
March 12, 2018 at 7:30 pm

I have set up PowerShell remoting on two servers. I can confirm this by being able to access ServerB from ServerA with enter-pssession. When attempting to run scripts from ServerA to ServerB using Invoke-command, I come across these two roadblocks:

1) When attempting to recycle an app pool on ServerB from ServerA:
Error: Process should have elevated status to access IIS configuration data.

2) When attempting to access a file on ServerB from ServerA:
Error: Access to the path denied.

Two things I think may be happening: it seems as though the script is not running as admin on ServerB, or I have not given proper rights to ServerB.

Any help on how to resolve this would be appreciated.

Thanks!

March 12, 2018 at 7:36 pm

It's more likely a double-hop problem. The remote machine has to connect to a "remote service" (even if that's running on the same machine), and so you lose your credential delegation. "Secrets of PowerShell Remoting" discusses the double-hop problem and some of the major solutions. IIS is particularly challenging because of how it's built, and the fact that nobody at Microsoft really seems to really "own" IIS anymore in terms of moving its architecture forward.

March 12, 2018 at 8:26 pm

Thanks for your quick response.

I am actually not making a second hop. I am RDP'ing to ServerA, running a script on ServerA and attempting to run that same script on ServerB using invoke-command. These two servers are on the same subnet. I am able to do this with no errors with the built-in Administrator account, but with other admin accounts is where I run into the issue.

This part of your documentation is what I think is my answer, besides the fact that my servers are on the same domain.

Administrators from Other Domains

There's a quirk in Windows that tends to strip the Administrator account token for
administrator accounts coming in from other domains, meaning they end up running under
standard user privileges – which often isn't sufficient. In the target domain, you need to
change that behavior.

To do so, run this on the target computer (type this all in one line and then hit Enter):

New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType Dword -Value 1

That should fix the problem. Note that this does disable User Account Control (

March 12, 2018 at 8:34 pm

So... let's be specific.

RDP to ServerA.
ServerA uses Invoke-Command to run script on ServerB
World explodes.

Is that the pattern?

March 12, 2018 at 8:58 pm

RDP to ServerA.
ServerA uses Invoke-Command to run script on ServerB
World explodes.

The pattern isn't quite that destructive, but close.

I appreciate your help, I think you gave me enough to proceed.

March 12, 2018 at 9:00 pm

Yup!

Just so you know, that last pre-explosion step _is_ a second hop. When the script runs on ServerB, it actually has to connect to the IISAdmin service, which goes out over the network regardless of whether it's actually running on the same machine or not. It's like running Get-ADUser on a domain controller – it's still a network call, and that's where the double hop can bite you.

Good luck!
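The two explanations offered in this thread (a UAC-filtered admin token on the target, or a second hop that loses the credential) produce the same symptoms from ServerA's side. The following diagnostic is an added example, not code from the thread or from "Secrets of PowerShell Remoting"; it runs inside the remote session and reports which case applies. It assumes WinRM already works (as the poster confirmed with Enter-PSSession) and that the optional $SecondHopPath is a UNC path on a third host.

```powershell
# Added example: run from ServerA, inspects the token ServerB actually hands the script.
function Test-RemoteAdminContext {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$SecondHopPath   # optional, e.g. '\\ServerC\share' (hypothetical host)
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $id       = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($id)
        $adminSid = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators

        # The SID being in the token while IsInRole() is false means UAC marked it
        # "deny only": the token was filtered, which is the quirk quoted above.
        $hasAdminSid = [bool]($id.Groups | Where-Object { $_ -eq $adminSid })
        $elevated    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

        # Read (do not change) the policy the quoted documentation talks about.
        $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                                   -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue

        # A network-to-network access from inside the session is the double hop;
        # without delegation it fails even though the same account can reach the share from ServerA.
        $secondHop = $null
        if ($using:SecondHopPath) {
            $secondHop = Test-Path -Path $using:SecondHopPath -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            User               = $id.Name
            AuthenticationType = $id.AuthenticationType   # Kerberos is required for delegation; NTLM cannot hop
            AdminSidInToken    = $hasAdminSid
            Elevated           = $elevated
            TokenFiltered      = ($hasAdminSid -and -not $elevated)
            TokenFilterPolicy  = if ($policy) { $policy.LocalAccountTokenFilterPolicy } else { 'not set (default: filter)' }
            SecondHopReachable = $secondHop
        }
    }
}

# Usage from ServerA (server names are the thread's placeholders):
# Test-RemoteAdminContext -ComputerName ServerB -SecondHopPath '\\ServerC\share'
```

TokenFiltered = True points at the registry quirk; Elevated = True with SecondHopReachable = False points at the double hop that the IISAdmin call triggers.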