Author Posts

July 5, 2016 at 4:12 pm

Hi,

I've been asked to create a tool so that "regular" users can see and logoff an RDS user session. I'm trying to create an endpoint for which a group of users can connect to and then run a specific set of commands under the credentials of another account.

This is my lab:
DC01
BG01 (broker/gateway)
SH01 (session host)
all of them running Windows Server 2012 R2.

I begin with creating the sesssionconfigurationfile with the follwing command:
New-PSSessionConfigurationFile -Path C:\admin.pssc -SessionType RestrictedRemoteServer -VisibleFunctions 'Get-NetIPAddress' -ModulesToImport 'NetTCPIP'

Then I register it:
Register-PSSessionConfiguration -Path .\admin.pssc -Name admin -RunAsCredential $cred -Force -Confirm:$false -SecurityDescriptorSddl "O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGWGR;;;S-1-5-21-3029544977-3128121203-2081689124-1107)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

And finally I connect to that endpoint with a user that is part of the group specified in the SDDL. Up until this point I don't experience any problems at all. I cannot import any other modules and except from a few basic cmdlets I can only run "Get-NetIPAddress".

But when I try to change the ModulesToImport parameter to 'RemoteDesktop' and the VisibleFunctions to 'Get-RDUserSession', 'Invoke-RDUserLogOff' it stops working.

Then, when I try to connect to the endpoint, which worked perfectly before I get the following error:

Enter-PSSession : Processing data from remote server robama-bg01 failed with the following error message: The request f
or the Windows Remote Shell with ShellId 55B8749F-561E-4D4A-9BE1-1F615F01281F failed because the shell was not found on
the server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the server. Provi
de the correct ShellId or create a new shell and retry the operation. For more information, see the about_Remote_Troubl
eshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName BG01 -ConfigurationName admin
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (BG01:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

I remove the PSSessionConfiguration and then tried again but the problem persists. I even repeated the process with the NetTCPIP module and a couple of other modules and everything worked fine. I tried the same thing in a colleagues LAB and it was the same thing.

Any ideas? Thanks..

July 5, 2016 at 4:15 pm

As a troubleshooting step, try changing SessionType RestrictedRemoteServer to something less restrictive. It's possible that the module you're trying to load won't operate under that restriction, meaning it's exploding when PowerShell tries to spin up the instance, and so the endpoint winds up "not existing."

Because RestrictedRemoteServer is _so_ restrictive, if the RemoteDesktop module is trying to do anything unusual, the runspace won't allow it.

July 5, 2016 at 4:25 pm

Ok, So when I changed the SessionType to 'Default' it was the same thing but when I set it to 'Empty' I got this:

Enter-PSSession : One or more errors occurred processing the module 'RemoteDesktop' specified in the InitialSessionStat
e object used to create this runspace. See the ErrorRecords property for a complete list of errors. The first error was
: The term 'Add-Type' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.

however.. If I set the SessionType to Default and comment out "VisibleFunctions" and "ModulesToImport" I can connect to that endpoint, manually import the module and then run the cmd (functions). Is it possible that the module "RemoteDesktop" has dependencies in form of other modules?

July 5, 2016 at 4:37 pm

It's entirely possible, and difficult to tell. But the fact that it's erroring on Add-Type is weird, because that's core. You might try explicitly including the core modules in the endpoint to see if that helps.

July 5, 2016 at 6:18 pm

Here's what I've tried so far (with errors):

SessionType = Empty
ModulesToImport = 'RemoteDesktop'
Everything else = Comented out

Enter-PSSession : One or more errors occurred processing the module 'RemoteDesktop' specified in the InitialSessionStat
e object used to create this runspace. See the ErrorRecords property for a complete list of errors. The first error was
: The term 'Import-Module' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
———————————————————————-

SessionType = Empty
ModulesToImport = 'RemoteDesktop', 'Microsoft.PowerShell.Core'
Everything else = Comented out

? : The term '?' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spell
ing of the name, or if a path was included, verify that the path is correct and try again.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Utility.psm1:27 char:42
+ $ParameterName | ?{$BoundParameters.ContainsKey($_)} | % ...
+ ~
+ CategoryInfo : ObjectNotFound: (?:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

? : The term '?' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spell
ing of the name, or if a path was included, verify that the path is correct and try again.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Utility.psm1:27 char:42
+ $ParameterName | ?{$BoundParameters.ContainsKey($_)} | % ...
+ ~
+ CategoryInfo : ObjectNotFound: (?:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

This actually gives me the output I'm looking for but first it prints these errors.
The problem is that allthough I only specified the Core module it loads every module available (I think, there's a lot of them anyway)

So obviously.. running the module in an endpoint isn't the problem but running it without importing and showing everything else is..

————————–

SessionType = Empty
ModulesToImport = 'RemoteDesktop', 'Microsoft.PowerShell.Core'
VisibleFunctions = 'Get-RDUserSession'
Everything else = Comented out

Now I'm back on the first errormessage again but instead of "Import-Module" it's back to "Add-Type".

I'm running out of ideas.
and I'm not sure that I understand the "Empty" sessiontype anymore.. It doesn't appear to do what the help says it should.

July 5, 2016 at 6:26 pm

This really threw me off:

? : The term '?' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spell
ing of the name, or if a path was included, verify that the path is correct and try again.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Utility.psm1:27

Added the fullpath (C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Utility.psm1) to modulestoimport without any luck. That file really exists there.

July 5, 2016 at 6:33 pm

Yeah, oy. It looks like they're using aliases like ? in the module, instead of cmdlet names (Where-Object), and with a stripped-down runspace, you might not have the alias. You may simply have run across a badly-made module that isn't going to run in anything less than a full runspace. If that's the case, all you can do is file it as a bug with the product team that made it. If it's a script module, you could in theory open it up and fix it – but that could be a long slog.

July 5, 2016 at 7:00 pm

hmm... here's the line 27-28 in that script module.

$ParameterName | ?{$BoundParameters.ContainsKey($_)} | %{$params[$_] = $BoundParameters[$_]}
break

they're using aliases for both where-object and foreach-object..

Even if this isn't the only thing that makes this so difficult it sure seems like it's a part of the problem and they should have a look at it anyway. I'll report this as a bug!

It didn't help to put ? and % into visiblealiases either!

Thank you Don!