. The process is started, but nor you nor anyone else can ever see it.
And if you think about it, since multiple users could RDP to the same machine, there is really no reason to assume a remote powershell session would end up showing on any of the users desktops. Actually, in almost all cases you wouldn't want it anyway.
psexec with the -i parameter is able to do what you want, but you have to specify which of the sessions (users) you want it to show up in.
I know this is old, but I came across it looking for the solution myself so I wanted to update it for future poor souls.
A native workaround for this problem is to use a scheduled task. That will use the active session
function Start-Process-Active
{
param
(
[System.Management.Automation.Runspaces.PSSession]$Session,
[string]$Executable,
[string]$Argument,
[string]$WorkingDirectory,
[string]$UserID
)
if (($Session -eq $null) -or ($Session.Availability -ne [System.Management.Automation.Runspaces.RunspaceAvailability]::Available))
{
$Session.Availability
throw [System.Exception] "Session is not availabile"
}
Invoke-Command -Session $Session -ArgumentList $Executable,$Argument,$WorkingDirectory,$UserID -ScriptBlock {
param($Executable, $Argument, $WorkingDirectory, $UserID)
$action = New-ScheduledTaskAction -Execute $Executable -Argument $Argument -WorkingDirectory $WorkingDirectory
$principal = New-ScheduledTaskPrincipal -userid $UserID
$task = New-ScheduledTask -Action $action -Principal $principal
$taskname = "_StartProcessActiveTask"
try
{
$registeredTask = Get-ScheduledTask $taskname -ErrorAction SilentlyContinue
}
catch
{
$registeredTask = $null
}
if ($registeredTask)
{
Unregister-ScheduledTask -InputObject $registeredTask -Confirm:$false
}
$registeredTask = Register-ScheduledTask $taskname -InputObject $task
Start-ScheduledTask -InputObject $registeredTask
Unregister-ScheduledTask -InputObject $registeredTask -Confirm:$false
}
}
When you use New-PSSession and then RDP into that same computer, you're actually using two separate and distinct user login sessions. Therefore, the Notepad.exe process you started in the PSSession isn't visible to your RDP session (except as another running process via Task Manager or get-process).
Once you've RDP'd into the server (after doing what you wrote in your post), start another Notepad instance from there. Then drop to PowerShell & run this: get-process -name notepad |select name,processid
Note that there are two instances, each in a different session.
Now open up Task Manager and look at the user sessions. Your RDP session will probably be listed as session 1.
Now quit Notepad and run get-process again. You'll see one instance, but for session 0. That's the one you created in your remote PSSession.
There are only 2 workarounds that I know of that can make this happen.
Create a task schedule as the logged in user, with no trigger and trigger it manually.
Create a service that starts the process with a duplicated token of the logged in user.
For the task schedule way I will say that new-scheduledtask is only available in Windows 8+. For windows 7 you need to connect to the Schedule Service to create the task like this (this example also starts the task at logon);
$sched = new-object -ComObject("Schedule.Service")
$sched.connect()
$schedpath = $sched.getFolder("\")
$domain = "myDomain"
$user="myuser"
$domuser= "${domain}\${user}"
$task = $sched.newTask(0) # 0 - reserved for future use
$task.RegistrationInfo.Description = "Start My Application"
$task.Settings.DisallowStartIfOnBatteries=$false
$task.Settings.ExecutionTimeLimit="PT0S" # there's no limit
$task.settings.priority=0 # highest
$task.Settings.IdleSettings.StopOnIdleEnd=$false
$task.settings.StopIfGoingOnBatteries=$false
$trigger=$task.Triggers.create(9) # 9 - at logon
$trigger.userid="$domuser" # at logon
$action=$task.actions.create(0) # 0 - execute a command
$action.path="C:\windows\system32\cmd.exe"
$action.arguments='/c "c:\program files\vendor\product\executable.exe"'
$action.WorkingDirectory="c:\program files\vendor\product\"
$task.principal.Id="Author"
$task.principal.UserId="$domuser"
$task.principal.LogonType=3 # 3 - run only when logged on
$task.principal.runlevel=1 # with elevated privs
# 6 - TASK_CREATE_OR_UPDATE
$schedpath.RegisterTaskDefinition("MyApplication",$viztask,6,$null,$null,$null)
Creating a service is way more complicated, so I'll only outline the calls needed to make it happen. The easy way is to use the invoke-asservice script on powershell gallery: https://www.powershellgallery.com/packages/InvokeAsSystem/1.0.0.0/Content/Invoke-AsService.ps1
Use WTSOpenServer and WTSEnumerateSessions to get the list of sessions on the machine. You also need to use WTSQuerySessionInformation on each session to get additional information like username. Remember to free your resources using WTSFreeMemory and WTSCloseServer You'll end up with some data which looks like this (this is from the qwinsta command);
SESSIONNAME USERNAME ID STATE
services 0 Disc
>rdp-tcp#2 mheath 1 Active
console 2 Conn
rdp-tcp 65536 Listen
Here's an SO post about getting this data; How do you retrieve a list of logged-in/connected users in .NET?
