What are the permissions required for CIMSessions - powershell

I need to query some WMI classes on Servers that I do not have permissions.
Here is the error I get when I run it.
PS> get-ciminstance -ComputerName test.mydomain.com -ClassName Win32_OperatingSystem
get-ciminstance : Access is denied.
At line:1 char:1
+ get-ciminstance -ComputerName test.mydomain.com -ClassName Win32_Operating ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (root\cimv2:Win32_OperatingSystem:String) [Get-CimInstance], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070005,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
+ PSComputerName : test.mydomain.com
Right now server has PowerShell 2, so it uses DCOM but I will get the PowerShell upgraded and configured to allow WSMAN connections.
But what are the permissions that need to be granted to the account?

By default, Administrators (local) and Authenticated Users (domain) have at least read rights to the namespace. You need to ensure you can login/authenticate to the server. It's worth mentioning that the Authenticated Users group does not have Remote Enable permission by default.
The Windows OS uses WinRM for CIM cmdlets and the user account needs to be an administrator. WinRM makes a local group called WinRMRemoteWMIUsers_ and gives access to just the Administrators group and WinRMRemoteWMIUsers_. To add a user to that group use the following command:
net localgroup WinRMRemoteWMIUsers__ /add "domain\user"
The abstract answer is simply that you need to be granted Enable Account and Remote Enable permissions to the Namespace to have WMI read rights remotely.
Process to Verify WMI Permissions
Login to the server and launch mmc.exe. Add the WMI snapin and once it loads, right click on WMI Control. When the Properties window opens, click security, expand root and select cimv2. Click the security button and view who is granted access and what access is granted.
Script to Test w/ DCOM
If you want to test using DCOM, or need to because the server OS is too old, use this script:
$Computer = thisbox.domain.com
$CimOption = New-CimSessionOption -Protocol Dcom
$CimSession = New-CimSession -ComputerName $Computer -SessionOption $CimOption
Get-CimInstance -ClassName win32_operatingsystem -CimSession $CimSession

Related

How to get CDROMDrive info from VMware Windows guest VM without enabling WinRM?

I need to get CDDrive info and execute setup file on remote guest VM in vmware without enabling winrm service in remote machine. I have tried to access using powercli command invoke-VMScript too. I doesn't work
PowerCLI D:\Program Files\PowerCli> Get-WmiObject -Query "select * From WIn32_CDROMDrive" -ComputerName "nalb00cava1" | Format-List
Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005(E_ACCESSDENIED))
At line:1 char:1
+ Get-WmiObject -Query "select * From WIn32_CDROMDrive" -ComputerName "VM1 ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
PowerCLI D:\Program Files\PowerCli> Get-WmiObject -Query "select * From WIn32_CDROMDrive" -ComputerName "VM1.xxx.com" | Format-List
Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005(E_ACCESSDENIED))
At line:1 char:1
+ Get-WmiObject -Query "select * From WIn32_CDROMDrive" -ComputerName "VM1 ...
+ CategoryInfo : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
help would be appreciated.....
It looks like you are taking this approach for your use case.
Tip: Work Remotely with Windows PowerShell without using Remoting or WinRM
Some cmdlets have a –ComputerName parameter that lets you work with a
remote computer without using Windows PowerShell remoting. This means
you can use the cmdlet on any computer that is running Windows
PowerShell, even if the computer is not configured for Windows
PowerShell remoting. These cmdlets include the following:
Get-WinEvent
Get-Counter
Get-EventLog
Clear-EventLog
Write-EventLog
Limit-EventLog
Show-EventLog
New-EventLog
Remove-EventLog
Get-WmiObject
Get-Process
Get-Service
Set-Service
Get-HotFix
Restart-Computer
Stop-Computer
Add-Computer
Remove-Computer
Rename-Computer
Reset-ComputerMachinePassword
Because these cmdlets don’t use remoting, you can run any of these
cmdlets on a remote computer in a domain simply by specifying the name
of one or more remote computers in the –ComputerName parameter.
However, Windows policies and configuration settings must allow remote
connections, and you must still have the appropriate credentials.
However, relative to WMI, additional setup is needed for success.
Access is denied.
Which permissions/rights does a user need to have WMI access on remote machines?
The following works on Window 2003 R2 SP 2, Windows Server 2012 R2
Add the user(s) in question to the Performance Monitor Users group
Under Services and Applications, bring up the properties dialog of
WMI Control (or run wmimgmt.msc). In the Security tab, highlight
Root/CIMV2, click Security; add Performance Monitor Users and enable
the options : Enable Account and Remote Enable
Run dcomcnfg. At Component Services > Computers > My Computer, in
the COM security tab of the Properties dialog click "Edit Limits"
for both Access Permissions and Launch and Activation Permissions.
Add Performance Monitor Users and allow remote access, remote
launch, and remote activation.
Select Windows Management Instrumentation under Component Services > Computers > My Computer > DCOM Config and give Remote Launch and Remote Activation privileges to Performance Monitor Users Group.
Notes:
As an alternatively to step 3 and 4, one can assign the user to the group Distributed COM Users (Tested on Windows Server 2012 R2)
If the user needs access to all the namespaces, you can set the settings in 2. at the Root level, and recurse the permissions to the
sub-namespaces via the Advanced window in Security
Lastly, you don't say what your environment is, domain, where your machine and VM are in the same domain or if you are in workgroup mode. If it is the latter, then that is a different can of worms to deal with.

