Secure Remote Execution of PoSh Code

  • Question

  • I have a need to execute a script on a remote machine (let's call it REMOTEUTILSRV) that is a member of domain that my main AD domain doesn't have a trust with.

    The script needs to make changes to the untrusted domain - creation of new Group Policy objects and linking of same.

    I have another script residing on a host in my main AD domain that passes required credentials and other parameters to REMOTEUTILSRV by way of an INVOKE-COMMAND.

    This works fine if I set "trusted for delegation" on the computer account of REMOTEUTILSRV in the untrusted domain - i.e. the script runs on REMOTEUTILSRV and makes the required changes on the untrusted domain.

    Without this setting, the key commands in the script all fail out like this (I include this only for a bit of context):

    System.Management.Automation.CmdletInvocationException: An operations error occurred. (Exception from HRESULT: 0x80072020) ---> System.Runtime.InteropServices.COMException: An operations error occurred. (Exception from HRESULT: 0x80072020)
       at Microsoft.GroupPolicy.GPMClass.GetDomain(String bstrDomain, String bstrDomainController, Int32 lDCFlags)
       at Microsoft.GroupPolicy.GPDomain..ctor(String domainName, String domainController)
       at Microsoft.GroupPolicy.Commands.Common.GetGPDomainObject(String domainName, String server)
       at Microsoft.GroupPolicy.Commands.NewGpoCommand.ProcessRecord()
       at System.Management.Automation.CommandProcessor.ProcessRecord()
       --- End of inner exception stack trace ---
       at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
       at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
       at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
       at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)

    FWIW, I am explicitly passing the domain controller name & domain name in the calls.

    For better security, I would prefer not to trust the REMOTEUTILSRV in a "blanket" fashion.

    I know that using ServicePrincipalName you can trust a specific service on that host but I don't believe that Powershell is implemented as a service?

    So the net of it:  Is there a way to allow the PoSh script to run successfully without having to trust-for-delegation the "whole" REMOTEUTILSRV host?

    Just spitballing but since the above error makes reference to COM, I wonder if there is something one could do on the DCOM launch permissions side perhaps?

    Wednesday, February 21, 2018 7:30 PM

All replies

  • We would use CredSSP to allow secure passing of credentials.  This is more secure than using "TrustedForDelegation" as it applies to only the CredSSP session and can be restricted to specific originating systems.

    help Enable-WSManCredSSP -online


    Wednesday, February 21, 2018 7:43 PM
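The CredSSP setup the reply points at, written out as an added example (not code from either poster). Assumed names: the untrusted domain is `untrusted.example` with DC `DC01.untrusted.example`, REMOTEUTILSRV is a host in that domain, and the target OU path is constructed.

```powershell
# Added example: scope CredSSP to one target host instead of marking the whole
# computer account "trusted for delegation", then run the GPO work through it.
# Assumptions (not from the thread): untrusted.example, DC01.untrusted.example,
# and the OU distinguished name below are constructed values.

# --- Run once on REMOTEUTILSRV (the host that receives the forwarded credential) ---
Enable-WSManCredSSP -Role Server -Force

# --- Run on the calling host in the main AD domain ---
# Name the single target; avoid a wildcard such as '*.untrusted.example'.
Enable-WSManCredSSP -Role Client -DelegateComputer 'REMOTEUTILSRV.untrusted.example' -Force

# Credentials for the untrusted domain; prompt rather than embedding them in the script.
$untrustedCred = Get-Credential -Message 'Account with GPO rights in untrusted.example'

# -Authentication Credssp forwards the credential, so the second hop
# (REMOTEUTILSRV -> untrusted DC) has a usable identity and the GroupPolicy
# cmdlets that failed with 0x80072020 in the question can authenticate.
Invoke-Command -ComputerName 'REMOTEUTILSRV.untrusted.example' `
               -Credential $untrustedCred `
               -Authentication Credssp `
               -ScriptBlock {
    param($DomainName, $DcName)
    Import-Module GroupPolicy
    $gpo = New-GPO -Name 'Example-Baseline' -Domain $DomainName -Server $DcName
    New-GPLink -Name $gpo.DisplayName `
               -Target 'OU=Workstations,DC=untrusted,DC=example' `
               -Domain $DomainName -Server $DcName
} -ArgumentList 'untrusted.example', 'DC01.untrusted.example'

# Show the current client/server CredSSP state, then withdraw the client grant
# once the change is done so the delegation window stays as short as possible.
Get-WSManCredSSP
Disable-WSManCredSSP -Role Client
```

CredSSP hands the full credential to REMOTEUTILSRV, so anyone with administrative control of that host can recover it; use a dedicated account that holds only the GPO rights it needs in the untrusted domain.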