This is where you implement your logic to determine which session to target, do you want to display it on the Active desktop regardless of how it's being presented, over RDP or on the local console? And also what will you do if there is no one logged on? (I've setup auto logon and call a lock desktop command at logon so that a logged in user is available.)
You need to find the process id of a process that is running on the desktop as that user. You could go for explorer, but your machine might be Server Core, which explorer isn't running by default. Also not a good idea to target winlogon because it's running as system, or dwm as it's running as an unprivileged user.
The following commands need to run in a service as they require privileges that only system services have. Use OpenProcess to get the process handle, use OpenProcessToken to get the security token of the process, duplicate the token using DuplicateTokenEx then call ``CreateProcessAsUser``` and finally Close your handles.
The second half of this code is implemented in invoke-asservice powershell script.
You can also use the sysinternals tool psexec, I didn't list it as a 3rd way because it just automates the process of creating a service.
I have a question regarding multihopping in a windows environment.
Let's say I have a schedule running on Server A (Central Scheduler) which executes a command on Server B. This script contains a call to save files on a remote filer (UNC path, Server C). Hop 1 (from A to B) works well, hop 2 (from B to C) fails.
I already tested to save the files locally on server B, that works flawlessly.
I think there's a problem with the second hop. I remember reading something like this on a forum a while ago, but can't remember a solution.
In detail, the command looks like this:
$session = New-PSSession -computer ComputerName
$templatepath = "\\filerpath\"
Invoke-Command -Session $session -Scriptblock { powershell ovpmutil cfg pol dnl $Using:templatepath /p \BSH }
To clarify: Powershell gives me an "Access denied" when performing the second hop. I already enabled Credential delegation as described here:
Enabling Multihop Remoting
Any help is appreciated. Thanks in advance
The solution is a real pain in the backside if you ask me but here it is...
On the originating server (A):
Set-Item WSMAN:\localhost\client\auth\credssp -value $true
On the intermediate server (B):
Set-Item WSMAN:\localhost\client\auth\credssp -value $true
Open Group Policy editor on server A, navigate to:
Computer Configuration > Administrative Templates > System > Credentials Delegation
Enable these options:
Allow delegating fresh credentials
Allow delegating fresh credentials with NTLM-only server authentication
Both policies need to have server B added to the allowed list, wildcards are allowed. Note that if you use RDP from server A you'll also need to add TERMSRV/*
When running Invoke-Command from server A, include the -Authentication CredSSP param.
Note that if saving SecureStrings somewhere for the credential to connect to server C, you'll want to either use a fixed encryption (specify byte array) or plain text and convert it.
Hi does anyone have any experience of how to get the Active Directory module to work in a remote ps session?
Nothing I'm trying seems to work.
My remoting between the computers are fine and working and they are joined to a domain.
Lets say I do this
$Session = New-PSSession -ComputerName DC01
Invoke-Command -Session $Session {Import-Module Active Directory}
WARNING: Error initializing default drive: 'Unable to contact the server. This
may be because this server does not exist, it is currently down, or it does not
have the Active Directory Web Services running.'.
If I logon to the server directly it works fine. Tried creating a SessionConfiguration also and told it to load the AD module but no luck there either.
May be the dreaded "double hop authentication" problem. Since you already have a Session Configuration set up, you can try adding -RunAs to that and see if it starts working:
http://www.vinithmenon.com/2012/11/delegated-administration-in-windows.html
I found the solution to my problem. I enabled CredSSP on the server again from scratch and on my client and now it's working :)
How do I use a function in my profile on the remote machine when using Enter-PSSession on my local machine to open a remote PowerShell session.
By JonZ and x0n:
When you use pssessions with the default session configurations, no profile scripts run.
When starting a remote interactive session with Enter-PSSession, a remote profile is loaded. Additionally, only the machine-level profile in $pshome is loaded.
If you want a session to be preconfigured (to load custom functions, snap-ins, modules, etc.), add a profile script to a new sessionconfiguration (for initialize them in the startup script of the remote session configuration).
The Register-PSSessionConfiguration cmdlet creates and registers a new session configuration on the local computer. Use Get-PSSessionConfiguration to view existing session configurations. Both Get-PSSessionConfiguration and Register-PSSessionConfiguration require elevated rights (start PowerShell with the “Run as Administrator” option).
In the target computer, where profile.ps1 contains all your functions:
Register-PSSessionConfiguration -Name WithProfile -StartupScript $PsHome\Profile.ps1
To use this preconfigured session you would type, from the local computer:
Enter-PSSession -ComputerName $computername -ConfigurationName WithProfile
or
Enter-PSSession -ComputerName $computername -ConfigurationName WithProfile -Credential youradminuser#yourtargetdomain
(where $computername is the hostname of the remote server where you registered the pssessionconfiguration).
A good source on PowerShell remoting is the Administrator's Guide to Powershell Remoting.
