Batch script runs fine, but fails when executed through PowerShell Remoting - powershell

I have the following batch script on a Windows 2008 R2 server:
@echo off
djoin.exe /provision /domain my.domain.com /machine test /savefile savefile.txt
echo %ERRORLEVEL%
If I run the script on the server itself, either through command prompt or PowerShell, it works perfectly fine and returns "0".
The problem is that I need to execute it from a remote computer, so I do the following (an example just for testing):
Invoke-Command -ComputerName remotehost -ScriptBlock {.\script.cmd}
The output is "-1073740940", which is probably error code C0000374, which could have something to do with heap corruption.
This seems to be a problem with the djoin command itself. I can comment out djoin and run other binaries, like ping, with no issues using the same Invoke-Command.
Keeping in mind that the script works perfectly fine when executed from PowerShell on the target computer, what issues could the act of remoting be introducing?
In both cases, the script is executed with the same privileges using my account, which is a member of Domain Admins. I doubt that it's a permissions issue and have no idea where else to look.
[edit]
Gave up on the whole thing. This is either a bug in djoin or some obscure problem in the interaction between djoin and PS remoting.
I managed to run djoin directly on the client, using 'runas /netonly ...' to provide domain credentials. It's a very messy solution (and I have yet to figure out how to get the exit status of a process started by runas), but gets the job done.

This is almost certainly a classic "double-hop" authentication issue. Remember that when you use PowerShell Remoting you're using up one of those hops. Anything you execute on that remote machine that accesses a third remote machine is unlikely to work if it requires authentication.
To get around that, you can use an authentication method which allows you to Delegate Credentials such as CredSSP. It's a bit more involved than simply changing your authentication type as you have to make changes on the client side and the server side of the transaction. Refer to this blog post on MSDN, PowerShell Remoting and the “Double-Hop” Problem and this "Hey, Scripting Guy!" post, Enable PowerShell "Second-Hop" Functionality with CredSSP.
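The CredSSP route the answer describes, as an added example that is not part of the original post: the client-side and server-side changes, then the Invoke-Command call with -Authentication CredSSP and the batch file's exit code captured inside the session. The host name 'remotehost', the path C:\scripts\script.cmd and the credential prompt are assumptions.

```powershell
$target = 'remotehost'                       # server that runs script.cmd (placeholder name)
$scriptPath = 'C:\scripts\script.cmd'        # assumed location of the batch file on $target

# 1. Client side (where Invoke-Command is typed): permit delegation to that one host only.
#    CredSSP hands the remote host your reusable credentials, so never delegate to '*'.
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force

# 2. Server side (one-time, on $target): accept delegated credentials.
Invoke-Command -ComputerName $target -ScriptBlock { Enable-WSManCredSSP -Role Server -Force }

# 3. Explicit credentials plus CredSSP give djoin a logon token that can reach the DC
#    (the second hop). $LASTEXITCODE is read inside the scriptblock, because a native
#    exit status does not come back as the Invoke-Command result on its own.
$cred = Get-Credential -Message 'Account allowed to provision computers in my.domain.com'
$result = Invoke-Command -ComputerName $target -Credential $cred -Authentication CredSSP -ScriptBlock {
    param($path)
    $output = & cmd.exe /c $path 2>&1 | Out-String
    [pscustomobject]@{ Host = $env:COMPUTERNAME; ExitCode = $LASTEXITCODE; Output = $output }
} -ArgumentList $scriptPath

if ($result.ExitCode -ne 0) {
    Write-Warning "script.cmd failed on $($result.Host) with exit code $($result.ExitCode)"
}
$result.Output

# 4. Drop the client-side delegation again once the provisioning task is finished.
Disable-WSManCredSSP -Role Client
```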

Newby Trouble With Remote PowerShell scripts

I do know about the double hop issue. My scenario is: I have a script I want to run remotely that calls another script located on a network share that calls a third script located on a second network share in a different domain.
Currently what I am doing is using Credssp (I've read there can be security issues but this environment is not public facing) to pass credentials for the 1st network share that has script2. I do not have access to the computer with the second domain so I cannot setup credssp on it. In order to work around that, inside of the script2 I am using "net use" command on the third script in order for the script to be able to find the path. I am then using "Copy-Item" to copy the third script on to the machine running script2 (the remote machine).
Up to this step, everything is working when I run script1. I can see script3 is copied over onto the remote machine. When script3 is called, it should make a web request that sends text to stdout (which I pipe to Out-File in script2). However, whenever I try to run the copy of script3 (located on the remote machine) from script2 (running on the remote machine) it does not seem to do anything. If I run script2 locally on the remote machine then it works fine (file is generated from script3's output).
Any ideas on why this won't work? I've tried running script 3 using several variations of invoke-expression, invoke-command, start-process, and even trying to run with cmd. I'm also having trouble getting output on what exactly is causing the issue (stdout and stderr are many times empty when using the different commands). Am I missing some command or tool that may make this easier to troubleshoot? It almost seems like script3 is still running into a double hop issue despite it only making a web request? And if it was running into that, I thought it would have had an error returned.
There may be a better design for doing what I'm trying to do. I'm fairly new to PowerShell and may be overcomplicating this.
Edit: Rewrote my scripts in python and got it working.

Remote Execution of "get-process" Fails, Couldn't Connect to Remote Machine

In my workplace, we administer hospital intensive care PCs (Windows 7 desktop clients) that are meant to be on and running a particular program in near-perpetuity. To that end we've developed a few powershell scripts that run every 5 minutes and alert us whenever the PCs drop off the network or the processes / programs we require crash.
Our program monitoring script relies on the powershell cmdlet "get-process" run remotely by an admin-credentialed account. The script works on all of our PCs except one and we haven't been able to determine what's causing the failure.
At its most basic, the command looks something like
get-process -computername [hostname]
When pointing toward our problem PC we get the error
Get-Process : Couldn't connect to remote machine
Our research indicates that this is likely caused by permissions, firewall, or Remote Registry service problems. We've triple-checked, and on this PC the monitoring account has admin privileges, no firewall is active, and the Remote Registry service is on and set to start automatically. The code works when run on the local machine but not when run remotely.
Similar powershell cmdlets run remotely, like "get-service", work with no issues. As noted above "get-process" runs successfully on our other PCs. Any insight into this strange issue would be appreciated.
One thing to note is that the Invoke-Command workaround that has been offered in answer to other, similar questions doesn't work on this PC or any of our others.
Have you tried validating that all RPC services are up?
1. Remote Procedure Call (RPC)
2. Remote Procedure Call (RPC) Locator
3. Remote Registry (you said it's up, though)
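A way to check those dependencies from the monitoring host, as an added example that is not part of the original answer: it tests the RPC endpoint mapper port, the three services named above, a remote registry open of the Perflib key (Get-Process -ComputerName reads performance data through the remote registry, which is where "Couldn't connect to remote machine" originates), and finally the failing call itself. It assumes PowerShell 3.0 or later on the machine running it, an account that already has admin rights on the target, and 'ICU-PC-01' as a placeholder hostname.

```powershell
function Test-RemoteProcessPrereqs {
    param([Parameter(Mandatory = $true)][string]$Computer)

    $results = [ordered]@{}

    # RPC endpoint mapper (TCP/135) must answer before any RPC-based cmdlet can work.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, 135, $null, $null)
        $results['Tcp135'] = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
    } catch { $results['Tcp135'] = $false } finally { $client.Close() }

    # The services from the answer; Get-Service is itself RPC-based, so this doubles as a test.
    foreach ($svc in 'RpcSs', 'RpcLocator', 'RemoteRegistry') {
        try {
            $s = Get-Service -ComputerName $Computer -Name $svc -ErrorAction Stop
            $results[$svc] = [string]$s.Status
        } catch { $results[$svc] = "ERROR: $($_.Exception.Message)" }
    }

    # Closest direct reproduction of the failure: open HKLM on the target and read Perflib.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $perf = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib')
        $results['RemoteRegistry_Perflib'] = if ($perf) { 'readable' } else { 'Perflib key not readable' }
        $hklm.Close()
    } catch { $results['RemoteRegistry_Perflib'] = "ERROR: $($_.Exception.Message)" }

    # Finally, the call the monitoring script depends on.
    try {
        $n = @(Get-Process -ComputerName $Computer -ErrorAction Stop).Count
        $results['GetProcess'] = "ok ($n processes)"
    } catch { $results['GetProcess'] = "ERROR: $($_.Exception.Message)" }

    [pscustomobject]$results
}

Test-RemoteProcessPrereqs -Computer 'ICU-PC-01'   # placeholder hostname
```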

Getting Enter-PSHostProcess behavior via PSSessionConfiguration file

Scenario: Windows service with Powershell host embedded into it. Single runspace is allocated at startup. Multi-dll solution.
Requirement: Need to access .NET classes inside running service. From a local Powershell instance using
Enter-PSHostProcess -Name MyService
...gives me exactly what I want since I can access the .NET classes.
[MyNameSpace.MyClass]::CallStaticFunction()
Question: How can this Powershell behavior be made available to remote endpoints using Enter-PSSession to a custom endpoint? From the Register-PSSessionConfiguration we can specify a dll but this will spawn up a process and won't connect to a running instance. Not interested in writing proxy via HTTPS, or named pipes, but using the native functionality offered in Powershell for .NET support.
Is it possible to extend this via PSSessions? Or would we just have to first do Enter-PSSession or Invoke-Command?
Reviewing the sources, it appears that Enter-PSHostProcess and Enter-PSSession are very independent mechanisms. Enter-PSHostProcess communicates via named pipes, while Enter-PSSession uses WinRM (which effectively uses HTTP(S) over ports 5985/5986). I don't think you need either Enter-PSSession or Invoke-Command if you want interactive access to a local service process through Enter-PSHostProcess.
You may have already done this, but to try this out I started up both Powershell.exe and Powershell_ise.exe, then from the former used this command to connect to the latter:
get-process Powershell_ise | Enter-PSHostProcess
and the prompt changed to include the PID of the ISE. Just to be sure static methods worked as you are expecting, I killed the ISE from the Powershell.exe command line using the command:
[System.Environment]::exit(0)
Powershell creates the named pipe this connects to using the default security descriptor for the thread, which typically allows access only to LocalSystem, Administrators, and the account the process is running under. My test worked because both processes were running under the same account (I didn't need administrator priv.)
To be clear however, Enter-PSHostProcess makes no provision for connecting to processes on another machine. It might be possible to double-hop, connecting to the machine first using Enter-PSSession, then connecting to the process using Enter-PSHostProcess.

enable Powershell script execution on domain

I am working on a mid-size Windows 2012 R2 domain right now, and slapped together a PowerShell login script.
But I can't figure out how to allow regular users to run it!
By default, PowerShell script execution is disabled in a Windows domain.
I am trying to enable script execution using group policies.
I found several sets of instructions, but none have yet yielded the result desired. Here is an example of the instructions I have found:
https://blogs.technet.microsoft.com/poshchap/2015/01/02/execution-policy-and-group-policy/
So far no amount of gpupdate /force or rebooting seems to work.
Does anyone have first hand experience at enabling script execution using group policies?

Cannot run powershell scripts unless I run as administrator

I have set-executionpolicy unrestricted. I was able to run scripts previously. After I got an error running a powershell script, I started getting the following error:
File C:..\test.ps1 cannot be loaded because its operation is blocked by
software restriction policies, such as those created by using Group Policy.
It doesn't matter what is in the script file I am trying to run.
From what I can tell nothing else has changed. I was doing something with a remote PowerShell session to a remote machine and got an error. Then I was unable to run scripts locally unless I run powershell.exe as administrator.
Software Restriction Policies (SRP) have nothing to do with Powershell directly.
Someone has set a restriction on what can be run and/or from where it can be run.
This isn't related to Powershell Execution Policy, Powershell Remoting, nor administrative rights/privileges.
Typically SRP is set through Group Policy and pushed out (I'm guessing you're on a domain).
You could use rsop.msc on your machine to try to determine what the settings are and maybe which policy is applying them.
If you want more information on SRP you should probably post on ServerFault.
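A local check that separates the two mechanisms discussed in this question and in the earlier "enable Powershell script execution on domain" question, as an added example that is not part of either post: it lists the execution-policy scopes (the GPO "Turn on Script Execution" setting surfaces in the MachinePolicy/UserPolicy scopes and is stored under the Policies\...\PowerShell key), then reads the Software Restriction Policies key, which is independent of the execution policy and is what produces the "blocked by software restriction policies" message. It assumes PowerShell 3.0 or later and reads only the local registry.

```powershell
function Get-ScriptRestrictionState {
    $state = [ordered]@{}

    # The effective policy is the first scope in this order that is not Undefined.
    $state['ExecutionPolicyScopes'] = (Get-ExecutionPolicy -List |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '

    # Values written by the GPO setting; when present they override Set-ExecutionPolicy.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $state["GPO_$hive"] = if ($p) { "EnableScripts=$($p.EnableScripts) ExecutionPolicy=$($p.ExecutionPolicy)" } else { 'not set' }
    }

    # SRP security levels as stored in DefaultLevel: 0 Disallowed, 0x20000 Basic User, 0x40000 Unrestricted.
    $levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    foreach ($hive in 'HKLM', 'HKCU') {
        $srp = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        $c = Get-ItemProperty -Path $srp -ErrorAction SilentlyContinue
        if (-not $c) { $state["SRP_$hive"] = 'no SRP policy'; continue }
        $state["SRP_$hive"] = "DefaultLevel=$($levels[[int]$c.DefaultLevel]) TransparentEnabled=$($c.TransparentEnabled)"

        # Path rules: each level subkey holds a Paths key with one GUID-named subkey per rule.
        $rules = Get-ChildItem -Path "$srp\*\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
            $lvl = [int]$_.PSParentPath.Split('\')[-2]          # the level key above "Paths"
            "$($levels[$lvl]): $((Get-ItemProperty -Path $_.PSPath).ItemData)"
        }
        $state["SRP_${hive}_PathRules"] = if ($rules) { $rules -join '; ' } else { 'none' }
    }

    [pscustomobject]$state
}

Get-ScriptRestrictionState
```

A Disallowed default level with only a few Unrestricted path rules (or a Disallowed rule covering the script's folder) explains the symptom while Get-ExecutionPolicy still reports Unrestricted; running elevated sidesteps it only because SRP is commonly configured to skip administrators.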