Executing Batch File that References a Domain Share

  • Question

  • I've developed a script with PowerShell that queries our file share for patches to install on a target computer. The script outputs commands to a blank batch file depending on the computer. It then copies it to the target computer and executes it. The only problem is that when I execute the batch file locally it works, but when I try to execute it remotely it doesn't.

    I know this method works if I also copy what the batch file is trying to execute to the remote computer as well.

    I've been using the following to execute the script remotely within PowerShell after I copy it to the computer's C:\windows\temp folder...

    # $_ is the target computer name from the pipeline
    $Install = [WMICLASS]"\\$_\ROOT\CIMV2:win32_process"
    $Install.Create("cmd.exe /c c:\windows\temp\$batch")

    I've also modified my batch file to use PUSHD to map to the share drive. But again, it works locally on the machine I am physically at but does not work remotely.

    I've been thinking that because the batch file was trying to access a domain share that maybe it needed my domain credentials to access the share.

    Lastly, I am trying to avoid the use of WinRM enabled features because of my current network setup.

    Thank you all for any help provided.


    • Edited by Colbasaur Wednesday, March 2, 2016 4:36 PM
    Wednesday, March 2, 2016 7:58 AM

Answers

  • It sounds like your organizational patching policy needs to be addressed.

    I wonder whether anyone will have the time to engineer a custom solution for you when there are already tools available that are designed to do the job you are asking to script.


    -- Bill Stewart [Bill_Stewart]

    Wednesday, March 2, 2016 5:00 PM
    Moderator

All replies

  • It cannot be done. Remote access to a third computer is disallowed by default for security reasons. Consider installing WSUS.

    \_(ツ)_/

    Wednesday, March 2, 2016 8:02 AM
  • Hi. Could you try with PsExec tool?

    PsExec

    You can enable WinRM with this Microsoft app, and then you can copy the files from a share and install the patches.

    I was doing this when I was installing IE11 on multiple servers within my domain.


    Please click on Propose As Answer or to mark this post as and helpful for other people. This posting is provided AS-IS with no warranties, and confers no rights.

    Wednesday, March 2, 2016 8:13 AM
  • Can't be done with PsExec. Cannot be done with WinRM without enabling CredSSP, which is not recommended.

    Use WSUS.


    \_(ツ)_/


    • Edited by jrv Wednesday, March 2, 2016 8:17 AM
    Wednesday, March 2, 2016 8:15 AM
  • I remember I was doing this without enabling CredSSP (or maybe it was already enabled, not sure). But the environment where I work is really delicate (something like bank, government etc.).

    I remember that I couldn't install .MSI and .EXE files due to servers not trusted for a delegation, but after I extracted .CAB files from actual packages, I was able to install everything remotely without any issues.

    Maybe I missed something, really can't be 100% sure, but I have got the result I wanted :)



    Wednesday, March 2, 2016 8:23 AM
  • I remember I was doing this without enabling CredSSP (or maybe it was already enabled, not sure). But the environment where I work is really delicate (something like bank, government etc.).

    I remember that I couldn't install .MSI and .EXE files due to servers not trusted for a delegation, but after I extracted .CAB files from actual packages, I was able to install everything remotely without any issues.

    Maybe I missed something, really can't be 100% sure, but I have got the result I wanted :)




    Unfortunately that doesn't make any sense.

    \_(ツ)_/

    Wednesday, March 2, 2016 11:20 AM
  • I've used PsExec for some other scripts but I've been hesitant to use it. I heard that it passes your credentials over the network in clear text.

    Although now after researching it I see that maybe this is fixed?

    Wednesday, March 2, 2016 4:23 PM
  • We do have a WSUS server but our primary patching capacity is SCCM (and unfortunately SCCM 2007). When we use WSUS it messes up our SCCM reporting.

    I may just have to suck it up and use WSUS more often or I will have to copy the patch to the remote computer alongside the batch file...

    Wednesday, March 2, 2016 4:32 PM
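
Added example (not part of the original thread): the fallback described in the post above, copying the patch to the target alongside the batch file so that the process started through Win32_Process.Create touches only local paths and never needs credentials for the share. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and admin rights on the target; the function name, parameters and paths are hypothetical.

```powershell
# Added example: stage patch + batch file on the target, verify, then run locally.
# Invoke-StagedPatch and its parameter values are placeholders (assumptions).
function Invoke-StagedPatch {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$PatchPath,  # UNC path to the patch on the file share
        [Parameter(Mandatory)][string]$BatchPath   # batch file generated on the admin workstation
    )
    $remoteDir = "\\$ComputerName\C`$\Windows\Temp"   # target's admin share
    $localDir  = 'C:\Windows\Temp'                    # same folder, as seen on the target
    $patchLeaf = Split-Path $PatchPath -Leaf
    $batchLeaf = Split-Path $BatchPath -Leaf

    # First hop: this session holds real credentials, so it can read the
    # file share and write to the target's administrative share.
    Copy-Item -LiteralPath $PatchPath, $BatchPath -Destination $remoteDir -Force -ErrorAction Stop

    # Confirm the staged patch matches the source before anything executes it.
    $src = (Get-FileHash -LiteralPath $PatchPath -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath "$remoteDir\$patchLeaf" -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch for $patchLeaf on $ComputerName" }

    # The batch file must reference only paths under $localDir (no PUSHD to the
    # share): the WMI-created process cannot authenticate to a third machine.
    $cmd    = 'cmd.exe /c "{0}\{1}"' -f $localDir, $batchLeaf
    $result = Invoke-WmiMethod -ComputerName $ComputerName -Class Win32_Process `
                               -Name Create -ArgumentList $cmd -ErrorAction Stop
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Process.Create failed on $ComputerName (ReturnValue $($result.ReturnValue))"
    }

    # Wait for the remote cmd.exe to exit, then remove the staged files.
    $filter = "ProcessId=$($result.ProcessId)"
    while (Get-WmiObject -ComputerName $ComputerName -Class Win32_Process -Filter $filter) {
        Start-Sleep -Seconds 5
    }
    Remove-Item -LiteralPath "$remoteDir\$patchLeaf", "$remoteDir\$batchLeaf" -Force

    [pscustomobject]@{ ComputerName = $ComputerName; Patch = $patchLeaf; Sha256 = $src }
}
```

Win32_Process.Create reports only whether the process started, so the installer's own exit code has to be written to a log by the batch file and collected afterwards.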
  • We do have a WSUS server but our primary patching capacity is SCCM (and unfortunately SCCM 2007). When we use WSUS it messes up our SCCM reporting.

    I may just have to suck it up and use WSUS more often or I will have to copy the patch to the remote computer alongside the batch file...

    If you have ConfigMgr (even 2007, it's certainly not as good as 2012 but it's still quite serviceable) in your environment, why aren't you just using it to handle this?


    Wednesday, March 2, 2016 4:38 PM
  • We do have a WSUS server but our primary patching capacity is SCCM (and unfortunately SCCM 2007). When we use WSUS it messes up our SCCM reporting.

    I may just have to suck it up and use WSUS more often or I will have to copy the patch to the remote computer alongside the batch file...

    If you have ConfigMgr (even 2007, it's certainly not as good as 2012 but it's still quite serviceable) in your environment, why aren't you just using it to handle this?


    Unfortunately I don't have rights to admin SCCM and the packages it sends out. That and we have numerous stubborn SCCM clients (which I am also trying to resolve). SCCM has been taking care of the majority of the patching pretty well but it isn't 100%. I wanted to use scripting and possibly WSUS to hit anything that it missed or is having trouble with.
    Wednesday, March 2, 2016 4:57 PM
  • It sounds like your organizational patching policy needs to be addressed.

    I wonder whether anyone will have the time to engineer a custom solution for you when there are already tools available that are designed to do the job you are asking to script.


    -- Bill Stewart [Bill_Stewart]

    Wednesday, March 2, 2016 5:00 PM
    Moderator
  • I would also add to Bill's statements that your approach appears to be outside of corporate policy. If I were a security manager in your company I would end your ad-hoc practice immediately and have SCCM and WSUS resolve their misconfiguration.

    WSUS patches all MS products extremely well. ConfigMgr is useful for patching non-MS products. Both are capable of performing both roles if configured to do so. A policy needs to address this.


    \_(ツ)_/

    Wednesday, March 2, 2016 6:07 PM