Invoke-Command as a "Protected User"

This topic contains 2 replies, has 2 voices, and was last updated by sponsen 1 month, 2 weeks ago.

  • Author
    Posts
  • #81466

    sponsen
    Participant

    In my dev env I'm trying out protected users and their admin abilities.
    I know that Protected Users put some restrictions on accounts ex. in terms of logon protocols, but I'm a bit confused with this behavior:

    So if I Invoke-Command against "localhost" I get Access denied. If I do it against a remote system, I'm getting in. What is the technical reason for this to happen?

  • #81527

    Don Jones
    Keymaster

    One reason might be Remoting not being enabled on your local system. It isn't enabled on client operating systems by default.

    • #85237

      sponsen
      Participant

      We did some more testing with 2 computers:

      PC1 is able to run "invoke-command PC2 {hostname}", but not "invoke-command PC1 {hostname}"

      PC2 is able to run "invoke-command PC1 {hostname}", but not "invoke-command PC2 {hostname}"

      Both machines are running PS with accounts that have local admin permissions on both systems.

      However, when doing the same with an administrator that is NOT in the protected users group – both commands work.

      So it seems there is something fishy going on here.

      We have PS remoting enabled via GPO on all related endpoints and use it daily for mgmt.

      UPDATE: It also works with the protected users when adding "-Credential" to the command.
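
A script for collecting the test matrix described in the last post on each machine, added here as an example and not part of the original thread. PC1 and PC2 are the thread's host names; the function name `Test-Remoting` and the script parameters are hypothetical, and the Protected Users client log read at the end is assumed to have been enabled beforehand (it is off by default).

```powershell
# Added diagnostic example, not code from the thread.
param(
    [string[]]$ComputerName = @('PC1', 'PC2'),   # host names used in the thread
    [pscredential]$Credential                    # optional: same account, passed explicitly
)

# Is the account running this script in Protected Users?
# The group has the well-known domain RID 525 (SID ends in -525).
$identity    = [Security.Principal.WindowsIdentity]::GetCurrent()
$isProtected = [bool]($identity.Groups | Where-Object { $_.Value -match '^S-1-5-21-.*-525$' })

function Test-Remoting {
    param([string]$Target, [pscredential]$Cred)
    $params = @{ ComputerName = $Target; ScriptBlock = { hostname }; ErrorAction = 'Stop' }
    if ($Cred) { $params.Credential = $Cred }
    try {
        $null    = Invoke-Command @params
        $outcome = 'OK'
    } catch {
        # Keep the full message: it distinguishes "Access is denied" from
        # connection or name-resolution failures.
        $outcome = $_.Exception.Message
    }
    [pscustomobject]@{
        From          = $env:COMPUTERNAME
        Target        = $Target
        Credential    = if ($Cred) { 'explicit' } else { 'implicit' }
        ProtectedUser = $isProtected
        Result        = $outcome
    }
}

# One row per target with the logon session's credentials, plus one row per
# target with -Credential when a credential was supplied.
$results = foreach ($target in $ComputerName) {
    Test-Remoting -Target $target
    if ($Credential) { Test-Remoting -Target $target -Cred $Credential }
}
$results | Format-Table -AutoSize -Wrap

# Recent entries from the Protected Users client log, if it is enabled.
Get-WinEvent -LogName 'Microsoft-Windows-Authentication/ProtectedUser-Client' `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Running it once as the Protected Users admin and once as the other administrator on both machines gives a side-by-side record of which combinations fail.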
