Access Denied when calling SharePoint Import-SPWeb cmdlet remotely - powershell

I am currently trying to import a SharePoint 2013 site into a single server farm via the Import-SPWeb PowerShell cmdlet. It is a pretty straightforward process, except the twist is that I need to do it remotely from another machine by using Invoke-Command. This remote machine calls Invoke-Command and invokes the following script on the SharePoint server, which I called SPOINT13SSS.
Below you will find the content of both the call and the script.
CALL (from remote machine to SPOINT13SSS):
Invoke-Command -ComputerName SPOINT13SSS.sandbox.local -Authentication CredSSP -Credential $spusercreds[0] -ArgumentList "SPOINT13SSS" -FilePath C:\Users\rsmith\Desktop\SPScripts\Framework\Create\Create_SPSite.ps1
SCRIPT:
$spserver = $args[0]
Add-PSSnapin Microsoft.SharePoint.Powershell
Write-Host "[INFO] SP Server is $spserver"
Write-Host "[INFO] Beginning Import of the Site Collection into SharePoint for testing..."
try{Import-SPWeb http://$spserver -Path C:\SP13Install\siteexport.cmp -UpdateVersions Overwrite}
catch{Write-Error "[ERROR] Importing the Site Collection failed. Please make sure that the siteexport.cmp file exists and that you have proper access permissions to both the file and the SharePoint database."}
The issue I'm having - When I run
Import-SPWeb http://$spserver -Path C:\SP13Install\siteexport.cmp -UpdateVersions Overwrite
on SPOINT13SSS, the import works just fine, no flaws.
When I run it remotely, however, I get the following error:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo : InvalidData: (Microsoft.Share...CmdletImportWeb:SPCmdletImportWeb) [Import-SPWeb], UnauthorizedAccessException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletImportWeb
+ PSComputerName : SPOINT13SSS.sandbox.local
I have made sure that the user I am authenticating with via CredSSP has the following privileges:
Farm Administrator
Site Collection Administrator
Local Administrator on SPOINT13SSS
I am also 100% sure that the credentials are correct because I have other scripts called via Invoke-Command with this PSCredential and they work fine.
In addition, I have also tried fiddling with the NTFS Permissions on C:\SP13Install\siteexport.cmp (Everyone - Access Full control) and can't seem to get this to work. I also attempted to share the folder. I can access it from the remote machine, read and write to it, but I just can't Invoke this command from the remote machine to SPOINT13SSS.

I solved the issue by assigning the account as the service account for the web application pool where the site collection resides and resetting IIS via iisreset /noforce

Related

getting error while copying file to remote location using powershell scripts in gitlab runner

I am setting up a GitLab CI/CD pipeline to copy the war file using PowerShell copy-item function. I am getting below error in the pipeline. the user is already an administrator on the gitlab runner computer.
[servername] Connecting to remote server name failed with the
following error message: Access is denied. For more information, see
the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (servername:String) [], PSRemotingT ransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken ERROR: Job failed: exit status 1
Here is my script in .yml file.
GitLab Runner registered in windows server.
Here is my script in .yml file.
envvariable_username - Environment variable configured in gitlab CI/CD settings page
$envvariable_password - Environment variable configured in gitlab CI/CD settings page
- powershell Invoke-Command -ComputerName computer_name -argumentlist $envvariable_username,$envvariable_password -ScriptBlock {
$password = convertto-securestring -String $envvariable_password -AsPlainText -Force
$mycred = new-object -typename System.Management.Automation.PSCredential $envvariable_username, $password
New-PSDrive -Name "s" -PSProvider FileSystem -root "\\\\computer_name\\share" -Credential $mycred
New-PSDrive -Name "z" -PSProvider FileSystem -root "\\\\computer_name\\backup" -Credential $mycred
Copy-Item -Path "s:\\sample.war" -Destination "z:\\sample.war"
}
expected to copy .war file from one server location to another server location
Looking at your script, you try to execute a script block on a remote server without specifying credentials. That means that either the server has no restrictions or you assume that both servers belong to the same domain, so kerberos will be utilized.
In my experience, when the second is the case, most people forget to evaluate on who's behalf is the script executing. Keep in mind that a process inherits the user context of the parent process unless otherwise specified.
That would mean that the user running your script doesn't have the necessary access to the remote server. You can always evaluate this by first doing this $env:USERDOMAIN + "\" + $env:USERNAME
For example a line in your yaml
- powershell $env:USERDOMAIN + "\" + $env:USERNAME
So when you debug something from a console that you launched with your user, then you don't have 100% replication of the conditions as you are forgetting the most important aspect of any process, that is the logon user.
Then, if this works, I've noticed that from the remote server you are trying to access another remote location. I notice that you are specifying credentials for this part if please do note that if from within a remote session, you try to access any remote resource, then you need to be aware of some caveats. Please read more about them hereand especially the one specific to the double hop.
As a word of advice, best way to troubleshoot scripts that utilize remote execution, is to logon on the server with the same user as with the services that runs your scripts, thus replication the conditions 100%. It is also possible to launch only the console with the credentials of another user.