find service account on remote hosts

Could you please advise how to find all servers where a specific service account is being used to start Windows services?
I am trying this in PowerShell with these code:
Clear-Host
$address = Get-Content '.\asg connections.csv'
$serviceName = "startname='NT AUTHORITY\\LocalService'"
gwmi Win32_Service -Filter $serviceName -Computer $address
Above piece of code works for "localhost", but gives below error for the remote hosts:
gwmi : Access is denied. (Exception from HRESULT: 0x80070005
(E_ACCESSDENIED))
At F:\Temp\powershell\play.ps1:30 char:1
+ gwmi win32_service -filter $serviceName -computer $address
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
When you use PowerShell remoting you implicitly trying to use the credentials your current Windows session is logged into your machine with on the target machines.
It looks like you do not have any rights with your current set of credentials on those machines.
Are the target machines joined into the same domain as your current user credentials?
If you have a set of working credentials you can log onto those machines with, you can add it in your command with:
Clear-Host
#Promts you for the username and password you wish to save to a credential object
$Cred = Get-Credential
$address = Get-Content '.\asg connections.csv'
$serviceName = "startname='NT AUTHORITY\\LocalService'"
gwmi Win32_Service -Filter $serviceName -Computer $address -Credential $Cred
If the script needs to run automated there are a few different ways to save credential passwords either into an encrypted textfile that can only be decrypted by the user account that encrypted it, or using the build in Windows Credential Vault.

PowerShell Remote Access Configuration

Trying to configure remote PowerShell access on a server but cannot avoid access denied errors.
What I have done:
Register-PSSessionConfiguration
-Name EngrStudentAdmin
-RunAsCredential domain\delegatedAdmin
-StartupScript 'C:\Scripts\Students\Welcome.ps1'
-ShowSecurityDescriptorUI
(on a single line - displaying above for readability)
Using the permissions GUI, I granted the group DelegatedAdmins Read and Execute permissions. The startup script is just filler.
$welcome = 'Welcome to ' + $env:COMPUTERNAME
Write-Host $welcome
Attempting to connect to the endpoint with
Invoke-Command
-ComputerName $server
-ConfigurationName EngrStudentAdmin
-ScriptBlock { hostname }
fails with the error
AuthorizationManager check failed.
+ CategoryInfo : OpenError: (engr-mgr1.domain.edu:String) [], RemoteException
+ FullyQualifiedErrorId : PSSessionStateBroken
The execution policy on the server is RemoteSigned and the startup script is signed.
The account used to access the server is a member of the DelegatedAdmins group.
Opening a local shell as delegatedAdmin shows that the account has permission to run the startup script.
Using a member of the local admins group, the Invoke-Command, without the ConfiguationName switch (i.e. connecting to the default endpoint), executes so the winrm service is running and PSRemoting enabled.
The delegatedAdmin account has no profile.
What am I missing?
Check that the WMI service is enabled and running, if it's disabled try starting it and then retrying.
Also check the properties of the actual file, it might have been blocked.
are both Domain joined? If not you might take several further steps.
In general: Try this on the remote system: Enable-PSRemoting -Force -Verbose If you see nothing, it was already applied. If not, this will make alle necessary changes for you.
Just in case: Check your Firewall settings :-)
As Dewi mentioned: Check the WMI Service.
Here is a quick hack to enable it (if you want to enforce it):
# Configure WMI
Set-Item -Path wsman:\localhost\client\trustedhosts -Value * -Force -Confirm:$False
# Restart
Restart-Service -Name WinRM -Force
Last but not least: Use the -verbose switch to see more details.
Like this:
New-PSSession -ComputerName $ComputerName -Credential $credencial -Verbose
Cheers
Josh

