I have Powershell script that makes backups of all Event logs on current localhost.
It runs from Task Scheduler with "Run with highest privileges" under restricted account (this account only has Backup Operator rights). Script itself can be found here
OS: Windows Server 2008 R2, UAC is turned off.
The problem appears in the following line:
$Eventlogs = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $computer
In returned collection of Event logs Security log is missing and as result isn`t backuped. All other are present.
If the same script is run directly from Powershell using the same account - Security log is present.
Granting local Admin rights to account solves the issue but isn`t applicable.
Do you have any ideas what may be causing such behaviour? Appreciate any help!
I have not done a lot of research on this but I once encountered a similar problem. Using the switch -EnableAllPrivileges in the first call of get-WmiObject solved it for me.
Related
I am attempting to automate the Skype for Business Server installation process in Powershell, I have a script that remotes into specified machines and begins preparing them as Front-End servers. The problem lies when certain SfB cmdlets (SfB commands are all of the form "verb-Cs...", ex. Get-CsUser or Get-CsPool) are run in remote sessions, they throw the double-hop error:
Exception: Active Directory error "-2147016672" occurred while searching for domain controllers in domain...
This is after running Enable-CsComputer, which enables the computer's role-based off its definition in the topology (topology was published successfully). The user object is in all required groups (RTCUniversalServerAdmins, Schema Admins, CsAdministrators & Local Admin rights on all SfB Servers). Oddly enough, the command 'Import-CsConfiguration -localstore" does not throw errors, and it's in the same remote session. There may be other local or domain groups that I need to be in, but I cannot pinpoint exactly which and have not seen them documented in the Skype build guides. Skype commands that have parameters to specify targets or just pull data, such as Get-CsPool or Get-CsAdForest, do not have errors because they are run in the local scope. The Enable-CsComputer has no parameter for the computer name, it has to be executed from that machine itself.
Enabling CredSSP delegation on each server is not an option, and I'm not understanding why there is a "second hop" in this command! If the second hop was a resource on a file server or database, that would make sense, and be easy to solve, but in this case, I can't track it. Can anyone tell me what I may be missing?
Here's a code sample to try and illustrate. From the jumbox I get the pool data to create an array, and a session is opened to each machine:
$ServerArray =get-cspool -identity $poolName
$i=0
$SessionArray = #{}
foreach($server in $ServerArray.Computers){$SessionArray[$i] = new-PsSession -ComputerName $server}
foreach($session in $SessionArray.values){
invoke-Command -session $session -scriptBlock {
#remote commands:
import-csConfiguration -<config file path> -localstore; #no errors
enable-CsReplica; #no errors
enable-cscomputer; #double hop error here
}}
If I log into that machine and run the same command, it executes fine but the intention of the project is to automate it on an arbitrary number of machines.
It looks like it's just trying to authenticate to a domain controller, which is reasonable. You'll have to approach this like any other double-hop issue.
Microsoft has an article dedicated to the double hop issue, and has a few solutions other than CredSSP that you can look at: Making the second hop in PowerShell Remoting
I want to collect performance data from a Windows 2008 R2 Server with PowerShell.
For this task, I want to use a non admin account.
My problem is now, that I´m getting back a empty object ($WMIService).
There is no error message when I´m executing my script.
When I´m using a account with admin rights, everything is perfect.
So I think, permissions are missing for the non admin account.
How can I fix my problem?
My configuration for the WMIService account:
Enable remote WMI requests technet
Enable DCOM calls msdn
My script:
$ServiceCred = Get-Credential
$AdminCred= Get-Credential
$WMIService = Get-WmiObject -Class Win32_PerfFormattedData_PerfOS_Memory -ComputerName servername -Credential $ServiceCred
$WMIAdmin = Get-WmiObject -Class Win32_PerfFormattedData_PerfOS_Memory -ComputerName servername -Credential $AdminCred
$WMIService (Empty)
$WMIAdmin (Perfect)
You should set the appropriate permissions for your non admin account.
Solved! The user must also be in the Performance Monitor Users group.
My working configuartion:
Enable remote WMI requests technet
Enable DCOM calls msdn
Added account to the Performance Monitor Users group
Take a look a this guide, it may help. Make sure you enabled Remote Enable on your user configuration.
I am trying to start a service on a remote computer using the following command on the cmdlet:
(Get-WmiObject -computer atl-fs-01 Win32_Service -Filter "Name='Alerter'").InvokeMethod("StartService",$null)
When I run the command I get the error Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). After some research it appears I need to set my username and password, but I cannot find anything that allows me to set these prior to accessing the remote computer. I also plan on making a script for this so I don't have to type out everything on the command line. PowerShell code for setting user and password would be helpful as well. Thanks.
You need to pass in the credential object (created with Get-Credential) using the "-Credential" switch.
See this MSDN article for more information and an example.