Enter-PSSession unable to remote into a remote desktop

I am trying to remote into another desktop using Powershell's Enter-PSSession to run a script automatically, however, i am not even able to connect to the remote desktop.
Enter-PSSession -Computername 172.16.164.14 -credential $cred
But it says access is denied. This is the error message:
Enter-PSSession : Connecting to remote server 172.16.164.14 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
I also tried using:
Invoke-Command -ComputerName 7450-56Z0BP2 -FilePath -C:\user_automation\automate.vbs -credential $cred
where 7450-56Z0BP2 is the hostname, but the error it gave me is:
[7450-56Z0BP2] Connecting to remote server 7450-56Z0BP2 failed with the following error message : WinRM cannot process the request.
I am not sure what could be the cause of me not being able to access the remote computer. I am able to access it via RDP, but I am not able to log in using the powershell script.
PowerShell Remoting is not Remote Desktop, they are both setup differently, use different components and do not really share any commonality.
Permissions are not linked between the two, just because you can RDP to a computer does not mean you have PSRemoting permissions.
You use PSRemoting you need to run Enable-PSRemoting on the remote machine. This sets up all the requirements: settings, firewall rules and services. This command needs to be run as a user with Administrator permissions on the remote machine.
Once this is setup, you will be able to connect using Enter-PSSession / Invoke-Command
Your code to run a vbscript remotely won't work because the FilePath param is for a PowerShell script. To run a vbscript remotely you need to call cscript:
Invoke-Command -ComputerName '7450-56Z0BP2' -ScriptBlock { cscript.exe "C:\user_automation\automate.vbs" } -Credential $cred
This is permissions problem, not powershell remoting problem.
Your error is "access denied"(Your example 1) , not "could not connect".
Essentially being able to log on using remote desktop requires different permissions than being able to use psremoting.
Here is how You check on target servers what security group membership will allow You to use psremoting:
PS C:> (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllo
wed
While remote desktop is granted by being a member of Remote Desktop Users group or local administrators group.
You need to enable PowerShell Remoting on Remote Server as Follows:
Allowing remote PowerShell Windows Endpoint access
Open a PowerShell session as Administrator.
Execute the following command to open the PowerShell Endpoint security windows:
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force
Click Add.
Select the desired user to include to the list.
Enable Read and Execute permissions.
Click OK to apply your change.

Powershell. Load AD module and perform AD action

Short explanation:
We have more than 1000 PCs (Win7+8+10)
On the PCs, I would like to run a script that can remove a Computer Account from a group. (In the code examples below I'm using Get-AdComputer as it gives the same error)
I need to do this without Domain Admin rights.
The PC's do not have RSAT / Admin Tools installed.
First I tried:
$Session = New-PSSession -ComputerName DomainController1
Import-PSSession -Session $Session -Module ActiveDirectory
Get-Adcomputer TestPC
With Domain Admin account, it works just fine.
With Non Domain Admin account it fails the 1. line with:
New-PSSession : [DomainController1] Connecting to remote server DomainController1 failed with the following error message : Access is denied
Then I installed RSAT/Admin tools on a member server and tried to import AD module from that server:
$Session = New-PSSession -ComputerName MemberServer1
Import-PSSession -Session $Session -Module ActiveDirectory
Get-Adcomputer TestPC
The Import of the ActiveDirectory module is fine, with both Domain Admin account and non-Domain Admin account, but I get an error when running the "Get-Adcomputer TestPC" command:
Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
+ CategoryInfo : ResourceUnavailable: (TestPC:ADComputer) [Get-ADComputer], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
+ PSComputerName : MemberServer1
I notice the PSComputername is the Memberserver1 now, and not the DomainController1.
I guess thats why I get the error: It's trying to perform it on a non Domain Controller
Other information:
The "Get-Adcomputer TestPC" works fine with Non-Domain Admin account on a PC where RSAT / Admin tools are installed.
"Exit-PSSession" and "Remove-PSSession Memberserver1" does not help
So: How can I either :
Import the AD module from a DC, without beeing Domain Admin?
After Import of AD module from MememberServer, change "active" computer to be any DC?
Solve my problem in another way?
Thanks
Build a remote constrained session on one or more of your DCs.
Create a function for removing a computer from that group, and constrain the session to just being able to run that function. You can use a delegated account if the users don't have permission directly (If you have WMF 5 installed on the DC, you can use a virtual account).
The users can use Enter-PSSession to enter that session and run the function manually, or you can give them a local function that will do it using Invoke-Command directed at that session.

Powershell remoting does not have the correct permissions

On the non-domain server SERVER I have a local administrator account USER.
On the domain client machine I am running as a domain user.
Using the following code I attempt to view all services on SERVER
$cred = Get-Credential "SERVER\USER"
Invoke-Command -ComputerName SERVER -ScriptBlock {Get-Service} -Credential $cred
However, I receive the following error
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
Yet, if I RDP to SERVER as USER, I can manually open a Powershell window and run Get-Service without any issues. What's going on?
When remoting cross-domain, the remote command/session will not run with administrative rights. Even though you're connecting as a local admin, the resulting PSSession will not be elevated.
To fix this, you need to set the registry key LocalAccountTokenFilterPolicy located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 1. See Microsoft for more details

Remote PowerShell rights

I am working on a script that i want to store centrally and run on a few different servers.
I have problems getting kerberos to work so i am using local accounts for now.
The target server is properly configured and a local admin account has been created for my script.
I am able to connect to the server and run local scripts with:
Enter-PSSession -ComputerName server01 -Credential server01\localusername
I am able to do some basic commands like dir.
I logged in on the central repo server and created the exact same username and exact same password.
I am able to browse to that directory from the target server by using:
cd \\server02\folder\
in PowerShell.
Now, i try to connect trough Remote Powershell with:
Enter-PSSession -ComputerName server01 -Credential server01\localusername
cd \\server02\folder\
I get the following error:
cd : Access is denied
+ CategoryInfo : PermissionDenied: [...]
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.SetLocationCommand
How can i get the browsing to external computers working trough remote PowerShell?