none
Get-SmbOpenFile cmdlet not recognized when invoked on server and run as virtual admin RRS feed

  • Question

  • I have created a new PowerShell Session on my file-server (Win 2016) as follows:

    Register-PSSessionConfiguration -Name mySession -Path C:\lockingEndpoint.pssc


    My pssc file contains the following settings:

    SessionType = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    VisibleExternalCommands = 'C:\myscript.ps1'
    LanguageMode = 'FullLanguage'

    I'm then giving myself Invoke privileges on the session using:

    Set-PSSessionConfiguration -Name mySession -ShowSecurityDescriptorUI

    From my desktop I'm connecting to this session and invoking myscript.ps1 on the server, the serverside script is expecting a string parameter (a UNC path located on the server  something like this:

    Invoke-Command -ComputerName myServer -ScriptBlock {C:\myscript.ps1 \\myServer\Shares\Folder} -ConfigurationName mySession -Credential MYDOMAIN\username

    myscript.ps1 begins executing until it hits this line:

    $sessionObject = Get-SmbOpenFile | Where-Object Path -match "$sessionPath" # Locate any open share sessions to this path
    at this point it tells me it can't recognize the cmdlet:

    The term 'Get-SmbOpenFile' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    I can work around this by adding the following config to my pssc file/session:

    # Cmdlets visible in this session configuration
    VisibleCmdlets = 'Get-SmbOpenFile' 

    What I don't understand is why this cmdlet won't run as it's being called, does anyone understand what is going on here please?

    Thursday, January 31, 2019 3:22 AM

All replies

  • I think it is not workaround, the cmdlets defined against "VisibleCmdlets" are the only one which the user having permission is allowed to execute.

    If you find this post helpfull, please give “Helpfull” vote. Please remember to mark the replies as answers if they help

    Thursday, January 31, 2019 4:04 AM
  • That command is a restricted command and only exists on W10 and later systems.

    -SessionType <SessionType>
        Specifies the type of session that is created by using the session configuration. The default value is Default. The acceptable values for this
        parameter are:
    
        - Empty. No modules or snap-ins are added to session by default. Use the parameters of this cmdlet to add modules, functions, scripts, and other
          features to the session. This option is designed for you to create custom sessions by adding selected command. If you do not add commands to an
          empty session, the session is limited to expressions and might not be usable.  
        
        - Default. Adds the Microsoft.PowerShell.Core snap-in to the session. This snap-in includes the Import-Module and Add-PSSnapin cmdlets that users
          can use to import other modules and snap-ins unless you
          explicitly prohibit the use of the cmdlets.  
       
        - RestrictedRemoteServer. Includes only the following proxy functions:  
            Exit-PSSession,
            Get-Command, 
            Get-FormatData, 
            Get-Help, 
            Measure-Object, 
            Out-Default,
            Select-Object. 
    
        Required?                    false
        Position?                    named
        Default value                None
        Accept pipeline input?       False
        Accept wildcard characters?  false
    
    
    
    


    \_(ツ)_/

    Thursday, January 31, 2019 4:10 AM
  • Thanks for the answers, but I'm not sure if this has really been explained.

    One of the config options I specified is:

    VisibleExternalCommands = 'C:\myscript.ps1'
    My understanding is that when this script is invoked then everything in this script can be executed without needing to specify individual cmdlets.

    The script also contains these cmdlets which run just fine without needing to declare them in VisibleCmdlets:
    Add-content

    Set-ACL

    Rename-Item




    • Edited by MGADI Friday, February 1, 2019 2:48 AM
    Thursday, January 31, 2019 8:20 PM