Chapter 13 (page 502) of Bruce Payette's (UTTERLY AWESOME) "Windows Powershell in Action, Second Edition" comprehensively covers configuration of remote Powershell admin. If you've not already asked Santa for a copy of this wonderful book, DO SO NOW! :)
In case you are in a hurry:
MSDN (and other sources) have some good documentation on how to
Enable remoting to a remote server
Connect from your local server to your remote server & execute commands
HTH.
New to PowerShell, but loving the fact that I can do so much so quickly so far :)
Anyways, I am starting a remote process in a PowerShell script thusly:
$compname = "MY-PC"
$myinstallcmd = "c:\install\myprog.exe /s"
$proc = Invoke-WmiMethod -class Win32_Process -name Create -ArgumentList ($myinstallcmd) -ComputerName $compname
On most of the PCs I've tried, the Invoke-WmiMethod cmdlet works fine, but on one PC, it's hanging. What I'm now looking to do is get the status of the running process, and if it's hung up, kill it and log the kill, and then move on.
I did find a possible method to do this in the post
Starting a process remotely in Powershell, getting %ERRORLEVEL% in Windows - however, when I try to do the Register-WmiEvent on the process $proc.ProcessId, I'm getting the dreaded 0x80070005 (E_ACCESSDENIED) error... I am running the PowerShell host as domain admin.
Can anyone please suggest a way that I can get a status on the process I've started, and be able to take an action based on the status?
Thanks!
Update: I guess you are missing remote system credentials:
Try passing the credentials to remote system using -Credential parameter. This takes a PSCredential Object and hence you can do something like:
$cred = Get-Credential
Register-WMIEvent -Credential $cred <and other parameters here>
See if any of the following resolves the access denied error:
0x80070005 (DCOM ACCESS_DENIED)
This error occurs when the connected user is not recognized or is restricted in some fashion by the remote server (for example, the user might be locked out). This happens most often when accounts are in different domains. Recent changes to WMI security can also cause this error to occur:
Blank passwords, formerly permitted, are not allowed in Windows XP and Windows Server 2003.
WMI does not allow asynchronous callbacks to a Windows 98 client. A call like SWbemServices.ExecNotificationQueryAsync from a Windows 98 computer to a Windows XP computer will result in an Access Denied error returned to the Windows 98 machine.
The DCOM configuration access setting might have been changed.
If the target computer is running Windows XP, the Forceguest value under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa might be set to force the Guest account off (value is zero).
Source: http://technet.microsoft.com/en-us/library/ee692772.aspx
OK here is my issue:
I am trying to run a script remotely on a server.
I am an administrator on both boxes, firewall exceptions are in place, remote admin is enabled, and everything else looks good that i can see.
invoke-command -ComputerName $ComputerName -ScriptBlock `
{
cd C:\Windows\System32\inetsrv\;
./appcmd.exe ADD vdir /app.name:<SiteName>/ /path:/<VDir Name> /physicalPath:<Path to files>
}
I keep getting the following error in return
ERROR ( hresult:80070005, message:Failed to commit configuration changes. Access is denied.
The server it is trying to run on is a server 2k8 R2 box and I am thinking the issue is a UAC problem. Is there anyway to get this to run as administrator without having to click yes on a UAC box?
This piece of code will eventually become a script that will have to be completely automated.
Any help would be greatly appreciated.
OK. After some research and testing I figured out the issue. After disabling UAC and the firewall and the script still not working I dug a little deeper and discovered that the main issue was the way invoke-command runs the commands. it uses the credentials of the person running the script to authenticate to the server then tries to use another account to run the permissions or lowers the privileges of the user so that certain commands cannot be run.
I added the -Credentials switch to the invoke command and everything is working great now. Corrected code sample below:
$user = New-Object Management.Automation.PSCredential("$UserName", $securePassword)
invoke-command -ComputerName $ComputerName -Credential $user -ScriptBlock `
{
cd C:\Windows\System32\inetsrv\;
./appcmd.exe ADD vdir /app.name:<SiteName>/ /path:/<VDir Name> /physicalPath:<Path to files>
}
This seems to indicate that you need to ensure you are a local admin on the remote machine (although admittedly this is for WMI specifically). According to this you can change a registry key to stop UAC applying to remote logons for administrators (search for LocalAccountTokenFilterPolicy). That shouldn't disable UAC just not filter the token if you use powershell/WMI remotely with an administrator account.
Set the option "EnableLUA" (DWORD value) found in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0 and reboot.
This will disable UAC without a problem, I would do it for all your users, whether with or without permission is up to you.
This trick works in Windows Vista and Windows 7 too.
Is there anyway to get this to run as administrator without having to click yes on a UAC box?
If this were possible it would entirely defeat the point of UAC.
Thus, it would appear your only real solution is to disable UAC on the box.