References:
Powershell Remoting: Use Functions loaded in Powershell remote Profile?
http://jrich523.wordpress.com/2010/07/21/update-creating-a-profile-for-a-remote-session/
Understanding and Using PowerShell Profiles
http://blogs.technet.com/b/heyscriptingguy/archive/2013/01/04/understanding-and-using-powershell-profiles.aspx
About_Profiles (Microsoft Docs)
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles
The six different Windows PowerShell profile paths and use
Current User, Current Host - console
$Home[My ]Documents\WindowsPowerShell\Profile.ps1
Current User, All Hosts
$Home[My ]Documents\Profile.ps1
All Users, Current Host - console
$PsHome\Microsoft.PowerShell_profile.ps1
All Users, All Hosts
$PsHome\Profile.ps1
Current user, Current Host - ISE
$Home[My ]Documents\WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1
All users, Current Host - ISE
$PsHome\Microsoft.PowerShellISE_profile.ps1
Windows PowerShell Profiles
http://msdn.microsoft.com/en-us/library/bb613488%28VS.85%29.aspx
This profile applies to all users and all shells.
%windir%\system32\WindowsPowerShell\v1.0\profile.ps1
This profile applies to all users, but only to the Microsoft.PowerShell shell.
%windir%\system32\WindowsPowerShell\v1.0\ Microsoft.PowerShell_profile.ps1
This profile applies only to the current user, but affects all shells.
%UserProfile%\My Documents\WindowsPowerShell\profile.ps1
This profile applies only to the current user and the Microsoft.PowerShell shell.
%UserProfile%\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
PowerShell Core Profiles
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles
This profile applies to all users and all hosts.
$env:ProgramFiles\PowerShell\6\profile.ps1
This profile applies to all users, but only to the current host.
$env:ProgramFiles\PowerShell\6\Microsoft.PowerShell_profile.ps1
This profile applies only to the current user, but affects all hosts.
$env:USERPROFILE\Documents\PowerShell\profile.ps1
This profile applies only to the current user and the Microsoft.PowerShell shell.
$env:USERPROFILE\Documents\PowerShell\Microsoft.PowerShell_profile.ps1
Jason,
In my case, I wanted to have my Powershell Profile follow me when I remoted into another computer.
I have created a wrapper function Remote that takes a computername, creates a session, loads your profile into the session, and uses enter-pssession.
Here is the code below:
function Remote($computername){
if(!$Global:credential){
$Global:credential = Get-Credential
}
$session = New-PSSession -ComputerName $computername -Credential $credential
Invoke-Command -FilePath $profile -Session $session
Enter-PSSession -Session $session
}
You could modify the Invoke-Command -FilePath parameter to take any file of your liking.
take a look at this
http://jrich523.wordpress.com/2010/07/08/creating-a-profile-for-a-remote-session/
its a work around for creating a remote profile.
You can't. When starting a remote interactive session with enter-pssession, a remote profile is loaded. Additionally, only the machine-level profile in $pshome is loaded. If you want remote functions available you'll have to initialize them in the startup script of the remote session configuration. Have a look at get/set-pssessionconfiguration on the remote server.
There is another way to use a profile on a remote session:
Copy the chosen profile to the remote server(s) in your documents folder. For example:
Copy-Item -Path $profile.CurrentUserAllHosts -Destination \\computername\C$\Users\MyAccountName\Documents
Enter the PSSession
Enter-PSSession -ComputerName ComputerName
Dot source your profile
. .\Profile.ps1
Drawbacks of this solution:
you must copy once your profile to all the computers where you want to have a profile
you must dot source the profile every time you enter a PSSession
Advantages of this solution:
There is no need of function and you just enter a PSSession like you always do
You do not alter all users' profile by changing the default session configuration
(Thanks to Jeffery Hicks for the tip about the dot sourcing)
I am having trouble accessing a shared network location while within a PowerShell remote session.
From the PowerShell prompt, I enter a new session:
Enter-PSSession server1
The session is properly created and entered. I then attempt to list the contents of the share:
dir \\server2\share1
The response is this error:
Get-ChildItem : Cannot find path '\\server2\share1' because it does not exist.
However, if I remote desktop into server1, bring up PowerShell, and execute the very same dir command, the contents are correctly listed.
I've tried various things using credentials, but that doesn't seem to fix it. I've also confirmed via the "whoami" command that I have the same identity in both examples.
What would cause this?
If you can't use credential delegation as mentioned above, you can mount (or just authenticate as below) the remote share in the remote session using explicit credentials, e.g.
[server1] ps> net use \\server2\share * /user:username
(prompts for password)
[server1] ps> dir \\server2\share
(listing)
This problem has nothing to do with powershell per-se; you are trying to replay your local credentials in a remote session to a third location and falling foul of the NTLM "double hop" limitation.
Read the section "Credential Delegation"
Here - Credit to Keith Hill
and perform the steps if you have not already done so.
Another option is kerberos resource delegation
eg:
$server_name = "my-server" $servers = #(get-adcomputer -identity $server_name)
$target = "target-server" $tgt_srv = get-adcomputer -identity $target
Set-ADComputer -Identity $to_delegate -PrincipalsAllowedToDelegateToAccount $servers