
May 15, 2017 at 3:33 pm

I am trying to execute a scriptblock from within a parent script using a different set of credentials. Both the
parent script and the called scriptblock use non-local-admin accounts. Currently I am attempting to use Invoke-Command
to accomplish this.

Test setup:
I logged on to the local server (Win 2012 R2, UAC disabled) as a local admin.
I then opened a command prompt as the same (non-admin) ID that I will use for the Invoke-Command.

Test script: I am attempting the same steps inside and outside of the Invoke-Command to
demonstrate the difference in results. If the RunAs account is added to the local Administrators group this runs
as desired. I do not want to use an admin account as the RunAs account.

#
# RunAs-Demo.ps1: run the same checks in the parent script and again inside an
# Invoke-Command scriptblock under the non-admin service account.
# $TFSCred was not shown in the original post; prompting for it here so the
# script runs stand-alone.
$TFSCred = Get-Credential -UserName 'ad-ent\ecs-auto-tfs-svc' -Message 'RunAs account'

whoami
"Check ExecutionPolicy"
Get-ExecutionPolicy
"Import Module"
Import-Module WFTFS
"Ready to Invoke-Command (RunAs)"
Invoke-Command -ComputerName ECS-I-AUTD-01 -Credential $TFSCred -ScriptBlock {
    whoami
    try {
        "Check ExecutionPolicy"
        Get-ExecutionPolicy -ErrorAction Stop
    } catch {
        # $_ is the error that landed in this catch; $Error[0] would be the same here
        "ERROR : $($_.Exception)"
    }
    try {
        "Import Module"
        Import-Module WFTFS -Force -ErrorAction Stop
    } catch {
        "ERROR : $($_.Exception)"
    }
}
#

Test results:
I do not understand how/why I am getting the Access Denied CIM exception. The ecs-auto-tfs-svc account has full control
granted via Set-PSSessionConfiguration for Microsoft.PowerShell.

PS > .\RunAs-Demo.ps1

    ad-ent\ecs-auto-tfs-svc
Check ExecutionPolicy
    Unrestricted
Import Module
Ready to Invoke-Command (RunAs)
    ad-ent\ecs-auto-tfs-svc
Check ExecutionPolicy
    ERROR : Microsoft.Management.Infrastructure.CimException: Access denied
       at Microsoft.Management.Infrastructure.Internal.Operations.CimSyncEnumeratorBase`1.MoveNext()
import Module
    ERROR : System.Management.Automation.PSSecurityException: AuthorizationManager check failed. --->
    Microsoft.Management.Infrastructure.CimException: Access denied
       at Microsoft.Management.Infrastructure.Internal.Operations.CimSyncEnumeratorBase`1.MoveNext()

Thoughts, suggestions, solutions all greatly appreciated. Or alternative methods of executing a scriptblock
within a script, under a different set of non-admin credentials than the parent script.

Thanks

May 16, 2017 at 1:05 pm

The default configuration on the WMI repository (which is what CIM uses) is to only allow remote queries by members of the Administrators group. Similarly, the default configuration on the default Remoting endpoint only allows connections by members of the local Administrators or Remote Administrators groups.

Additionally, you're mixing some metaphors. While CIM uses WS-MAN, it does not use Remoting. Setting permissions on session configurations doesn't impact CIM in any way.

I don't see your code using CIM at all – is it being used by that WFTFS module? Without knowing exactly what that is trying to do, I'd guess that the WMI repository isn't liking its permissions. You could also be running into a double-hop issue. You've "used up" your first hop with Invoke-Command, and your delegated credential can't, by default, be passed along any other remote connections – which would include a query via CIM, even if to the local box.
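The reply above names three separate gates that can produce "Access denied" in this setup: the SDDL on the remoting endpoint (what Set-PSSessionConfiguration edits), the ACL on the WMI namespace (a different object entirely, edited via wmimgmt.msc, where the "Remote Enable" right is by default held only by Administrators), and the second hop. The script below is an added diagnostic example, written for this page and not posted by either participant, that probes each gate in turn from the non-admin prompt the question describes. It assumes the target is the same local server the question uses, that the account in $Credential can already open the endpoint (as the question's output shows it can), and that root/cimv2 is the namespace the WFTFS module touches; the probe names and the Invoke-Probe helper are this example's own.

```powershell
# Added example: separate the three causes named in the reply.
# Run it from the non-admin prompt; only the endpoint-permission readout needs elevation.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: the local server, as in the question
    [pscredential]$Credential = (Get-Credential -Message 'Non-admin account to test')
)

# Run one probe and report the error message instead of letting it terminate the script.
function Invoke-Probe {
    param([string]$Name, [scriptblock]$Action)
    try {
        $null = & $Action
        "{0,-58} OK" -f $Name
    } catch {
        "{0,-58} FAILED: {1}" -f $Name, $_.Exception.Message
    }
}

# Gate 1: the endpoint SDDL. This is the only thing Set-PSSessionConfiguration changes.
# Reading it needs an elevated prompt, so it is wrapped rather than assumed.
try {
    $endpoint = Get-PSSessionConfiguration -Name Microsoft.PowerShell -ErrorAction Stop
    "Endpoint Microsoft.PowerShell permission: $($endpoint.Permission)"
} catch {
    "Endpoint permission not readable from this prompt (needs elevation): $($_.Exception.Message)"
}
# Gate 2, the WMI namespace ACL, lives in wmimgmt.msc -> Properties -> Security -> Root\CIMV2.
# It is not shown here; the probes below tell you whether it is the culprit.

$script:Session = $null

# Probe 1: first hop. Can the account open the endpoint at all?
Invoke-Probe 'First hop: New-PSSession as non-admin' {
    $script:Session = New-PSSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
}

if ($Session) {
    # Probe 2: inside the session, a CIM query against the local repository with no
    # -ComputerName. No WS-MAN round trip and no second hop is involved, so a failure
    # here is the namespace ACL (or the provider) rejecting the account, not delegation.
    Invoke-Probe 'Inside session: local CIM query (no second hop)' {
        Invoke-Command -Session $Session -ErrorAction Stop -ScriptBlock {
            Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
        }
    }

    # Probe 3: inside the session, the same query addressed by computer name. This goes
    # back out over WS-MAN, which needs "Remote Enable" on the namespace AND a credential
    # the session is allowed to forward, i.e. the second hop the reply describes.
    Invoke-Probe 'Inside session: CIM query via -ComputerName (second hop)' {
        Invoke-Command -Session $Session -ErrorAction Stop -ScriptBlock {
            Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $using:ComputerName -ErrorAction Stop
        }
    }
    Remove-PSSession $Session
}

# Probe 4: the same remote CIM query from the outer (first-hop) context with an explicit
# credential, so delegation is not in play. If this fails too, the WMI namespace ACL is
# denying the non-admin; if it succeeds while probe 3 fails, probe 3 is the double hop.
Invoke-Probe 'Outside session: remote CIM query with explicit credential' {
    $cim = New-CimSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
    try   { Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem -ErrorAction Stop }
    finally { Remove-CimSession $cim }
}
```

Reading the four results together: probe 1 OK and probe 2 FAILED points at the namespace ACL or the provider, independent of remoting; probes 1 and 2 OK with 3 and 4 both FAILED points at the namespace's remote-access right (the admin-only default the reply mentions); probes 1, 2 and 4 OK with only probe 3 FAILED is the double hop. Whatever WFTFS does internally, the same pattern applies: run its CIM call once locally inside the session and once via a CimSession from outside, and compare.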