December 9, 2014 at 3:17 pm #21047
I have a VBS script located on a network share in the same domain. Its function is to uninstall all versions of Java it detects through a WMI query.
I want every computer in an OU to call the VB script, so I am using Invoke-Command with the ScriptBlock parameter. However, after loading cscript, PowerShell then reports cscript error loading script "scriptpath" failed (Access is Denied). I have also tried Enter-PSSession and called the script from the remote computer's prompt, with the same result.
I am running the console as Administrator, and when I run the script locally the script runs successfully.
Reading other forums, it has been suggested the problem could be the Double Hop, in that it is not using the same credentials I open the console with (i.e. no permissions to the share drive). I have tried running the command with credentials as well.
Trial and error is failing; I need to be pointed in the right direction...
December 9, 2014 at 3:29 pm #21048
This is a multi-hop authentication issue.
You are on Machine A.
You remote to Machine(s) B, which is one "hop." You tell Machine(s) B to execute a command.
The command requires Machine(s) B to access a file on Machine C. That is a second "hop." The problem is, your credential cannot be delegated further, and so Machine(s) B present a null identifier to the file server. If you can modify the file server to allow anonymous connections, this might work. Otherwise, you would need to enable multi-hop delegation. How you do that depends a lot on your environment – if everything is 2008+ and Vista+, you can enable CredSSP on your machine and on Machine(s) B, although that can be time-consuming to do manually on a lot of machines.
Providing credentials doesn't change the way this works.
December 10, 2014 at 7:29 am #21055
Thanks for your assistance. I have successfully run the VBScript using Invoke-Command to one computer by enabling the Server role with the WSManCredSSP cmdlet on the remote computer. As you inferred in your email, the next problem I face is how the Server role is deployed to the rest of the enterprise.
December 10, 2014 at 3:24 pm #21069
I think it would be better if you would invest the time to rewrite the VBScript as a PowerShell script. Once it is a PowerShell script, you can run the script without enabling CredSSP, which is a security risk for an enterprise.
Invoke-Command -ComputerName MachineA, MachineB, MachineC -FilePath \\unc\JavaUninstallScript.ps1
The above Invoke-Command will read the full script from the UNC path using your credentials on the machine where you have the interactive PowerShell window open, and the cmdlet will submit it as a script block to the remote computers.
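The approach in the last reply, as an added example that is not part of the original thread: the uninstall logic is carried to each computer as a script block, so the remote machine never contacts the file share and CredSSP stays disabled. The OU distinguished name, the `Java%` name filter and the `$Remove` switch are assumptions made for illustration.

```powershell
# Added example, not code from the thread. Placeholders are marked as assumptions.
$ou = 'OU=Workstations,DC=example,DC=com'    # hypothetical OU distinguished name

# Runs on Machine A (the admin workstation); needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$computers = Get-ADComputer -SearchBase $ou -Filter * |
    Select-Object -ExpandProperty Name

# This block is serialized and sent over the remoting session, so Machine B
# does not authenticate to a file server (no second hop).
$javaCleanup = {
    param([bool]$Remove)

    # WMI query for installed Java packages. The name filter is an assumption;
    # review the report before removing. Enumerating Win32_Product makes Windows
    # Installer validate every MSI package, so expect this to be slow.
    $products = Get-WmiObject -Class Win32_Product -Filter "Name LIKE 'Java%'"

    foreach ($p in $products) {
        $code = $null
        if ($Remove) {
            $code = $p.Uninstall().ReturnValue    # 0 means success
        }
        New-Object PSObject -Property @{
            Product     = $p.Name
            Version     = $p.Version
            ReturnValue = $code
        }
    }
}

# First pass: report only ($Remove = $false). Change to $true after reviewing.
$report = Invoke-Command -ComputerName $computers -ScriptBlock $javaCleanup `
    -ArgumentList $false -ErrorAction SilentlyContinue -ErrorVariable failed

$report | Select-Object PSComputerName, Product, Version, ReturnValue |
    Sort-Object PSComputerName | Format-Table -AutoSize

# Computers that could not be reached or refused the session.
$failed | ForEach-Object { $_.TargetObject } | Sort-Object -Unique
```

Saving the script block body as a local `.ps1` and passing it with `-FilePath` behaves the same way, since the file is read on Machine A before being sent.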