qvfps
 asked on

Powershell permissions for remote computers

I wrote a powershell script using the following command to gather information about our servers

$os = Get-CimInstance Win32_OperatingSystem -ComputerName $server

When I run this command as my admin account everything works and I get the information for all of our servers. I wanted this to run on a schedule, so I created a task and set it to run using a service account on our network. When I run it this way it fails for most of the servers.

I tried logging on to the server with the service account and manually running the script, with the same results. I checked the permissions on one of the remote servers and, as far as I can tell, the service account has more privileges than my admin account. It is in every group that my admin account is in, plus the Backup Operators group and a couple more I added when trying to get this to work.

The server running the script runs Windows 2008 R2 and Windows PowerShell ISE Host, version 5.1.14409.1005.
The servers I am trying to pull the information from run a mix of Windows 2008, 2008 R2 and 2012 R2.

Is there an additional permission or setting I need on the service account? It works for some of the 2008 R2 and 2012 R2 servers but not all of them, and I don't see why.

I know I can get the information I am looking for using Get-WmiObject instead. I just want to know why the above doesn't work.
Topics: Powershell, Microsoft Server OS

Last Comment
qvfps

8/22/2022 - Mon
Chris Dent

Fallback option first.

Get-CimInstance preferentially uses WS-Management connections (remoting), therefore it derives rights from that. You can force Get-CimInstance to use DCOM (as Get-WmiObject does), which gives you one fewer service to consider.
$os  = Get-Ciminstance Win32_OperatingSystem -CimSession (New-CimSession $server -SessionOption (New-CimSessionOption -Protocol DCOM))

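The fallback Chris describes, written out as a reusable function (an added example, not code from the original post). It tries a WS-Management CIM session first and only falls back to DCOM when the WinRM connection fails, and it records which protocol succeeded so the servers whose WinRM path is broken can be listed afterwards. The server names, the optional credential parameter and the chosen output properties are assumptions for illustration.

```powershell
# Added example (not from the original thread): query Win32_OperatingSystem over
# WS-Management first and fall back to DCOM when the WinRM connection fails.
# Assumptions: the caller is a local administrator on the targets; server names
# and the -Credential parameter are illustrative.
function Get-OSInfoWithFallback {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        # Optional alternate credential, e.g. the scheduled-task service account
        [System.Management.Automation.PSCredential]$Credential
    )

    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            ComputerName = $computer
            Protocol     = $null
            Caption      = $null
            LastBootUp   = $null
            Error        = $null
        }

        # WS-Management needs TCP 5985/5986; DCOM needs TCP 135 plus RPC dynamic ports.
        # Each protocol therefore has its own firewall and service dependencies.
        foreach ($protocol in 'Wsman', 'Dcom') {
            $session = $null
            try {
                $sessionParams = @{
                    ComputerName  = $computer
                    SessionOption = New-CimSessionOption -Protocol $protocol
                    ErrorAction   = 'Stop'
                }
                if ($Credential) { $sessionParams['Credential'] = $Credential }

                # New-CimSession tests the connection, so an unreachable WinRM
                # listener throws here and we drop through to the next protocol.
                $session = New-CimSession @sessionParams
                $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop

                $result.Protocol   = $protocol
                $result.Caption    = $os.Caption
                $result.LastBootUp = $os.LastBootUpTime
                $result.Error      = $null
                break
            } catch {
                # Keep the last error so the output shows why both protocols failed.
                $result.Error = "$protocol : $($_.Exception.Message)"
            } finally {
                if ($session) { Remove-CimSession $session }
            }
        }

        $result
    }
}

# Usage (server names are placeholders):
# Get-OSInfoWithFallback -ComputerName 'server1', 'server2' | Format-Table -AutoSize
```

Every row whose Protocol column reads Dcom is a server where WinRM could not be reached from this host, which is the list to work through on the firewall side; a row with both protocols in the Error column is a host that is unreachable or blocking RPC as well. The fallback hides the WinRM problem from the scheduled job but does not fix it, so the Protocol column is worth keeping in the report.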

Chris Dent

Moving on, you can review the rights granted to remoting. Either by using:
Get-PSSessionConfiguration Microsoft.PowerShell


Or:
Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI


Whether or not that's to blame depends on exactly what kind of error you're getting. People never share error messages, it's very frustrating :)
Qlemo

Yes, error messages are frustrating :p.
qvfps

ASKER
Sorry about that. I complain about not getting the error message as well. And I .....

Well here it is.

Get-Ciminstance : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a
firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to
remote computers within the same local subnet.
At line:1 char:15
+ ...       $os = Get-Ciminstance Win32_OperatingSystem -ComputerName Server
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ConnectionError: (root\cimv2:Win32_OperatingSystem:String) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : HRESULT 0x80338126,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
    + PSComputerName        : Server
qvfps

ASKER
Both accounts are members of the administrators security group.

PS C:\Users\a-stucky-1> Get-PSSessionConfiguration Microsoft.PowerShell


Name          : microsoft.powershell
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : BUILTIN\Administrators AccessAllowed
Chris Dent

Test-WSMan is likely to show you the same result for that server, can you confirm?
Test-WSMan -ComputerName Server


You might also just go for "telnet" and see if you can hit the port.
(New-Object System.Net.Sockets.TcpClient).Connect('Server', 5985)


Nothing means it worked, and error... well you know.

The DCOM approach at the top should work in this scenario, it'd be good to test this is really so as well.
Chris Dent

Sorry, a note on the port above. For a while WS-Management used port 80; the port used depends on your PowerShell version. You can review your listener configuration to make sure:
# Lists each WSMan listener on the local machine with its Transport, Port, Address and related settings
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $listener = $_ | Select-Object Name
    Get-ChildItem $_.PSPath | ForEach-Object {
        $listener | Add-Member $_.Name $_.Value
    }
    $listener
}

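The two checks Chris suggests above (Test-WSMan and a raw TCP connect to the WinRM port) combined into one triage function, as an added example that is not part of the original thread. A bare TcpClient.Connect can block for a long time against a firewall that silently drops packets, so the TCP probe here uses BeginConnect with a timeout; Test-NetConnection is not used because it does not exist on Windows Server 2008 R2, which is where the asker's script runs. The server names, the two-second timeout and the port list (5985 for HTTP, 5986 for HTTPS) are assumptions; adjust the ports to match the listener output above if your hosts use others.

```powershell
# Added example (not from the original thread): triage why WinRM calls fail for a
# list of servers. For each host it probes the WinRM TCP ports with a timeout and
# then runs Test-WSMan, returning one object per server.
# Assumptions: server names, the 2000 ms timeout and the default port list.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A filtered port (firewall drop) never answers, so wait at most TimeoutMs.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout'
        }
        $client.EndConnect($async)   # throws on an active refusal (RST)
        return 'Open'
    } catch {
        # Refused connection, or a name that does not resolve.
        return 'Failed'
    } finally {
        $client.Close()              # also aborts a still-pending connect
    }
}

function Test-WinRMReachability {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int[]]$Port = @(5985, 5986)
    )
    foreach ($computer in $ComputerName) {
        $row = [ordered]@{ ComputerName = $computer }
        foreach ($p in $Port) {
            $row["Tcp$p"] = Test-TcpPort -ComputerName $computer -Port $p
        }
        try {
            $wsman = Test-WSMan -ComputerName $computer -ErrorAction Stop
            $row['WSMan'] = "OK ($($wsman.ProductVersion))"
        } catch {
            # Test-WSMan wraps its message in a WSManFault XML element; strip the
            # tags so the column stays readable in Format-Table output.
            $row['WSMan'] = ($_.Exception.Message -replace '<[^>]+>', '' -replace '\s+', ' ').Trim()
        }
        [pscustomobject]$row
    }
}

# Usage (server names are placeholders):
# Test-WinRMReachability -ComputerName 'server1', 'server2' | Format-Table -AutoSize
```

Reading the output: Timeout on both ports together with the "WinRM cannot complete the operation" fault (HRESULT 0x80338126, code 2150859046 in the thread) means the traffic is being dropped before it reaches the WinRM service, so the firewall rules on the target are the place to look, not the account's group memberships; Open on the port with an access-denied fault from Test-WSMan or Get-CimInstance would instead point at the session configuration or WinRM service permissions. On the target, `netsh advfirewall firewall show rule name="Windows Remote Management (HTTP-In)" verbose` shows the rule's profile, scope and any remote user or computer authorization it carries.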

qvfps

ASKER
PS C:\Users\> Test-WSMan -ComputerName server

Test-WSMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" Machine="server1t"><f:Message>WinRM cannot
complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM
service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same
local subnet. </f:Message></f:WSManFault>
At line:1 char:1
+ Test-WSMan -ComputerName server
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (us06s-slx02:String) [Test-WSMan], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand
qvfps

ASKER
PS C:\Users\> (New-Object System.Net.Sockets.TcpClient).Connect('server', 5985)
Exception calling "Connect" with "2" argument(s): "A connection attempt failed because the connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to respond 192.168.1.5:5985"
At line:1 char:1
+ (New-Object System.Net.Sockets.TcpClient).Connect('server', 5985 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SocketException
ASKER CERTIFIED SOLUTION
Chris Dent

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
qvfps

ASKER
Thanks. After seeing port 5985 blocked I checked the firewall, and on the server I am having problems with it is allowed only for certain accounts.
qvfps

ASKER
No. I didn't consider the firewall.