Access denied in PSSession/Invoke-Command

Tagged: 

This topic contains 7 replies, has 4 voices, and was last updated by Profile photo of Albert van Boerum Albert van Boerum 1 week, 4 days ago.

  • Author
    Posts
  • #68497
    Profile photo of Ronny Peperoni
    Ronny Peperoni
    Participant

    Hi,

    I have two servers: SERVER_A (scripting server, with custom PS-Modules) and SERVER_B (file server, no custom PS-Modules). Now, I'd like to run a Script on SERVER_B. Since some custom PS-Modules are only installed on SERVER_A, the Script should run as if it is started on SERVER_A – I use a PSSession for this. The Script should then list the files from both c$-Shares. This is what I have now:

    $Session = New-PSSession "SERVER_A" -Credential (Get-Credential)
    Invoke-Command -Session $Session -ScriptBlock {
        Run-CustomModule -Parameter
        Get-ChildItem "\\SERVER_A\c$"
        Get-ChildItem "\\SERVER_B\c$"
        }

    The CustomModule works fine. The first Get-ChildItem works fine, too. But I get an access denied error on the second one. What do I need to do to make this thing working?

    Thank you! 🙂

  • #68502
    Profile photo of Aaron Hardy
    Aaron Hardy
    Participant

    The credential that is used to connect to SERVER_A, can they be used on SERVER_B as well? When you're connecting to SERVER_B from SERVER_A, the same security principal is used. Could there be a GPO causing this?

    • #68509
      Profile photo of Ronny Peperoni
      Ronny Peperoni
      Participant

      Oh, I forgot to mention that, thanks. I have access to both c$-shares from both of the servers with my credentials. When I remove the -credential paremeter to login with my current login credentials it also does not work.

      There is no GPO that blocks anything like this.

      By the way, connecting to SERVER_B with PSSession causes an access problem for the Get-Childitem "\\SERVER_A\c$". The second one, Get-Childitem "\\SERVER_B\c$", works fine in this case. And obviously the custom module won't work that way. 🙂

  • #68512
    Profile photo of Kristopher Gross
    Kristopher Gross
    Participant

    IF you are able to connect to server B Out side of the script There could be a File or Folder you do not have access to on the C$ share of Server B. Im not really sure what the best way solve that would be fore you but hopefully that give you an idea of what to look for

    • #68541
      Profile photo of Ronny Peperoni
      Ronny Peperoni
      Participant

      To make sure that it's not a Problem with access rights, I created a new Share called \\SERVER_B\Test. The group "Everyone" is the owner of that folder and has FullAccess on NTFS level and on the Share itself. Get-ChildItem "\\SERVER_B\Test" still throws a permission denied error inside Invoke-Command.

  • #68544
    Profile photo of Albert van Boerum
    Albert van Boerum
    Participant
    • #68550
      Profile photo of Ronny Peperoni
      Ronny Peperoni
      Participant

      Thank you. If I understood correctly all I had to do was to run Enable-WSManCredSSP -Role Server on SERVER_A and Enable-WSManCredSSP -Role Client -DelegateComputer x on SERVER_B. Both ran without any error messages. But I still get that permission denied error in my Invoke-Command.. 🙁

  • #68562
    Profile photo of Albert van Boerum
    Albert van Boerum
    Participant

    Correct but, you still have to tell powershell to use credssp.

    you command should now be:

    $cred = Get-Credential
    $Session = New-PSSession "SERVER_A"  -Authentication Credssp -Credential $cred
    Invoke-Command -Session $Session -ScriptBlock {
        Run-CustomModule -Parameter
        Get-ChildItem "\\SERVER_A\c$"
        Get-ChildItem "\\SERVER_B\c$"
        }
    

You must be logged in to reply to this topic.