Invoke Script...Access Denied

This topic contains 2 replies, has 3 voices, and was last updated by  Ben Camareno 4 weeks, 1 day ago.

  • Author
    Posts
  • #75202

    Brian Clanton
    Participant

    I composed a simple script that will export Printer shares (settings and drives) to a remote repository. This script works when I run it locally, however ideally I would like to invoke this script from a central server. My central server is logged in with domain admin credentials. The script runs with domain admin privileges and both servers (central server and print servers) are in the same domain.

    Here is the script that runs without issue on each server.

    #Export Printer migration files
    set-location C:\Windows\System32\spool\tools
    $TimeStamp = (Get-Date).tostring("yyyyMMdd")
    $PrintServer = '\\' + $env:COMPUTERNAME
    $Repository = '\\cfs02\utility$\updates\PrinterMigrationFiles\' + $env:COMPUTERNAME + '\'
    $FilePath = $Repository + $TimeStamp + '_' + $env:COMPUTERNAME + '.printerExport'
    
    #Launch Export Copmmand
    .\PrintBrm.exe -b -s $PrintServer -f $FilePath
    
    [array]$sortedRepo = Get-ChildItem $Repository | Sort-Object -Descending LastAccessTime
    
    #Clean up Repository to keep the last two latest files
    if ($sortedRepo.Length -gt 3){
        
            for($i=2; $i -lt $sortedRepo.Length; $i++){    
            Remove-Item $sortedRepo[$i].FullName 
            }
    }

    I place the above script on the central server and run this command

    $session = New-PSSession -ComputerName P5
    Invoke-Command -Session $session   -FilePath .\Export-TP_printers.ps1 

    I receive this output. The last entry indicates a failed access violation. I removed a portion of the printer queues for brevity. The last entry is a lie since I am running this as a domain admin.

    Operation mode: backup
    Target server: \\P5
    Target file path: \\cfs02\utility$\updates\PrinterMigrationFiles\P5\20170718_P5.printerExport.
    Queue publish mode: none
    Overwrite mode: keep existing settings
    
    LISTING PRINT QUEUES
    EMI-HPAcct2
    Donnelly-Front-Desk
    ...
    ...
    ..
    
    172.26.179.24, TCP
    172.26.179.25, TCP
    172.26.180.20, TCP
    172.26.198.20, TCP
    172.26.9.20, TCP
    
    
    
    The following error occurred: 0x80070005.
    Access is denied.
    
    Check if you are an administrator or member of the administrators group.
    Check if you executed the tool with elevated permission.
    Check the eventlog for detailed information about the error which occurred.
    
    
  • #75205

    Rob Simmers
    Participant

    Take a look at Secrets of Powershell Remoting in the eBooks section. The issue you are seeing is most likely a double-hop issue when you are trying to write to the remote share. If you just save the data to a local file (on server that is called), does the Invoke work?

  • #75209

    Ben Camareno
    Participant

    You need to allow delegation of credentials from server A to server B using the Enable-WSManCredSSP cmdlet with the right parameters for your environment.
    Then when creating a new PSSession, use -Authentication Credssp.

    Double-hop issue as Rob mentioned.

You must be logged in to reply to this topic.