qvfps
asked on
Powershell permissions for remote computers
I wrote a powershell script using the following command to gather information about our servers
$os = Get-Ciminstance Win32_OperatingSystem -ComputerName $server
When I run this command as my admin account everything works and I get the information for all of our servers. I wanted this to run on a schedule so I created a task and set it to run using a service account on our network. When I run it this way it fails for most of the servers.
I tried logging on to the server with the service account and manually running the script with the same results. I checked the permissions on one of the remote servers and as far as I can tell the service account has more privileges than my admin account. It is in every group that my admin account is plus the backup operators group and a couple more I added when trying to get this to work.
The server running the script runs Windows 2008r2 and Windows PowerShell ISE Host Version : 5.1.14409.1005.
The servers I am trying to pull the information from run a mix of Windows 2008, 2008r2 and 2012r2.
Is there an additional permission or setting I need on the service account? It works for some of the 2008r2 and 2012r2 servers but not all of them and I don't see why.
I know I can get the information I am looking for using Get-WmiObject instead. I just want to know why the above doesn't work.
Moving on, you can review the rights granted to remoting. Either by using:
Get-PSSessionConfiguration Microsoft.PowerShell
Or:
Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI
Whether or not that's to blame depends on exactly what kind of error you're getting. People never share error messages, it's very frustrating :)
Yes, error messages are frustrating :p.
ASKER
Sorry about that. I complain about not getting the error message as well. And I .....
Well here it is.
Get-Ciminstance : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a
firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to
remote computers within the same local subnet.
At line:1 char:15
+ ... $os = Get-Ciminstance Win32_OperatingSystem -ComputerName Server
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ConnectionError: (root\cimv2:Win32_OperatingSystem:String) [Get-CimInstance], CimException
+ FullyQualifiedErrorId : HRESULT 0x80338126,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
+ PSComputerName : Server
ASKER
Both accounts are members of the administrators security group.
PS C:\Users\a-stucky-1> Get-PSSessionConfiguration Microsoft.PowerShell
Name : microsoft.powershell
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : BUILTIN\Administrators AccessAllowed
PS C:\Users\a-stucky-1> Get-PSSessionConfiguration
Name : microsoft.powershell
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : BUILTIN\Administrators AccessAllowed
Test-WSMan is likely to show you the same result for that server, can you confirm?
Test-WSMan -ComputerName Server
You might also just go for "telnet" and see if you can hit the port.
(New-Object System.Net.Sockets.TcpClient).Connect('Server', 5985)
Nothing means it worked, and error... well you know.
The DCOM approach at the top should work in this scenario, it'd be good to test this is really so as well.
Sorry, a note on the port above. For a while WS-Management used 80, the port used depends on your PowerShell version. You can review your listener configuration to make sure:
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    # one object per listener, starting with its name (e.g. Listener_1084132640)
    $listener = $_ | Select-Object Name
    # each child item is a listener property: Address, Transport, Port, Enabled, ...
    Get-ChildItem $_.PSPath | ForEach-Object {
        $listener | Add-Member $_.Name $_.Value
    }
    $listener
}
ASKER
PS C:\Users\> Test-WSMan -ComputerName server
Test-WSMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" Machine="server1t"><f:Message>WinRM cannot
complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM
service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same
local subnet. </f:Message></f:WSManFault>
At line:1 char:1
+ Test-WSMan -ComputerName server
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (us06s-slx02:String) [Test-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand
ASKER
PS C:\Users\> (New-Object System.Net.Sockets.TcpClient).Connect('server', 5985)
Exception calling "Connect" with "2" argument(s): "A connection attempt failed because the connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to respond 192.168.1.5:5985"
At line:1 char:1
+ (New-Object System.Net.Sockets.TcpClient).Connect('server', 5985 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : SocketException
ASKER CERTIFIED SOLUTION
ASKER
Thanks. After seeing port 5985 blocked I checked the firewall and on the server I am having problems with it is allowed only for certain accounts.
ASKER
No. I didn't consider the firewall.
Get-CimInstance preferentially uses WS-Management connections (remoting), therefore it derives rights from that. You can force Get-CimInstance to use DCOM (as Get-WmiObject does), which gives you one fewer service to consider.
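The connectivity checks suggested in the thread (TCP 5985, Test-WSMan) and the DCOM fallback described above, put together as an added example. This is not code from the thread's participants; the server names are constructed placeholders, and Test-WinRMPort and Get-OsInfo are names chosen here. It probes the WinRM port with a timeout first, so a blocked firewall fails fast instead of hanging, and records the error message per server rather than discarding it.

```powershell
# Added example (not from the original thread). Probe WinRM reachability per
# server, collect Win32_OperatingSystem over WS-Man where possible and fall
# back to DCOM (the transport Get-WmiObject uses) where TCP 5985 is blocked.

function Test-WinRMPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 5985,        # 5986 for an HTTPS listener
        [int]$TimeoutMs = 3000
    )
    # TcpClient.Connect() has no timeout; use the async form so a firewall
    # that silently drops packets does not stall the whole run.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-OsInfo {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($server in $ComputerName) {
        # WS-Man rights come from the session configuration ACL
        # (Get-PSSessionConfiguration Microsoft.PowerShell); DCOM rights come
        # from the WMI namespace and DCOM launch/activation permissions instead.
        if (Test-WinRMPort -ComputerName $server) {
            $protocol = 'Wsman'
        } else {
            $protocol = 'Dcom'
        }
        $option  = New-CimSessionOption -Protocol $protocol
        $session = $null
        try {
            $session = New-CimSession -ComputerName $server -SessionOption $option -ErrorAction Stop
            $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
            [pscustomobject]@{
                ComputerName = $server
                Protocol     = $protocol
                Caption      = $os.Caption
                LastBootUp   = $os.LastBootUpTime
                Error        = $null
            }
        } catch {
            # Keep the full message: "WinRM cannot complete the operation" vs an
            # access-denied error points at different fixes (firewall vs ACL).
            [pscustomobject]@{
                ComputerName = $server
                Protocol     = $protocol
                Caption      = $null
                LastBootUp   = $null
                Error        = $_.Exception.Message
            }
        } finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

# Usage (constructed placeholder names):
# Get-OsInfo -ComputerName 'server1', 'server2' | Format-Table -AutoSize
```

Two caveats when reading the results. Get-CimInstance over WS-Man needs WinRM 3.0 or later on the remote side, so older 2008 hosts may only answer over DCOM regardless of the firewall. And when an inbound WinRM firewall rule is scoped to specific users or computers, as the asker found, the account the scheduled task runs under has to be in that set; the script's own output will show it as the same "WinRM cannot complete the operation" error that a missing listener produces, which is why the port probe is run first.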