invoke-command + CIM question

Welcome Forums General PowerShell Q&A invoke-command + CIM question

Viewing 6 reply threads
  • Author
    Posts
    • #225483
      Participant
      Topics: 8
      Replies: 19
      Points: 163
      Helping Hand
      Rank: Participant

      If I run the below, I get the output I expect:

      If however, I wrap that in an Invoke-Command, the Get-CimAssociatedInstance returns nothing (Meaning, if the New-Object wasn’t wrapped in an if ($LU){...} the object it returned would have ComputerName and LogonSession populated, but LogonUser would be null). Example:

      I cannot reason my way through why this is failing… so even if there is a way to accomplish this task another way, I’d like to understand why this way doesn’t work, in case I hit something like this again in the future.

      • This topic was modified 8 months, 3 weeks ago by mitchvh05.
    • #225507
      Participant
      Topics: 9
      Replies: 707
      Points: 2,848
      Helping Hand
      Rank: Community Hero

      Hi Mitch,

      The reason this is happening is the famous double hop issue. Basically you can use credssp, scheduled task, etc. Check the following links, the first has a nice walk through of automating allowing/configuring credssp. You can confirm this is your issue at least. It’s not allowed for good reasons, you’ll have to consider and decide.

      https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/understanding-and-avoiding-double-hop

      https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7

    • #225783
      Participant
      Topics: 8
      Replies: 19
      Points: 163
      Helping Hand
      Rank: Participant

      Hmm… so the Get-CimInstance doesn’t bump into that restriction, but the Get-CimAssociatedInstance does? Under the hood, is Get-CimAssociatedInstance trying to create a new cim session? Or am I just missing something way simpler? Obviously, I don’t expect you to know, but if you do – that’d be awesome to find out. Thanks regardless!

    • #225804
      Participant
      Topics: 9
      Replies: 707
      Points: 2,848
      Helping Hand
      Rank: Community Hero

      It’s not the command per se. It’s where the information is you’re trying to retrieve. If it’s locally stored on the remote machine, you’ll have access to it. But win32_useraccount in a domain environment comes from the DC. If your remote target is a DC, it should work. If it’s not, double hop issue. Win32_useraccount will still list local accounts over remoting but not the domain accounts without providing additional credentials. See this thread for more info.

      https://powershell.org/forums/topic/unable-to-run-a-powershell-script-on-remote-server-with-additional-parameters/

      Did you confirm it worked when using CredSSP?

    • #225849
      Participant
      Topics: 9
      Replies: 707
      Points: 2,848
      Helping Hand
      Rank: Community Hero

      This is an interesting article too. Sucks it’s “archived” like so many other good ones.

      https://docs.microsoft.com/en-us/archive/blogs/ashleymcglone/powershell-remoting-kerberos-double-hop-solved-securely

    • #226197
      Participant
      Topics: 8
      Replies: 19
      Points: 163
      Helping Hand
      Rank: Participant

      [Beware: Wall of Text]

      For starters – thanks for helping me realize the problem. No idea how long it would have taken for me to realize Win32_UserAccount itself needed to access the DC.

      I skipped trying the CredSSP; since I work for an MSP – most of our clients won’t have that setup, and I’d like this to run without making any configuration changes. I just ended up doing the Win32_UserAccount query from the local machine, then adding fields to the information I pulled from remote. It’s a bit slow, but I can work on that. At least right now, I have the beginnings of a sort-of Super “query user” which lets me poll everything in an environment. Output from my custom class looks like:

      Currently usable, but in my calling function, I’m grabbing Processes, but not using them in my class, which I’ll implement later. If you end up ever having a use for something like this, here’s the code I have so far. Second code block is my custom class.

       

    • #226254
      Participant
      Topics: 9
      Replies: 707
      Points: 2,848
      Helping Hand
      Rank: Community Hero

      Fantastic, thanks for sharing! If you don’t need to interact or get output from the remote script, and just need it to run. You could always use something like this. It wouldn’t be a second hop. I only list the credential part for completeness, I’m certain you can build your own.

Viewing 6 reply threads
  • The topic ‘invoke-command + CIM question’ is closed to new replies.