Remote Powershell scripting

  • Question

  • Hi,

    I have to do some tasks with PowerShell scripts in my organization. I have the scripts, which work well when executed locally. For the scripts to work, they have to be executed with elevated rights.

    Those scripts leave a file output.

    Those scripts execute on several servers. Now, the customer has asked to put all those scripts in a UNC path, and call them from a centralized server. So for example, a script which gives a list of virtual machines in a Hyper-V server called Hyperv1 has to be invoked as follows:

    In a central machine, a scheduled task has to call the Hyperv1 server PowerShell remotely, and that server has to execute the script placed in the UNC path with elevated rights.

    I am doing tests without the scheduled task, only from an elevated PowerShell prompt in the central machine. I have tried with this:

    Invoke-Command -ComputerName Hyperv1 -Filepath \\fileserver\share\script.ps1

    and I get two errors: first, access denied when running Get-VM, and second, access denied when trying to write the output file to \\fileserver\share\reports

    If I add the -Credential parameter with my user account, I get the same errors. But if I open an elevated PowerShell in the Hyperv1 server and run \\fileserver\share\script.ps1 it works OK.

    I have also tried Enter-PSSession -ComputerName Hyperv1, but then, if I type \\fileserver\share\script.ps1 I get an unknown cmdlet error. And if I type Start-Process Powershell.exe \\fileserver\share\script.ps1, I get no errors but nothing happens (no output file).

    The scripts are signed and the certificate exists in all servers. I don't know how to make it work.

    Wednesday, February 15, 2017 11:18 AM

Answers

  • You can configure CredSSP between the systems and that will allow you to run the commands.  You can also set up a constrained endpoint that uses credentials to remote which will also give you what you want and can be made more secure.


    \_(ツ)_/

    Wednesday, February 15, 2017 12:46 PM
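
The two options named in this answer, as an added example that is not code from the thread. Hyperv1 and the \\fileserver\share paths come from the question; the endpoint name HvReports, the function Invoke-HvReport, the account CONTOSO\svc-hvreports and the existing folder C:\PSConfig are assumptions.

```powershell
# Added example, not from the thread. Run each part elevated on the machine named in its comment.
# Assumed names: endpoint 'HvReports', account 'CONTOSO\svc-hvreports', C:\PSConfig\HvReports.pssc.

# --- Option 1: CredSSP (delegates the caller's full credential to Hyperv1) ---
# Central server: permit delegation to this one host only, not a wildcard.
Enable-WSManCredSSP -Role Client -DelegateComputer 'Hyperv1' -Force
# Hyperv1: accept delegated credentials.
Enable-WSManCredSSP -Role Server -Force
# Central server: CredSSP needs explicit credentials; Hyperv1 can then reuse them
# against the cluster nodes and the reports share.
$cred = Get-Credential
Invoke-Command -ComputerName 'Hyperv1' -Authentication Credssp -Credential $cred `
    -ScriptBlock { & '\\fileserver\share\script.ps1' }

# --- Option 2: constrained endpoint with a RunAs account (no credential delegation) ---
# Hyperv1: expose a single function that runs the signed script; nothing else is visible.
$pssc = @{
    Path                = 'C:\PSConfig\HvReports.pssc'
    SessionType         = 'RestrictedRemoteServer'
    FunctionDefinitions = @{
        Name        = 'Invoke-HvReport'     # hypothetical function name
        ScriptBlock = { & '\\fileserver\share\script.ps1' }
    }
    VisibleFunctions    = 'Invoke-HvReport'
}
New-PSSessionConfigurationFile @pssc
Test-PSSessionConfigurationFile -Path $pssc.Path   # returns True when the file is valid

# The RunAs account needs Hyper-V rights and write access to \\fileserver\share\reports.
# -ShowSecurityDescriptorUI opens the ACL dialog: grant Execute only to the task's account.
$svc = Get-Credential -Credential 'CONTOSO\svc-hvreports'
Register-PSSessionConfiguration -Name 'HvReports' -Path $pssc.Path `
    -RunAsCredential $svc -ShowSecurityDescriptorUI -Force

# Central server: connect to the endpoint; commands run as the RunAs account on Hyperv1.
Invoke-Command -ComputerName 'Hyperv1' -ConfigurationName 'HvReports' `
    -ScriptBlock { Invoke-HvReport }
```

With option 2 the RunAs credential is stored on Hyperv1 and every caller allowed by the endpoint's ACL acts as that account, so the ACL and the visible command list are the controls to review.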

All replies

  • You cannot run a remote session that accesses a third system.

    See: https://blogs.technet.microsoft.com/heyscriptingguy/2013/04/04/enabling-multihop-remoting/


    \_(ツ)_/

    Wednesday, February 15, 2017 11:48 AM
  • Thank you, but in my opinion, it is not a third system access.

    From central server I want to run a remote script in Hyperv1 server. Just two systems.

    Thanks.

    Wednesday, February 15, 2017 12:08 PM
  • Are the scripts stored on that server?  Is that server only accessing one other server?  Is the task running as a full administrator?

    What you described is a second hop.  Read the article carefully to understand what a second hop is.

    The following should work if you are an admin on the remote system and can authenticate with your default credentials.

    Invoke-Command -ComputerName Hyperv1 -Filepath \\fileserver\share\script.ps1


    \_(ツ)_/



    • Edited by jrv Wednesday, February 15, 2017 12:19 PM
    Wednesday, February 15, 2017 12:17 PM
  • Note that the script cannot access any modules or functions that are not installed on the remote machine and cannot use any commands that access a third system.


    \_(ツ)_/

    Wednesday, February 15, 2017 12:20 PM
  • Suggestion.  Start with this script to be sure your remoting is working correctly:

    Invoke-Command -ComputerName Hyperv1 -ScriptBlock {Write-Host 'Hello from:'  $env:COMPUTERNAME}


    \_(ツ)_/

    Wednesday, February 15, 2017 12:23 PM
  • Thanks for the answers. The script runs in a Hyper-V cluster, so, yes, it uses commands which ask other computers. That has to be the reason for not working.

    Wednesday, February 15, 2017 12:39 PM