none
New-PSSession Access is denied for only one account RRS feed

  • General discussion

  • Hi ladies and gentlemen,

    I have a problem with my script. When I execute the script with my account, everything work.
    But I run it in the task scheduler (on computer1) with a specific account (script-account), it cannot connect to the server (computer2).
    Script-account can execute scripts on computer1 and computer2 without any problem. 

    This is the error:
    New-PSSession : [computer2] Connecting to remote server computer2 failed with the 
    following error message : Access is denied. For more information, see the 
    about_Remote_Troubleshooting Help topic.

    After seeing different answers, I added the account in the "Remote Management Users" group.
    But it doesn't change anything.
    So I need your help to solve this problem.
    So what are the rights to connect remotely that "Remote Management Users" does not cover?


    Wednesday, August 7, 2019 8:14 AM

All replies

  • To create a PSSesssion you ideally you should have admin access over the system. Or you need to manually provide the user the delegate access to run scripts over the machine.

    Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell

    Try above and add the user, once added provide the required permissions and try to PSRemote to the same.

    Wednesday, August 7, 2019 9:20 AM
  • It's maybe ideally to have admin access, but I can't give this rights for the script-account.

    Why put the script-account on "permissions for http://schemas.microsot.com/powershell/Microsoft.Powershell"?
    If we can see the group "Remote Management Users" inside? By inheritance he is therefore supposed to have it.

    Wednesday, August 7, 2019 12:36 PM
  • It's maybe ideally to have admin access, but I can't give this rights for the script-account.

    Why put the script-account on "permissions for http://schemas.microsot.com/powershell/Microsoft.Powershell"?
    If we can see the group "Remote Management Users" inside? By inheritance he is therefore supposed to have it.

    You can create a constrained endpoint to give limited access to non-admin accounts.


    \_(ツ)_/

    Wednesday, August 7, 2019 12:55 PM
  • You can create a constrained endpoint to give limited access to non-admin accounts.

    But isn't there another way to solve my problem?
    Wednesday, August 7, 2019 1:45 PM
  • Consider the following:

    What is Remote Management Users Group?
    "The WinRMRemoteWMIUsers_ group allows running Windows PowerShell commands remotely whereas the Remote Management Users group is generally used to allow users to manage servers by using the Server Manager console."

    By default only members of the local "Administrators" group have WinRM access.


    \_(ツ)_/

    Wednesday, August 7, 2019 1:50 PM
  • Ok, I understand. 

    To don't give administrator rights on script-account,

    I open  "lusrmgr - [Local Users and Groups (Local)\Groups]"

    And Add my user on the group : "Remote Management Users"

    Thanks to all of you

    Wednesday, August 7, 2019 3:23 PM
  • Ok, I understand. 

    To don't give administrator rights on script-account,

    I open  "lusrmgr - [Local Users and Groups (Local)\Groups]"

    And Add my user on the group : "Remote Management Users"

    Thanks to all of you

    That does not apply to WinRM.  It only applies to the GUI management tools lie Server Manager.


    \_(ツ)_/

    Wednesday, August 7, 2019 3:36 PM