qvfps

Powershell permissions for remote computers

I wrote a powershell script using the following command to gather information about our servers

$os = Get-Ciminstance Win32_OperatingSystem -ComputerName $server

When I run this command as my admin account everything works and I get the information for all of our servers. I wanted this to run on a schedule so I created a task and set it to run using a service account on our network. When I run it this way it fails for most of the servers.

I tried logging on to the server with the service account and manually running the script with the same results. I checked the permissions on one of the remote servers and as far as I can tell the service account has more privileges than my admin account. It is in every group that my admin account is plus the backup operators group and a couple more I added when trying to get this to work.

The server running the script runs Windows 2008r2 and Windows PowerShell ISE Host Version: 5.1.14409.1005.
The servers I am trying to pull the information from run a mix of Windows 2008, 2008r2 and 2012r2.

Is there an additional permission or setting I need on the service account? It works for some of the 2008r2 and 2012r2 servers but not all of them and I don't see why.

I know I can get the information I am looking for using Get-WmiObject instead.  I just want to know why the above doesn't work.
Chris Dent

Fallback option first.

Get-CimInstance preferentially uses WS-Management connections (remoting), therefore it derives rights from that. You can force Get-CimInstance to use DCOM (as Get-WmiObject does), which gives you one fewer service to consider.
$os  = Get-Ciminstance Win32_OperatingSystem -CimSession (New-CimSession $server -SessionOption (New-CimSessionOption -Protocol DCOM))


Moving on, you can review the rights granted to remoting. Either by using:
Get-PSSessionConfiguration Microsoft.PowerShell


Or:
Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI


Whether or not that's to blame depends on exactly what kind of error you're getting. People never share error messages; it's very frustrating :)
Yes, error messages are frustrating :p.
qvfps

ASKER

Sorry about that.   I complain about not getting the error message as well.  And I .....

Well here it is.

Get-Ciminstance : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a
firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to
remote computers within the same local subnet.
At line:1 char:15
+ ...       $os = Get-Ciminstance Win32_OperatingSystem -ComputerName Server
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ConnectionError: (root\cimv2:Win32_OperatingSystem:String) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : HRESULT 0x80338126,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
    + PSComputerName        : Server
qvfps

ASKER

Both accounts are members of the administrators security group.

PS C:\Users\a-stucky-1> Get-PSSessionConfiguration Microsoft.PowerShell


Name          : microsoft.powershell
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : BUILTIN\Administrators AccessAllowed
Test-WSMan is likely to show you the same result for that server; can you confirm?
Test-WSMan -ComputerName Server


You might also just go for "telnet" and see if you can hit the port.
(New-Object System.Net.Sockets.TcpClient).Connect('Server', 5985)


Nothing means it worked, and error... well you know.

The DCOM approach at the top should work in this scenario, it'd be good to test this is really so as well.
Sorry, a note on the port above. For a while WS-Management used 80; the port used depends on your PowerShell version. You can review your listener configuration to make sure:
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $listener = $_ | Select-Object Name
    Get-ChildItem $_.PSPath | ForEach-Object {
        $listener | Add-Member $_.Name $_.Value
    }
    $listener
}

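Putting the checks from this reply together, as an added example that is not part of the thread: for each server it tests TCP 5985, tries a WS-Management CIM session, and falls back to DCOM, so a server that fails the port test but still answers over DCOM points at the WinRM firewall rule rather than at the account. The $servers list is an assumed placeholder.

```powershell
# Added example (not from the original thread). $servers is a constructed list;
# replace it with your own inventory.
$servers = @('server1', 'server2')

# TCP connect with a timeout, so a silently dropped packet does not hang the loop.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($server in $servers) {
    $result = [PSCustomObject]@{
        Server   = $server
        Port5985 = Test-TcpPort -ComputerName $server -Port 5985
        Protocol = $null
        Caption  = $null
        Error    = $null
    }
    # WS-Management first (the Get-CimInstance default), then DCOM as in the reply above.
    # -ErrorAction Stop turns the non-terminating errors into catchable exceptions.
    foreach ($protocol in 'Wsman', 'Dcom') {
        try {
            $option  = New-CimSessionOption -Protocol $protocol
            $session = New-CimSession -ComputerName $server -SessionOption $option -ErrorAction Stop
            $os = Get-CimInstance Win32_OperatingSystem -CimSession $session -ErrorAction Stop
            $result.Protocol = $protocol
            $result.Caption  = $os.Caption
            $result.Error    = $null
            Remove-CimSession $session
            break
        } catch {
            $result.Error = $_.Exception.Message
        }
    }
    $result
}
```

A row with Port5985 false, Protocol Dcom and no error is the firewall case this thread ends on; a row where both protocols fail with an access-denied message is a rights problem on the session configuration instead.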

qvfps

ASKER

PS C:\Users\> Test-WSMan -ComputerNameserver

Test-WSMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" Machine="server1t"><f:Message>WinRM cannot
complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM
service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same
local subnet. </f:Message></f:WSManFault>
At line:1 char:1
+ Test-WSMan -ComputerName server
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (us06s-slx02:String) [Test-WSMan], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand
qvfps

ASKER

PS C:\Users\> (New-Object System.Net.Sockets.TcpClient).Connect('server', 5985)
Exception calling "Connect" with "2" argument(s): "A connection attempt failed because the connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to respond 192.168.1.5:5985"
At line:1 char:1
+ (New-Object System.Net.Sockets.TcpClient).Connect('server', 5985 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SocketException
ASKER CERTIFIED SOLUTION
Chris Dent

qvfps

ASKER

Thanks.  After seeing port 5985 blocked I checked the firewall and on the server I am having problems with it is allowed only for certain accounts.
qvfps

ASKER

No.  I didn't consider the firewall.