Access denied in PSSession/Invoke-Command

This topic contains 8 replies, has 5 voices, and was last updated by  Jim Bendtsen 6 months, 2 weeks ago.

  • Author
    Posts
  • #68497

    Ronny Peperoni
    Participant

    Hi,

    I have two servers: SERVER_A (scripting server, with custom PS-Modules) and SERVER_B (file server, no custom PS-Modules). Now, I'd like to run a Script on SERVER_B. Since some custom PS-Modules are only installed on SERVER_A, the Script should run as if it is started on SERVER_A – I use a PSSession for this. The Script should then list the files from both c$-Shares. This is what I have now:

    $Session = New-PSSession "SERVER_A" -Credential (Get-Credential)
    Invoke-Command -Session $Session -ScriptBlock {
        Run-CustomModule -Parameter
        Get-ChildItem "\\SERVER_A\c$"
        Get-ChildItem "\\SERVER_B\c$"
        }

    The CustomModule works fine. The first Get-ChildItem works fine, too. But I get an access denied error on the second one. What do I need to do to make this thing working?

    Thank you! 🙂

  • #68502

    Aaron Hardy
    Participant

    The credential that is used to connect to SERVER_A, can they be used on SERVER_B as well? When you're connecting to SERVER_B from SERVER_A, the same security principal is used. Could there be a GPO causing this?

    • #68509

      Ronny Peperoni
      Participant

      Oh, I forgot to mention that, thanks. I have access to both c$-shares from both of the servers with my credentials. When I remove the -credential paremeter to login with my current login credentials it also does not work.

      There is no GPO that blocks anything like this.

      By the way, connecting to SERVER_B with PSSession causes an access problem for the Get-Childitem "\\SERVER_A\c$". The second one, Get-Childitem "\\SERVER_B\c$", works fine in this case. And obviously the custom module won't work that way. 🙂

  • #68512

    Kristopher Gross
    Participant

    IF you are able to connect to server B Out side of the script There could be a File or Folder you do not have access to on the C$ share of Server B. Im not really sure what the best way solve that would be fore you but hopefully that give you an idea of what to look for

    • #68541

      Ronny Peperoni
      Participant

      To make sure that it's not a Problem with access rights, I created a new Share called \\SERVER_B\Test. The group "Everyone" is the owner of that folder and has FullAccess on NTFS level and on the Share itself. Get-ChildItem "\\SERVER_B\Test" still throws a permission denied error inside Invoke-Command.

  • #68544

    Albert van Boerum
    Participant
    • #68550

      Ronny Peperoni
      Participant

      Thank you. If I understood correctly all I had to do was to run Enable-WSManCredSSP -Role Server on SERVER_A and Enable-WSManCredSSP -Role Client -DelegateComputer x on SERVER_B. Both ran without any error messages. But I still get that permission denied error in my Invoke-Command.. 🙁

  • #68562

    Albert van Boerum
    Participant

    Correct but, you still have to tell powershell to use credssp.

    you command should now be:

    $cred = Get-Credential
    $Session = New-PSSession "SERVER_A"  -Authentication Credssp -Credential $cred
    Invoke-Command -Session $Session -ScriptBlock {
        Run-CustomModule -Parameter
        Get-ChildItem "\\SERVER_A\c$"
        Get-ChildItem "\\SERVER_B\c$"
        }
    
  • #72020

    Jim Bendtsen
    Participant

    I have a question about another scenario: This example script works when I'm executing it on my workstation in domain1, the server where the pssession is started and script is executing is in domain2, and so is the source for the installation files I want to copy from the source server smb share to the destination/execution server.

    $cred = Get-Credential -message "Enter Admin credentials for Dev Domain"
    $Session = New-PSSession "SE12345"  -Authentication Credssp -Credential $cred
    $scriptblock = 
    {
        copy-Item -path "\\SE54321\f$\msiname2install.msi" -destination "F:\Apps\Install\Files\"
        start-process msiexec.exe -argumentlist "/i f:\Apps\Install\Files\msi2install.msi /qn /le msiname2install.log"
    }
    Invoke-Command -Session $Session -ScriptBlock $scriptblock
    

    My new scenario is that the server where I want to execute the script is in a different domain from the source server, and I need to pass one set of credentials to the server I want to configure and another to the smb source server, so I can perform the copy from the source server to the destination server while "ON" the destination server.

    I do have a solution now, which is to connect to the source smb server and server I want to run the script on from my workstation, prior to running my invoke-command on the server I'm configuring:

    $computers = (get-content "iis_securitylayering.txt")
    $source_server_userid = read-host "Enter Admin Domain\Userid for Source Server "
    $source_server_password = read-host -assecurestring "Enter Password for that UserID"
    new-smbmapping -remotepath \\se12345\ipc$ -username $source_server_userid -password $source_server_password
    $source_server_userid = ""
    $source_server_password = ""
    
    foreach  ($computer in $computers)
    {
    	$destination_credential = get-credential -message "Enter Administrative credentials for Server you're configuring"
    	$destination_server_userid = read-host "Enter Admin Domain\UserID for Destination Server"
    	$destination_server_password = read-host -assecurestring "Enter Password for that UserID"
    	new-smbmapping -remotepath \\$computer\ipc$ -username $destination_server_userid -password $destination_server_password
    	copy-item -path "\\se12345\f$\Apps\Install\Files\module.msi" -destination "\\$computer\F$\Apps\Install\Files\"
    	$destination_server_userid = ""
    	$destination_server_password = ""
    	Invoke-Command -ComputerName $Computer -credential $destination_credential -ScriptBlock $scriptblock
    }	
    
    

You must be logged in to reply to this topic.