Access Denied: Invoke-Command with Alternate Credentials


  • #70681

    I am trying to execute a scriptblock from within a parent script using a different set of credentials. Both the
    Parent script and Called scriptBlock are using non-Local Admin accounts. Currently I am attempting to use Invoke-Command
    to accomplish this.

    Test Setup:
    I logged on to the local server (Win 2012R2, UAC disabled) as a local admin.
    I then opened a command prompt as the same ID (non-admin) as I will use for the Invoke-Command.

    Test script: I am attempting the same steps inside and outside of the Invoke-Command to
    demonstrate the difference in results. If the RunAs account is added to the local Administrators group this runs
    as desired. I do not want to use an admin account as the RunAs account.

      # Steps run locally, as the account that launched the parent script
      "Check ExecutionPolicy"
      "Import Module"
      Import-Module WFTFS
      "Ready to Invoke-Command (RunAs)"
      # Same steps again, under the alternate (non-admin) credential
      Invoke-Command -ScriptBlock {
          try {
              "Check ExecutionPolicy"
              Get-ExecutionPolicy -ErrorAction Stop
          }
          catch { "ERROR : $($Error[0].Exception)." }
          try {
              "import Module"
              Import-Module WFTFS -Force -ErrorAction Stop
          }
          catch { "ERROR : $($Error[0].Exception)" }
      } -ComputerName ECS-I-AUTD-01 -Credential $TFSCred

    Test Results:
    I do not understand how/why I am getting the Access Denied CIM Exception. The ecs-auto-tfs-svc account has full control
    granted via Set-PSSessionConfiguration for microsoft.Powershell

    PS > .\RunAs-Demo.ps1
    Check ExecutionPolicy
    Import Module
    Ready to Invoke-Command (RunAs)
    Check ExecutionPolicy
        ERROR : Microsoft.Management.Infrastructure.CimException: Access denied
           at Microsoft.Management.Infrastructure.Internal.Operations.CimSyncEnumeratorBase`1.MoveNext()
    import Module
        ERROR : System.Management.Automation.PSSecurityException: AuthorizationManager check failed. --->         
        Microsoft.Management.Infrastructure.CimException: Access denied
        at Microsoft.Management.Infrastructure.Internal.Operations.CimSyncEnumeratorBase`1.MoveNext()

    Thoughts, suggestions, solutions all greatly appreciated. Or alternative methods of executing a scriptblock
    within a script, under a different set of non-admin credentials than the parent script.


  • #70747

    The default configuration on the WMI repository (which is what CIM uses) is to only allow remote queries by members of the Administrators group. Similarly, the default configuration on the default Remoting endpoint only allows connections by members of the local Administrators or Remote Administrators groups.

    Additionally, you're mixing some metaphors. While CIM uses WS-MAN, it does not use Remoting. Setting permissions on session configurations doesn't impact CIM in any way.

    I don't see your code using CIM at all – is it being used by that WFTFS module? Without knowing exactly what that is trying to do, I'd guess that the WMI repository isn't liking its permissions. You could also be running into a double-hop issue. You've "used up" your first hop with Invoke-Command, and your delegated credential can't, by default, be passed along any other remote connections – which would include a query via CIM, even if to the local box.
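
The two access-control lists the reply distinguishes, read side by side on the target server. This is an added example, not part of either post: the function names are hypothetical, and the default namespace `root\cimv2` is an assumption, since the thread does not say which namespace the WFTFS module queries.

```powershell
# Added example: run in an elevated PowerShell session on the target server.
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable" bit in a WMI namespace ACE

function Get-EndpointAcl {
    param([string]$Name = 'Microsoft.PowerShell')
    # ACL that decides who may open a Remoting session on this endpoint
    # (this is what Set-PSSessionConfiguration changes).
    Get-PSSessionConfiguration -Name $Name | Select-Object Name, Permission
}

function Get-WmiNamespaceAcl {
    param([string]$Namespace = 'root\cimv2')   # assumed namespace
    # Separate ACL stored on the WMI namespace itself; editing a session
    # configuration does not change it.
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                               -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed on $Namespace (code $($result.ReturnValue))"
    }
    foreach ($ace in $result.Descriptor.DACL) {
        $trustee = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$trustee" }
        $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny/Other' }
        [pscustomobject]@{
            Trustee      = $trustee
            AceType      = $type
            RemoteEnable = [bool]($ace.AccessMask -band $WBEM_REMOTE_ACCESS)
            AccessMask   = '0x{0:X}' -f $ace.AccessMask
        }
    }
}

Get-EndpointAcl     | Format-List
Get-WmiNamespaceAcl | Format-Table -AutoSize
```

An account can appear in the endpoint's `Permission` list and still have no Allow entry with `RemoteEnable` set on the namespace, either directly or through a group it belongs to.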
