Remote PowerShell rights - powershell

I am working on a script that I want to store centrally and run on a few different servers.
I have problems getting Kerberos to work, so I am using local accounts for now.
The target server is properly configured and a local admin account has been created for my script.
I am able to connect to the server and run local scripts with:
Enter-PSSession -ComputerName server01 -Credential server01\localusername
I am able to do some basic commands like dir.
I logged in on the central repo server and created the exact same username and exact same password.
I am able to browse to that directory from the target server by using:
cd \\server02\folder\
in PowerShell.
Now, I try to connect through Remote PowerShell with:
Enter-PSSession -ComputerName server01 -Credential server01\localusername
cd \\server02\folder\
I get the following error:
cd : Access is denied
+ CategoryInfo : PermissionDenied: [...]
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.SetLocationCommand
How can I get the browsing to external computers working through remote PowerShell?
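Added example, not part of the question above: the cd from inside the remote session fails because the session runs under a network logon whose token cannot be reused for a further hop to server02. Supplying a credential for that hop explicitly, via New-PSDrive inside the session, sidesteps delegation altogether. It assumes, as the question states, that the same local account and password exist on both hosts and that server02 grants that account access to the share.

```powershell
# Added example, not part of the question: reach \\server02\folder from inside a
# remote session on server01 by authenticating that second hop explicitly.
# Assumes the same local account exists on both hosts (as the question describes)
# and that server02 grants it access to the share.

$sessionCred = Get-Credential -UserName 'server01\localusername' -Message 'WinRM session on server01'
$shareCred   = Get-Credential -UserName 'server02\localusername' -Message 'Share on server02'

$session = New-PSSession -ComputerName server01 -Credential $sessionCred

Invoke-Command -Session $session -ScriptBlock {
    # The remote session runs under a network logon whose token holds no reusable
    # secret, so an implicit connection to another host is refused. This reproduces
    # the "Access is denied" from the question.
    try {
        Get-ChildItem -Path '\\server02\folder' -ErrorAction Stop | Out-Null
        'Implicit second hop succeeded (delegation is already configured)'
    } catch {
        "Implicit second hop failed: $($_.Exception.Message)"
    }

    # Supplying the credential for that hop ourselves avoids any delegation setup.
    # The credential lives only in this session's memory, not in a delegation policy.
    New-PSDrive -Name Repo -PSProvider FileSystem -Root '\\server02\folder' `
        -Credential $using:shareCred -ErrorAction Stop | Out-Null
    Get-ChildItem -Path 'Repo:\' | Select-Object Name, Length, LastWriteTime
    Remove-PSDrive -Name Repo
}

Remove-PSSession -Session $session
```

The mapped drive exists only for the lifetime of that script block, so nothing persists on server01 after the session ends; compare this with CredSSP, which hands the server the full credential for every hop it chooses to make.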

Related

Enter-PSSession unable to remote into a remote desktop

I am trying to remote into another desktop using PowerShell's Enter-PSSession to run a script automatically; however, I am not even able to connect to the remote desktop.
Enter-PSSession -Computername 172.16.164.14 -credential $cred
But it says access is denied. This is the error message:
Enter-PSSession : Connecting to remote server 172.16.164.14 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
I also tried using:
Invoke-Command -ComputerName 7450-56Z0BP2 -FilePath -C:\user_automation\automate.vbs -credential $cred
where 7450-56Z0BP2 is the hostname, but the error it gave me is:
[7450-56Z0BP2] Connecting to remote server 7450-56Z0BP2 failed with the following error message : WinRM cannot process the request.
I am not sure what could be the cause of me not being able to access the remote computer. I am able to access it via RDP, but I am not able to log in using the PowerShell script.
PowerShell Remoting is not Remote Desktop; they are both set up differently, use different components and do not really share any commonality.
Permissions are not linked between the two; just because you can RDP to a computer does not mean you have PSRemoting permissions.
To use PSRemoting you need to run Enable-PSRemoting on the remote machine. This sets up all the requirements: settings, firewall rules and services. This command needs to be run as a user with Administrator permissions on the remote machine.
Once this is set up, you will be able to connect using Enter-PSSession / Invoke-Command.
Your code to run a VBScript remotely won't work because the FilePath parameter is for a PowerShell script. To run a VBScript remotely you need to call cscript:
Invoke-Command -ComputerName '7450-56Z0BP2' -ScriptBlock { cscript.exe "C:\user_automation\automate.vbs" } -Credential $cred
This is a permissions problem, not a PowerShell remoting problem.
Your error is "access denied" (your example 1), not "could not connect".
Essentially, being able to log on using Remote Desktop requires different permissions than being able to use PSRemoting.
Here is how you check on target servers which security group membership will allow you to use PSRemoting:
PS C:> (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Remote Desktop, on the other hand, is granted by being a member of the Remote Desktop Users group or the local Administrators group.
You need to enable PowerShell Remoting on the remote server as follows:
Allowing remote PowerShell Windows Endpoint access
Open a PowerShell session as Administrator.
Execute the following command to open the PowerShell Endpoint security windows:
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force
Click Add.
Select the desired user to include in the list.
Enable Read and Execute permissions.
Click OK to apply your change.
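Added example, not from the answers above: the Permission string shown earlier already lists BUILTIN\Remote Management Users, so a non-admin account can be given remoting access by group membership alone, without editing the endpoint ACL in the GUI and without adding it to Administrators. The script below does that on the target and then verifies from the client which identity and groups the endpoint actually sees. It uses server01\localusername from the first question; Add-LocalGroupMember is assumed to be available (Windows 10 / Server 2016 and later).

```powershell
# Added example, not from the answers above: grant PSRemoting to a non-admin account
# through the built-in group the default endpoint already lists, then verify from the
# client. Uses server01\localusername from the first question.

# ---- On server01, in an elevated PowerShell ----
$account = 'localusername'

# Remote Management Users is already in the endpoint SDDL (the Permission string shown
# above), so membership alone grants access; no Administrators membership needed.
Add-LocalGroupMember -Group 'Remote Management Users' -Member $account -ErrorAction Stop
# On hosts without the LocalAccounts module (Windows 7 / 2008 R2):
#   net localgroup "Remote Management Users" localusername /add

# Audit which principals can reach each endpoint on this host.
Get-PSSessionConfiguration | Select-Object Name, Permission | Format-List

# ---- On the client ----
$cred = Get-Credential -UserName 'server01\localusername' -Message 'Remote account'

# Listener reachable and credential accepted? This fails with a clearer error than
# Enter-PSSession when WinRM itself is the problem.
Test-WSMan -ComputerName server01 -Credential $cred -Authentication Negotiate | Out-Null

# Who does the endpoint think we are, and which groups did the token bring along?
Invoke-Command -ComputerName server01 -Credential $cred -ScriptBlock {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = foreach ($g in $id.Groups) {
        try { $g.Translate([Security.Principal.NTAccount]).Value } catch { $g.Value }
    }
    [pscustomobject]@{
        User   = $id.Name
        Groups = $groups -join '; '
    }
}
```

A member of Remote Management Users gets an ordinary, non-elevated session; if the script it has to run needs administrative rights on the target, a constrained endpoint that runs as a virtual account (see the Active Directory answer further down) keeps that privilege out of the user's hands.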

Powershell. Load AD module and perform AD action

Short explanation:
We have more than 1000 PCs (Win7+8+10)
On the PCs, I would like to run a script that can remove a Computer Account from a group. (In the code examples below I'm using Get-AdComputer as it gives the same error)
I need to do this without Domain Admin rights.
The PCs do not have RSAT / Admin Tools installed.
First I tried:
$Session = New-PSSession -ComputerName DomainController1
Import-PSSession -Session $Session -Module ActiveDirectory
Get-Adcomputer TestPC
With Domain Admin account, it works just fine.
With a non-Domain Admin account it fails on the first line with:
New-PSSession : [DomainController1] Connecting to remote server DomainController1 failed with the following error message : Access is denied
Then I installed RSAT/Admin tools on a member server and tried to import AD module from that server:
$Session = New-PSSession -ComputerName MemberServer1
Import-PSSession -Session $Session -Module ActiveDirectory
Get-Adcomputer TestPC
The Import of the ActiveDirectory module is fine, with both Domain Admin account and non-Domain Admin account, but I get an error when running the "Get-Adcomputer TestPC" command:
Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
+ CategoryInfo : ResourceUnavailable: (TestPC:ADComputer) [Get-ADComputer], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
+ PSComputerName : MemberServer1
I notice the PSComputerName is MemberServer1 now, and not DomainController1.
I guess that's why I get the error: it's trying to perform it on a non-Domain Controller.
Other information:
The "Get-Adcomputer TestPC" works fine with Non-Domain Admin account on a PC where RSAT / Admin tools are installed.
"Exit-PSSession" and "Remove-PSSession MemberServer1" do not help.
So, how can I either:
Import the AD module from a DC without being Domain Admin?
After importing the AD module from MemberServer1, change the "active" computer to be any DC?
Solve my problem in another way?
Thanks
Build a remote constrained session on one or more of your DCs.
Create a function for removing a computer from that group, and constrain the session to just being able to run that function. You can use a delegated account if the users don't have permission directly (If you have WMF 5 installed on the DC, you can use a virtual account).
The users can use Enter-PSSession to enter that session and run the function manually, or you can give them a local function that will do it using Invoke-Command directed at that session.
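Added example, not the answerer's code: a constrained endpoint of the kind described above, built with the JEA cmdlets that ship with WMF 5. It registers a session configuration on the DC that exposes exactly one function and runs it under a virtual account, so the calling user never holds AD rights directly. All names (module JeaComputerGroups, role ComputerGroupOps, group CONTOSO\PC-Group-Operators, AD group Legacy-PCs, transcript path) are assumptions for the example; DomainController1 is the name from the question.

```powershell
# Added example, not from the answer: a constrained endpoint on a DC that exposes one
# function and runs it under a virtual account (WMF 5+ / JEA). Run once on the DC as
# a domain admin. Names below are assumptions for the example, not from the question.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaComputerGroups'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'JeaComputerGroups.psd1')

# Role capability: the only command a connected user can run. The parameter is
# validated so the function cannot be steered at arbitrary identities.
$removeFn = @{
    Name        = 'Remove-ComputerFromLegacyGroup'
    ScriptBlock = {
        param(
            [Parameter(Mandatory)]
            [ValidatePattern('^[A-Za-z0-9\-]{1,15}$')]
            [string]$ComputerName
        )
        # Executes as the virtual account (a member of the DC's built-in Administrators
        # group); the caller only ever sees this function.
        Remove-ADGroupMember -Identity 'Legacy-PCs' -Members "$ComputerName$" -Confirm:$false
        "Removed $ComputerName from Legacy-PCs"
    }
}
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ComputerGroupOps.psrc') `
    -ModulesToImport ActiveDirectory `
    -FunctionDefinitions $removeFn `
    -VisibleFunctions 'Remove-ComputerFromLegacyGroup'

# Session configuration: no interactive shell features, virtual account, transcripts
# of every session, and a mapping from the AD group to the role above.
New-Item -ItemType Directory -Path 'C:\JeaTranscripts' -Force | Out-Null
$pssc = Join-Path $env:TEMP 'ComputerGroupOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\PC-Group-Operators' = @{ RoleCapabilities = 'ComputerGroupOps' } }
Register-PSSessionConfiguration -Name ComputerGroupOps -Path $pssc -Force

# ---- On any PC, as an ordinary user who is in CONTOSO\PC-Group-Operators ----
# No RSAT needed on the PC; the AD module is loaded on the DC side only.
$me = $env:COMPUTERNAME
Invoke-Command -ComputerName DomainController1 -ConfigurationName ComputerGroupOps `
    -ScriptBlock { Remove-ComputerFromLegacyGroup -ComputerName $using:me }
```

The virtual account is a local administrator on the host it runs on, which on a domain controller is a powerful identity; -RunAsVirtualAccountGroups or -GroupManagedServiceAccount on New-PSSessionConfigurationFile can narrow that when the function needs less. Enter-PSSession with -ConfigurationName ComputerGroupOps works for the manual case the answer mentions, and the transcript directory is where to look when auditing who removed what.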

PowerShell remoting does not have the correct permissions

On the non-domain server SERVER I have a local administrator account USER.
On the domain client machine I am running as a domain user.
Using the following code I attempt to view all services on SERVER
$cred = Get-Credential "SERVER\USER"
Invoke-Command -ComputerName SERVER -ScriptBlock {Get-Service} -Credential $cred
However, I receive the following error
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
Yet, if I RDP to SERVER as USER, I can manually open a Powershell window and run Get-Service without any issues. What's going on?
When remoting cross-domain, the remote command/session will not run with administrative rights. Even though you're connecting as a local admin, the resulting PSSession will not be elevated.
To fix this, you need to set the registry value LocalAccountTokenFilterPolicy located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 1. See Microsoft for more details.
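Added example, not from the answer: the script below first shows how to confirm that the remote session is running with a UAC-filtered token (the Administrators SID is present but marked deny-only, so the elevation check returns False), then applies the registry change from the answer on SERVER itself and re-runs the check. SERVER\USER is the account from the question.

```powershell
# Added example, not from the answer: detect a filtered (non-elevated) remote token,
# then set LocalAccountTokenFilterPolicy on SERVER. Uses SERVER\USER from the question.

$cred = Get-Credential -UserName 'SERVER\USER' -Message 'Local admin on SERVER'

function Test-RemoteElevation {
    param([string]$ComputerName, [pscredential]$Credential)
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        # With a filtered token the Administrators SID is deny-only, so IsInRole is False
        # even though the account is in the Administrators group.
        [pscustomobject]@{
            User     = $id.Name
            Elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                           [Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    }
}

# Before the change: Elevated is False, which is why Get-Service cannot open the SCM.
Test-RemoteElevation -ComputerName SERVER -Credential $cred

# ---- On SERVER itself, in an elevated console or RDP session ----
# The unelevated remote session cannot write HKLM, so this step has to run locally.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
# Caveat: this disables UAC remote restrictions for every member of the local
# Administrators group, over SMB as well as WinRM. A domain account, or a constrained
# endpoint that runs as a virtual account, avoids widening that exposure.

# ---- Back on the client: Elevated is now True ----
Test-RemoteElevation -ComputerName SERVER -Credential $cred
```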

Access Denied when calling SharePoint Import-SPWeb cmdlet remotely

I am currently trying to import a SharePoint 2013 site into a single server farm via the Import-SPWeb PowerShell cmdlet. It is a pretty straightforward process, except the twist is that I need to do it remotely from another machine by using Invoke-Command. This remote machine calls Invoke-Command and invokes the following script on the SharePoint server, which I called SPOINT13SSS.
Below you will find the content of both the call and the script.
CALL (from remote machine to SPOINT13SSS):
Invoke-Command -ComputerName SPOINT13SSS.sandbox.local -Authentication CredSSP -Credential $spusercreds[0] -ArgumentList "SPOINT13SSS" -FilePath C:\Users\rsmith\Desktop\SPScripts\Framework\Create\Create_SPSite.ps1
SCRIPT:
$spserver = $args[0]
Add-PSSnapin Microsoft.SharePoint.Powershell
Write-Host "[INFO] SP Server is $spserver"
Write-Host "[INFO] Beginning Import of the Site Collection into SharePoint for testing..."
try{Import-SPWeb http://$spserver -Path C:\SP13Install\siteexport.cmp -UpdateVersions Overwrite}
catch{Write-Error "[ERROR] Importing the Site Collection failed. Please make sure that the siteexport.cmp file exists and that you have proper access permissions to both the file and the SharePoint database."}
The issue I'm having - When I run
Import-SPWeb http://$spserver -Path C:\SP13Install\siteexport.cmp -UpdateVersions Overwrite
on SPOINT13SSS, the import works just fine, no flaws.
When I run it remotely, however, I get the following error:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo : InvalidData: (Microsoft.Share...CmdletImportWeb:SPCmdletImportWeb) [Import-SPWeb], UnauthorizedAccessException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletImportWeb
+ PSComputerName : SPOINT13SSS.sandbox.local
I have made sure that the user I am authenticating with via CredSSP has the following privileges:
Farm Administrator
Site Collection Administrator
Local Administrator on SPOINT13SSS
I am also 100% sure that the credentials are correct because I have other scripts called via Invoke-Command with this PSCredential and they work fine.
In addition, I have also tried fiddling with the NTFS Permissions on C:\SP13Install\siteexport.cmp (Everyone - Access Full control) and can't seem to get this to work. I also attempted to share the folder. I can access it from the remote machine, read and write to it, but I just can't Invoke this command from the remote machine to SPOINT13SSS.
I solved the issue by assigning the account as the service account for the web application pool where the site collection resides and resetting IIS via iisreset /noforce

Enable PowerShell remoting on new Azure VM

I've created a new VM in Windows Azure to use to act as a host to learn a bit of Powershell Remoting. After the VM was created I RDP'd onto the box and enabled remoting via the following command:
Enable-PSRemoting
I confirmed both prompts with 'a' replies and it finished without errors. If I run
Get-PSSessionConfiguration
I can see that three endpoints (?) have been set up. In the Azure portal I can see that the Powershell port is open - both 5986 is open as a public and private port.
I've added the public IP address of the machine to my hosts file, but when I try the following:
Enter-PSSession -ComputerName AZURESERVERNAME
I get an error:
Enter-PSSession : Connecting to remote server AZURESERVERNAME failed
with the following error message : A specified logon session does not
exist. It may already have been terminated. For more information, see
the about_Remote_Troubleshooting Help topic. At line:1 char:1
+ Enter-PSSession -ComputerName AZURESERVERNAME
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (AZURESERVERNAME:String) [Enter-PSSession],
PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
I've also tried setting all hosts as trusted as follows:
cd wsman::localhost\client
Set-Item .\TrustedHosts *
Restart-Service WinRM
But that doesn't seem to have helped either.
Is there anything else I need to do to get this working?
Thanks
OK, figured this out thanks to the awesome Secrets of Powershell Remoting ebook. Looks like you must add the machine directly to the TrustedHosts via IP address:
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '11.22.33.44'
Then use that IP address and specify credentials in the Enter-PSSession:
Enter-PSSession -ComputerName 11.22.33.44 -Credential 11.22.33.44\username
You should then get a prompt for your password and voila! :)
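Added example, not the answerer's code: the question set TrustedHosts to *, which tells this client it may send NTLM credentials to any host that answers. The script narrows that to the single VM (using the answer's placeholder address 11.22.33.44) and then shows the cleaner option the question already opened up: the HTTPS listener on port 5986, where the listener certificate authenticates the server and TrustedHosts is not consulted at all. AZURESERVERNAME.cloudapp.net stands in for the DNS name on that certificate.

```powershell
# Added example, not from the answer: tighten the client trust settings from the
# question and connect over the HTTPS listener (5986) instead of HTTP.
# 11.22.33.44 is the answer's placeholder address; the FQDN below is a placeholder too.

$vmIp   = '11.22.33.44'
$vmFqdn = 'AZURESERVERNAME.cloudapp.net'   # must match the CN of the listener certificate

# 1. Current client trust list. '*' (from the question) lets any host receive this
#    client's NTLM credentials; keep it to the one VM you actually talk to.
Get-Item -Path WSMan:\localhost\Client\TrustedHosts
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $vmIp -Force

$cred = Get-Credential -UserName "$vmIp\username" -Message 'Local account on the VM'

# 2. HTTP/5985 path, as in the answer: works only because of the TrustedHosts entry.
Test-WSMan -ComputerName $vmIp -Credential $cred -Authentication Negotiate | Out-Null

# 3. HTTPS/5986 path: server identity comes from the certificate, the session is TLS
#    protected, and TrustedHosts plays no part. Connect by the name on the certificate.
Test-WSMan -ComputerName $vmFqdn -Port 5986 -UseSSL -Credential $cred -Authentication Negotiate | Out-Null
Enter-PSSession -ComputerName $vmFqdn -Port 5986 -UseSSL -Credential $cred
```

If the listener uses a self-signed certificate, import its public certificate into the client's Trusted Root store once; that is preferable to passing New-PSSessionOption -SkipCACheck -SkipCNCheck on every call, which discards exactly the server authentication HTTPS was meant to add.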
I've successfully created a SharePoint farm in Azure using the scripts from Automated-Deployment-of-SharePoint-2013-with-Windows-Azure-PowerShell
On that page there are steps that configure PowerShell to work with Azure
Set-ExecutionPolicy ByPass
Enable-PSRemoting
Enable-WSManCredSSP -role client -delegatecomputer "*.cloudapp.net"
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain"
Set-ItemProperty $regKey -Name WSMan -Value "WSMAN/*.cloudapp.net"
Get-AzureSubscription -ExtendedDetails
You may also need to do this:
Run GPEdit.msc. You must also enable delegating of fresh credentials using the Group Policy Editor on your client machine: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation, and then change the state of "Allow Delegating Fresh Credentials with NTLM-only server authentication" to "Enabled." Its default state will say "Not configured."
In the Add Servers section add the following:
WSMAN/*.cloudapp.net
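Added example, not from the answer above: the snippet enables CredSSP with -delegatecomputer "*.cloudapp.net", which lets this client hand its full credential to every host in that domain. The script below scopes the delegation to one host, checks what is configured, runs a command that needs the second hop with -Authentication CredSSP, and removes the client-side setting afterwards. AZURESERVERNAME.cloudapp.net and \\FILESERVER\share are placeholders.

```powershell
# Added example, not from the answer: CredSSP limited to one delegate host, verified,
# used, and then switched off again. Host and share names are placeholders.

$target = 'AZURESERVERNAME.cloudapp.net'

# Client side: only this host may receive the credential. With CredSSP the server
# gets the reusable credential itself, so the delegate list is the security boundary.
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force | Out-Null

# Shows the client/server state and the AllowFreshCredentials entries that the
# answer's registry edit also writes; confirm nothing broader than $target is listed.
Get-WSManCredSSP

# (The server side needs Enable-WSManCredSSP -Role Server once, run on the VM.)

$cred = Get-Credential -Message 'Account to delegate to the VM'

Invoke-Command -ComputerName $target -Authentication CredSSP -Credential $cred -ScriptBlock {
    # Because the VM now holds the credential, a further hop succeeds here,
    # which is exactly what a plain Negotiate session cannot do.
    [pscustomobject]@{
        RunningAs   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        SecondHopOk = Test-Path -Path '\\FILESERVER\share'   # placeholder share
    }
}

# Leave the delegation policy in place only for as long as the job needs it.
Disable-WSManCredSSP -Role Client
```

Get-WSManCredSSP is the quickest way to audit a workstation for leftover wildcard delegation entries; an entry of WSMAN/* or WSMAN/*.cloudapp.net means the credential can be delegated to any host matching that pattern, not just the one the script intended.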