Custom Powershell SCCM Remote Code - Suddenly isn't working as expected.

    Question

  • Let me preface this by saying I know this isn't really a supported thing, BUT this was working 100% no issues as of a week or so ago, and I am trying to figure out what has happened that would make it not work.


    Hoping someone over there can help as I am having a big issue with the latest cmdlet release for sccm 2012.

     

    Below is a snippet from a much much larger application I wrote in PS. It uses XAML, and has a GUI, etc. Long story short what the code does is create a remote session to a server, it is a server running server 2012 and has the 2012 config console installed on it with the latest cmdlets.

     

    $global:cred = Get-Credential

    $SessionOption = New-PSSessionOption -IdleTimeout 28800000

    $global:sess = New-PSSession -ComputerName $ServerName -Name "PSSSession" -Credential $global:cred -ConfigurationName Microsoft.Powershell32 -ErrorVariable Err -SessionOption $SessionOption

     

    Function Prime {

        write-host "Entering Prime"

        Invoke-Command -Session $global:sess -ScriptBlock {

            Write-Host "Changing Location To SCCM Folder"

            Set-Location "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin"

            Start-Sleep -Seconds 1

            Write-Host "Importing SCCM Module"

            Import-Module "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"

            start-sleep -Seconds 1

            New-PSDrive -Name GAN -PSProvider CMSite -Root "insert primary sccm server" -Credential $args[0] -ErrorVariable Err

            start-sleep -Seconds 2

            Import-Module ConfigurationManager

            cd GAN:

            get-cmuser -name "us\testuser"  # here we insert a test user to make sure the above code worked.

        } -ArgumentList $global:cred

    }

     

    Prime

     

     

    Next it sends commands through the session to import the ccm cmdlets. You will notice that there are some extra steps here.

     

    Typically all you need to do is import ConfigurationManager.psd1 and then change drives in powershell to your site code. As you can see in the below code we are setting the location, and then importing the configmanager.psd1 file. We also had to code one additional step. When doing these commands via invoke (remoting), cd YourSiteCode: (our site code) never worked. It would always result in this error (

    Cannot find drive. A drive with the name 'GAN' does not exist.

        + CategoryInfo          : ObjectNotFound: (Gan:String) [Set-Location], DriveNotFoundException

        + FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.SetLocationCommand

        + PSComputerName        : ent-mocsmsccm05

     

    )

    So what we did instead was to manually create the drive after doing the import of the cmdlets, hence why the set-psdrive command is in the code. And this works 100%.(

    Name           Used (GB)     Free (GB) Provider      Root                                                                                   CurrentLocation PSComputerName                                                  

    ----           ---------     --------- --------      ----                                                                                   --------------- --------------                                                  

    GAN                                                  sccmserver.fqdn.com                                                                                                                      

    What is no longer working, and this is the entire point of this email, is the following. Using the exact code above when I enter in an account with local admin credentials (on the 2012 server we are remoting to) the code executes, the drive is created, the sccm cmdlets are imported and all works. When I use NON local admin credentials everything breaks. And it generates the below error. I have next to 0 clue what “AuthorizationManager check failed” means.

     

    I have double and triple checked that remote wmi \ wsman is setup and configured, that even though the user is not a local admin they are a member of the below groups. This worked beautifully until a couple days ago and now is not working at all. Any ideas? Can we perhaps do a remote session so I can show this quick in real time? And I wanted to get around having to use credssp, since a) it's confusing to configure b) it opens security holes and didn't seem necessary.

     

    WinRMRemoteWMIUsers__

    Remote Management Users

    Remote Desktop Users

    The following error occurred while loading the extended type data file:

    , C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.PowerShell.Types.ps1xml: The file was skipped because of the following validation exception:

    AuthorizationManager check failed..

        + CategoryInfo          : InvalidOperation: (:) [Import-Module], RuntimeException

        + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

        + PSComputerName        :

     

    Cannot find drive. A drive with the name 'Gan' does not exist.

        + CategoryInfo          : ObjectNotFound: (Gan:String) [Set-Location], DriveNotFoundException

        + FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.SetLocationCommand

        + PSComputerName        :

     

    Cannot find a provider with the name 'CMSite'.

        + CategoryInfo          : ObjectNotFound: (CMSite:String) [New-PSDrive], ProviderNotFoundException

        + FullyQualifiedErrorId : ProviderNotFound,Microsoft.PowerShell.Commands.NewPSDriveCommand

        + PSComputerName        :

     

    The following error occurred while loading the extended type data file:

    , C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\Bin\Microsoft.ConfigurationManagement.PowerShell.Types.ps1xml: The file was skipped because of the following validation exception:

    AuthorizationManager check failed..

        + CategoryInfo          : InvalidOperation: (:) [Import-Module], RuntimeException

        + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

        + PSComputerName        :

     

    Cannot find drive. A drive with the name 'GAN' does not exist.

        + CategoryInfo          : ObjectNotFound: (GAN:String) [Set-Location], DriveNotFoundException

        + FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.SetLocationCommand

        + PSComputerName        :

     

    The 'get-cmuser' command was found in the module 'ConfigurationManager', but the module could not be loaded. For more information, run 'Import-Module ConfigurationManager'.

        + CategoryInfo          : ObjectNotFound: (get-cmuser:String) [], CommandNotFoundException

        + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule

        + PSComputerName        :





    • Edited by lbarone Thursday, June 09, 2016 1:21 PM remove internal server address from ps computer name attribute.
    Thursday, June 09, 2016 1:12 PM

All replies

  • PS C:\Windows\system32> Get-ExecutionPolicy -list

                                                                     Scope                                                       ExecutionPolicy
                                                                     -----                                                       ---------------
                                                             MachinePolicy                                                          Unrestricted
                                                                UserPolicy                                                             Undefined
                                                                   Process                                                          Unrestricted
                                                               CurrentUser                                                                Bypass
                                                              LocalMachine                                                          Unrestricted

    Also the above is the execution policy on the server that is set when I log in as the non local admin account.

    Thursday, June 09, 2016 1:20 PM
  • We have been unable to reproduce internally even using your repro script. What happens if you run those steps interactively using Enter-PSSession? That may provide more details as to what's going on.


    Check out my Configuration Manager blog at http://aka.ms/ameltzer


    Thursday, June 16, 2016 6:49 PM
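
The reply above asks for more detail on what differs when the import fails. As an added example (not code from the thread or from Microsoft), this helper runs inside the same New-PSSession and reports the account, process bitness, execution policy per scope, and whether each module file is readable and validly signed in that account's context. `Get-ImportPrecheck` is a hypothetical name; `$global:sess` and the bin path are taken from the question's snippet.

```powershell
# Added diagnostic sketch, not code from the thread.
# Get-ImportPrecheck is a hypothetical helper; $Session is e.g. $global:sess.
function Get-ImportPrecheck {
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.Runspaces.PSSession] $Session,
        # Console bin folder as given in the question's snippet.
        [string] $BinPath = 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin'
    )
    Invoke-Command -Session $Session -ArgumentList $BinPath -ScriptBlock {
        param($BinPath)
        $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal $id
        $admin     = [Security.Principal.WindowsBuiltInRole]::Administrator

        # The manifest plus the type/format data files that Import-Module loads.
        $files = @(Get-ChildItem -Path (Join-Path $BinPath '*') -Include *.psd1, *.ps1xml -ErrorAction SilentlyContinue)
        $fileReport = foreach ($f in $files) {
            # Can this account open the file at all?
            $readable = $true
            try { [IO.File]::OpenRead($f.FullName).Dispose() } catch { $readable = $false }
            # Signature status, evaluated in this account's context.
            $sig = try { (Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction Stop).Status.ToString() }
                   catch { "Error: $($_.Exception.Message)" }
            # A Zone.Identifier stream marks the file as downloaded.
            $zone = [bool](Get-Item -LiteralPath $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
            [pscustomobject]@{ File = $f.Name; Readable = $readable; Signature = $sig; ZoneMarked = $zone }
        }
        [pscustomobject]@{
            User            = $id.Name
            IsLocalAdmin    = $principal.IsInRole($admin)
            Is64BitProcess  = ([IntPtr]::Size -eq 8)
            PSVersion       = $PSVersionTable.PSVersion.ToString()
            ExecutionPolicy = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
            FilesFound      = $files.Count
            Files           = $fileReport
        }
    }
}

# Run once per account and compare the two reports side by side.
$report = Get-ImportPrecheck -Session $global:sess
$report | Format-List User, IsLocalAdmin, Is64BitProcess, PSVersion, ExecutionPolicy, FilesFound
$report.Files | Format-Table File, Readable, Signature, ZoneMarked -AutoSize
```

Running it once in a session opened with the local admin credential and once with the non-admin credential gives two reports whose differing fields narrow down where the two logons diverge.
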
  • Hi Adam,

    First off, thanks for the reply.

    Second, I am now even more stumped than previously ha.

    Running these exact same commands via enter-pssession with the non local admin account worked beautifully and magically. Not a single error... Which doesn't make much sense whatsoever.

    The problem with using enter-pss instead of new is that I can't pass things in other functions in the code when using enter-pss. As an example of what I mean see below. There are options in the ui of the code to pull info out of AD. So if the user selects that option we call a function that fires the below snippet of code. Which is nice because we only call functions based on what the user selects. Using new-pss I am able to store the session in a global variable and then use that in other functions to invoke commands against the remote server in the pre-existing session.

    Using enter-pss I have no way of doing this. I get an active session and then when does that active session end?

    If I was to recode my app and get rid of all the functions that utilize invoke command and instead of invoking just passed them all through the existing interactive session perhaps that would be an option. The other issue with this is if I am passing everything through enter-pss I can't capture errors in variables properly, and I likely won't be able to get the results to display in my app due to scope. This is why I ultimately had to call invoke-command and store its result in a variable, so I would be able to access that within the scope of the app and actually get things to display in the UI. Otherwise if you declare variables and store things while in the session, the local machine can't access those, least in my experience using invoke-command, not sure if it would behave differently in an interactive (enter-pss) session.

    I opened a pss case on this, not sure if you are directly involved at all, but multiple people have called you out specifically in regards to this case. 

    If you have 10-15 min free at some point perhaps I can share screens over skype with you and show you the rest of the code. I think after you see the overall design of it, what I'm asking above may make more sense.

    Thank you.   


            
            $res2 = Invoke-Command -Session $global:sess -ScriptBlock {
                Import-Module ActiveDirectory
                try{
                    Get-ADUser -Identity $args[0] -Properties * -Server "our domain controller" -Credential $args[1] 
                }catch{
                    return $_
                            
                }
                    
            } -ArgumentList $split, $global:cred         

        



    Thursday, June 16, 2016 7:19 PM
  • Did you ever find a solution to this? I have exactly the same issue when trying to import the cmdlets from a pssession launched by orchestrator.

    Using Enter-PSSession interactively gives me the same authorization error.

    I raised a case with Premier Support but they couldn't repro it, so closed with no solution. The workaround I used was to permission the account but it's not ideal.

     
    Friday, June 08, 2018 8:32 AM