Invoke Command Calling a remote VBScript

This topic contains 3 replies, has 3 voices, and was last updated by Profile photo of Daniel Krebs Daniel Krebs 2 years ago.

  • Author
    Posts
  • #21047
    Profile photo of Andy Feetenby
    Andy Feetenby
    Participant

    I have a VBS Script located on a Network Share in the same Domain. It's function to uninstall all versions of Java it detects through a WMI Query,

    I want every computer in an OU to call the VB Script, so am using invoke-command with the Scriptblock parameter. However after loading cscript, Powershell then reports cscript error loading script "scriptpath" failed (Access is Denied). I have also tried enter-pssession and called the script from the remote computers prompt, with the same result.

    I am running the console as Administrator, and when I run the script locally the script runs successfully.

    Reading other forums it has been suggested, problem could be the Double Hop in that it is not using the same credentials I open the console with. (ie no permissions to share drive) I have tried running the command with Credentials as well.

    Trial and error is failing, I need to be pointed in the right direction......

  • #21048
    Profile photo of Don Jones
    Don Jones
    Keymaster

    This is a multi-hop authentication issue.

    You are on Machine A.

    You remote to Machine(s) B, which is one "hop." You tell Machine(s) B to execute a command.

    The command requires Machine(s) B to access a file on Machine C. That is a second "hop." The problem is, your credential cannot be delegated further, and so Machine(s) B present a null identifier to the file server. If you can modify the file server to allow anonymous connections, this might work. Otherwise, you would need to enable multi-hop delegation. How you do that depends a lot on your environment – if everything is 2008+ and Vista+, you can enable CredSSP on your machine and on Machine(s) B, although that can be time-consuming to do manually on a lot of machines.

    Providing credentials doesn't change the way this works.

  • #21055
    Profile photo of Andy Feetenby
    Andy Feetenby
    Participant

    Don,

    Thanks for your assistance I have successfully run the VBScript using invoke-command to one computer by enabling the Server role with the WSManCredSsp Cmdlet on the Remote Computer. As you inferred in your email the next problem I face, is how the Server role is deployed to the rest of the enterprise.

    Andy

  • #21069
    Profile photo of Daniel Krebs
    Daniel Krebs
    Participant

    Hi Andy,

    I think it would better if you would invest the time to rewrite the VBScript as PowerShell script. Once it is a PowerShell script you can run the script without enabling CredSSP which is a security risk for an enterprise.

    Invoke-Command -ComputerName MachineA, MachineB, MachineC -FilePath \\unc\JavaUninstallScript.ps1

    Above Invoke-Command will read the full script from the UNC path using your credentials on the machine where you have the interactive PowerShell window open and the cmdlet will submit it as script block to the remote computers.

    Best,
    Daniel

You must be logged in to reply to this topic.