Invoke-Command against RODC require other privileges

  • Question

  • Hello,

    I am trying to execute the command below from a member server, logged in as a domain admin:

    Invoke-Command -ComputerName "mydomaincontroller" {get-service -ComputerName "myrodc"} 

    and I get the error below.

    Cannot open Service Control Manager on computer 'myrdoc'. This operation might require other privileges.
        + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
        + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
        + PSComputerName        : mydomaincontroller

    I get the error only if I execute the command against the RODC; any other member server or domain controller returns the desired output.

    Member server to "mydomaincontroller" uses WinRM

    "mydomaincontroller" to "MyRODC" uses DCOM/RPC

    Looks like some DCOM permission issue, but I am not able to figure it out.

    Invoke-Command -ComputerName "mydomaincontroller" {Get-WmiObject -Class Win32_Service -ComputerName "myrodc"}  returns the desired output because it uses WinRM?

    Monday, March 11, 2019 12:11 PM

All replies

  • Your code will not allow this on an RODC.  It will on a DC.  The remote requires delegation authority and an RODC does not have that.

    You do not want to do what you are doing.  Why remote to a server only to remote to another server?

    "Get-Service" does its own remoting just use it:

    get-service -ComputerName "myrodc"

    This is a security restriction called the "second hop restriction".  Look it up for more information.


    \_(ツ)_/

    Monday, March 11, 2019 1:25 PM
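    As an added example (not code from the thread), the following Windows PowerShell script shows the session diagnostic behind the "second hop" point and the two patterns side by side; it assumes the host names from the question and, as an assumption, the Netlogon service as the thing being checked.

```powershell
# Added example, not from the thread. Host names come from the question; the
# service name is an assumption. Requires Windows PowerShell 5.1 for step 3.
param(
    [string]$FirstHop = 'mydomaincontroller',
    [string]$Target   = 'myrodc',
    [string]$Service  = 'Netlogon'
)

# 1. Inspect the credential the first hop actually holds. A WinRM session created
#    without delegation is a network logon with no forwardable TGT, so klist inside
#    the session lists no krbtgt ticket. AuthenticationType shows whether the hop
#    was Kerberos or NTLM; an NTLM token can never be forwarded to a third machine.
Invoke-Command -ComputerName $FirstHop -ScriptBlock {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Session  = $env:COMPUTERNAME
        Identity = $id.Name
        AuthType = $id.AuthenticationType
        TgtCount = @(klist | Select-String 'krbtgt').Count   # 0 = nothing to delegate
    }
}

# 2. The double hop from the question: Get-Service running on the first hop opens
#    the target's Service Control Manager over RPC with the session's non-delegable
#    token, which is what yields "Cannot open Service Control Manager".
try {
    Invoke-Command -ComputerName $FirstHop -ArgumentList $Target, $Service `
        -ErrorAction Stop -ScriptBlock {
            param($t, $s)
            Get-Service -ComputerName $t -Name $s | Select-Object MachineName, Name, Status
        }
} catch {
    Write-Warning "Second hop to $Target failed: $($_.Exception.Message)"
}

# 3. Single hop instead: query the target directly from where the script runs, so the
#    caller's own Kerberos ticket is used and no delegation is involved.
#    (Get-Service -ComputerName was removed in PowerShell 7; there the equivalent is
#    Invoke-Command -ComputerName $Target -ScriptBlock { Get-Service -Name $using:Service }.)
Get-Service -ComputerName $Target -Name $Service | Select-Object MachineName, Name, Status
```

    Run it from the member server as the account the scheduled task uses; a TgtCount of 0 in step 1 together with a working step 3 confirms the failure is the second hop rather than a permission on the RODC itself.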
  • It is just an example, but I have a scheduled task running on a member server (since DCs cannot have scheduled tasks running in a user context with a password) for an AD health check which invokes a local script on a remote machine (another DC).

    A bit confused, if the second hop restriction is causing the issue.

    1. How does Get-WmiObject work?

    2. How do the rest of the DCs and member servers allow the second hop?

    Monday, March 11, 2019 2:42 PM
  • DCs allow second hop for some accounts because a DC has to be able to delegate credentials.  No member server allows this by default and must be enabled for delegation.

    From what you have posted I am pretty sure that your analysis is faulty although someone may have enabled member servers for delegation.  RODCs do not need to delegate as they only receive data pushed from a DC.  Also they need to be protected and secured to prevent malware issues.

    Using a scheduled task does not require delegation.  It all depends on what the script is doing.

    Unfortunately this forum is not scoped to teach you networking so you will need to find some training materials to fully understand how all of this works and how to determine if your script requires a remote system to delegate.


    \_(ツ)_/

    Monday, March 11, 2019 2:49 PM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Wednesday, March 13, 2019 6:56 AM
  • Hi,

    Sorry, but this was specific to my setup.

    My RODC is in a branch site and there is a WAN optimization solution between the main site and the branch site; we use a Riverbed solution for WAN optimization. SMB optimization was enabled, but it forces the use of NTLM. The connection was failing since NTLM does not support double hop. I asked to bypass the optimization between domain controllers.

    PowerShell was misleading with its error output; it gives the same output even if the remote server is not reachable.




    Wednesday, March 13, 2019 7:58 AM
  • You cannot use NTLM with PS remoting if the systems are not configured for NTLM.  Remoting defaults to NTLM in a domain.  Contact the vendor of your third party solution for assistance.

    Do not post images of code or errors as they are unreadable in almost all browsers.


    \_(ツ)_/


    • Edited by jrv Wednesday, March 13, 2019 8:05 AM
    Wednesday, March 13, 2019 8:04 AM