"get-wmiobject win32_process -computername" gets error "Access denied , code 0x80070005"

i'm trying to find processes on 3 terminal servers which have certain words in its $_.commandline property. Under my domain admin account, it worked OK. But I want this script to be usable for domain users, and doamin users get an error when runing this script.
What should i do, so that domain users can run this script just like domain admins? Thanks in advance!
Error:
Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESS DENIED))
At N:\FindWhoIsUsing\FindWhoIsUsing.ps1:7 char:18
get-wmiobject <<<< win32_process -computername $server -EnableAllPrivileges|
CategoryInfo : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
Powershell Code:
Write-host "Who is using this profile?"
$profile = Read-host "specify profile name"
$servers = #("server-01","server-02","server-03")
Foreach($server in $servers)
{
Write-host $server
get-wmiobject win32_process -computername $server -EnableAllPrivileges|
where{$_.name -like "*Processname*" -and
$_.CommandLine -like "*$profile*"}|
select #{n="Server";e={$server}},#{n="User";e={$_.getowner().user}},#{n="ProcessID";e= {$_.ProcessID}},{$_.CommandLine}|fl
}
Write-host "DONE Searching!"
Ok here are the steps:
Launch "wmimgmt.msc"
Right-click on "WMI Control (Local)" then select Properties
Go to the "Security" tab and select "Security" then "Advanced" then "Add"
Select the user name(s) or group(s) you want to grant access to the WMI and click ok
Grant the required permissions, I recommend starting off by granting all permissions to ensure that access is given, then remove permissions later as necessary.
Ensure the "Apply to" option is set to "This namespace and subnamespaces"
Save and exit all prompts
Add the user(s) or group(s) to the Local "Distributed COM Users" group. Note: The "Authenticated Users" and "Everyone" groups cannot be added here, so you can alternatively use the "Domain Users" group.
In my case, I was connecting from a Domain server to a Workgroup server and needed to set a registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy=1

Get-WmiObject credentials not working when scheduled

I have a Powershell script to detect disk space on a network server that requires a user/password to access it.
I followed this: http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/440ab7ed-7727-4ff7-a34a-6e69e2dff251/
To get this code:
$password = get-content C:\creds.txt | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "username",$password
Get-WmiObject -ErrorAction Stop Win32_LogicalDisk -ComputerName $deviceName -credential $cred -Filter "DeviceID='$darg'"
$deviceName and $darg are already correctly defined.
This works just fine when running the Powershell script manually. But when I set it up as a Windows schedule task, it fails thinking the user/pass is incorrect:
Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESS
DENIED))
$disks = Get-WmiObject <<<< -ErrorAction Stop Win32_LogicalDisk -ComputerName $deviceName -credential $cred -Filter
"DeviceID='$darg'"
+ CategoryInfo : NotSpecified: (:) [Get-WmiObject], Unauthorized AccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
Why is this? (The account is a local user on the remote server. I've tried entering the credentials on the Schedule interface but it doesn't let me save it, saying invalid login; maybe due to being a local account) ServerName\LocalUser does not work in the Windows Schedule UI, still gives the incorrect login error.
Here is my comment, re-worded as an answer.
The convertto/from-securestring functions work on a per-user basis (if you don't provide a specific key value). IOW, one user can't read another user's data.
This pre-existing SO question seems relevant. There is also relevant discussion at Powershellcommunity.org.
why dont you set the task to run under the user account and run the wmi request without credential ?