get-ciminstance on remote computers

This topic contains 4 replies, has 2 voices, and was last updated by  Don Jones 3 weeks, 6 days ago.

  • Author
    Posts
  • #92129

    js
    Participant

    Speaking of the first Iron Scripter puzzle, how do you get get-ciminstance to work on remote computers with the -computername option? I have the winrm service running and the firewall open, and trustedhosts set on the source, but it says "access denied".
    How does it know what username and password to use? The same as the source computer? That is a local administrators account (same name on both), so I would think it would work. Is there some other rights I have to enable? I'm not in a domain.

  • #92131

    Don Jones
    Keymaster

    If WinRM is enabled and the remote has PowerShell 3 or later, and if you're connecting as an account the remote machine recognizes as an admin, then it should just work. It uses whatever account you've logged into Windows with. Logging in as a local admin on YOUR machine, will not translate to local admin on the OTHER machine, though. Local accounts don't cross to other machines. That's why they're
    "local."

  • #92132

    Don Jones
    Keymaster

    If you're not in a domain, then basically the usual Remoting rules apply (even though CIM is not Remoting, they're both using WS-MAN). You could read "Secrets of PowerShell Remoting." But essentially since the default Kerberos authentication isn't going to work, you'll have to (a) use Basic, (b) specify credentials explicitly when running the command, and (c) make sure the remote machine can listen for HTTPS – meaning it needs a certificate, and (d) specify the connection be made over SSL.

    Yes, it's a PITA. That's why domains are a thing :). But simply having the accounts named the same on both machines won't work; outside of a domain, Kerberos isn't a thing.

    • #92134

      js
      Participant

      The thing is, I can get psremoting to work. It will even automatically try the same username and password. But get-ciminstance -computername still says access denied.

  • #92135

    Don Jones
    Keymaster

    CIM and Remoting are a bit different, even though they use the same underlying WS-MAN protocol. They both authenticate in their own way.

    But if Remoting works, you may be good. Run Invoke-Command and just send your Get-CimInstance or whatever across that to run locally on the other box.

You must be logged in to reply to this topic.