GPO - allow remote server management through winrm

    Question

  • Hello all,

    I am setting up PowerShell so I can remote into another computer with the invoke command.
    When I set the computer policy "allow remote server management through winrm" I can specify a range of IP addresses or a single IP.

    When I set * as range, my DC with the IP 172.16.40.100 is able to do the remote commands.
    When I set 172.16.40.100 as range, I am unable to do the commands...

    I also tried to enter the IP of the user which I am trying to connect to, however it doesn't work.

    As soon as I switch it back to * everything works as planned (also disabled IPv6 on client side to rule that out).

    In short, if the request comes from 172.16.40.100, why doesn't it work if I specify the IP and does it work if I enter *?


    Andre

    Sunday, May 24, 2015 10:58 AM

Answers

  • Hi Andre,

    Basically, if you just add “*” in the field, this can potentially allow incoming connections from all network locations. That's why it works with the *. But as well, you can specify a specific IP address and remotely connect to it.

    Please be aware that WinRM is enabled by default on Windows Server 2012 to enable the Server Manager tool, but it is not enabled for Windows client OS’s by default. As it is turned off by default on client OS’s, the following describes how you can enable it using Group Policy.

    >>Firstly, the “Allow remote server management through WinRM” policy setting is found under Computer > Policies > Windows Components > Windows Remote Management (WinRM) > WinRM Service.

    >>Next enable the “Windows Remote Management (WS-Management)” Service via the Group Policy Preferences Services

    >>And finally open up the firewall rules to allow the incoming TCP connection on the Domain Network profile.

    Go to Computer Configurations > Policies > Security Settings > Windows Firewall and Advanced Security > Windows Firewall and Advanced Security then right click on “Inbound Rules” and click on the “New Rule…” option.

    >>Check the “Predefined” option and select “Windows Remote Management” from the pop-down list and Click “Next”

    >>Then uncheck the top “Public” rule to again reduce the exposure of this service to the internet and then click “Next”

    >> Finish.

    You can check the below links for more details and reference:

    http://www.grouppolicy.biz/2014/05/enable-winrm-via-group-policy/

    https://4sysops.com/archives/enable-powershell-remoting/

    Hope it helps.

    Best Regards,

    Elaine


    Tuesday, May 26, 2015 8:10 AM
    Moderator
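
An added example, not part of the original thread: the policy's own description says the WinRM service enumerates the IP addresses of the computer it runs on and listens only on those that fall inside the IPv4 filter, with ranges written as IP1-IP2 and separated by commas. The function below applies that rule to a list of local addresses; the function names and the client address 172.16.40.55 are constructed for illustration, and the registry path is the location where this policy's values are stored.

```powershell
# Added example: evaluate a WinRM IPv4 filter against a computer's OWN addresses.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)              # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-WinRMIPv4Filter {
    param(
        [Parameter(Mandatory)][string]$Filter,         # text typed into the IPv4 filter field
        [Parameter(Mandatory)][string[]]$LocalAddress  # addresses of the machine running WinRM
    )
    foreach ($addr in $LocalAddress) {
        $listens = $false
        $notes = @()
        if ($Filter.Trim() -eq '*') {
            $listens = $true                           # '*' = listen on every local address
        } else {
            $n = ConvertTo-UInt32 $addr
            foreach ($entry in $Filter.Split(',')) {
                $parts = $entry.Trim().Split('-')
                if ($parts.Count -ne 2) {
                    $notes += "'$($entry.Trim())' is not in IP1-IP2 form"
                    continue
                }
                $lo = ConvertTo-UInt32 $parts[0].Trim()
                $hi = ConvertTo-UInt32 $parts[1].Trim()
                if ($n -ge $lo -and $n -le $hi) { $listens = $true }
            }
        }
        [pscustomobject]@{
            LocalAddress = $addr; Filter = $Filter
            Listens = $listens; Notes = ($notes -join '; ')
        }
    }
}

# Constructed sample: a client at 172.16.40.55 that the DC (172.16.40.100) manages.
$client = '172.16.40.55'
Test-WinRMIPv4Filter -Filter '*' -LocalAddress $client                          # Listens: True
Test-WinRMIPv4Filter -Filter '172.16.40.100' -LocalAddress $client              # Listens: False
Test-WinRMIPv4Filter -Filter '172.16.40.1-172.16.40.254' -LocalAddress $client  # Listens: True

# On a live machine: read the filter delivered by Group Policy and test the real addresses.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($policy.IPv4Filter) {
    $local = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -ne '127.0.0.1').IPAddress
    Test-WinRMIPv4Filter -Filter $policy.IPv4Filter -LocalAddress $local
}
```

Restricting which remote hosts may connect is done in the firewall rule's remote address scope rather than in this filter.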