Running Powershell script from command line with domain user credentials issue

    • #240614
      Participant
      Topics: 1
      Replies: 5
      Points: 4
      Rank: Member

      I want to run a simple script from cmd using an AD user/password; it fails and produces an error of AccessDenied,PSSessionStateBroken.

      command: PowerShell -ExecutionPolicy Bypass Invoke-Command -Credential (New-Object -TypeName System.Management.Automation.PSCredential -Argumentlist "domain\user",($pw= ConvertTo-SecureString "password" -AsPlainText -Force)) -filepath 'PATH_OF_SCRIPT\SCRIPT.ps1' -computername "COMPUTER_FQDN"

      If I make this user a member of the domain admins group, the issue is fixed, but I need to run this script with a simple AD user.

    • #240653
      Participant
      Topics: 4
      Replies: 480
      Points: 1,748
      Helping Hand
      Rank: Community Hero

      Is the Path_of_script\script.ps1 a local folder or a shared folder?

    • #240773
      Participant
      Topics: 1
      Replies: 5
      Points: 4
      Rank: Member

      Is the Path_of_script\script.ps1 a local folder or a shared folder?

      Local folder

    • #240830
      Participant
      Topics: 1
      Replies: 5
      Points: 4
      Rank: Member

      If I add this user to the ‘domain admin’ group then I can run this script, but if this user is simply a member of the domain user group then it gives an access denied error. So, to be more accurate, what privileges are needed for this user to be able to run the script?

    • #240845
      Participant
      Topics: 0
      Replies: 2
      Points: 10
      Rank: Member

      Invoke-Command uses WinRM as its protocol, and only BUILTIN\Administrators group members can use WinRM by default.
      You should add this user to the BUILTIN\Remote Management Users group.
      Check with this command who can access the server through WinRM:
      (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission

    • #240938
      Participant
      Topics: 4
      Replies: 480
      Points: 1,748
      Helping Hand
      Rank: Community Hero

      Perhaps this will help

      Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
      

      See this link for more info
      http://woshub.com/powershell-remoting-via-winrm-for-non-admin-users/

    • #241004
      Participant
      Topics: 1
      Replies: 5
      Points: 4
      Rank: Member

      Thanks for your response. (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission returns

      NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

      I added my user to the BUILTIN\Remote Management Users and BUILTIN\Administrators groups but no luck. Still facing the same error.

    • #241007
      Participant
      Topics: 1
      Replies: 5
      Points: 4
      Rank: Member

      Perhaps this will help

      Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

      See this link for more info

      http://woshub.com/powershell-remoting-via-winrm-for-non-admin-users/

      Thanks for your response. It worked for me. But is there any way/command so that I can do the manual work (adding the user and assigning the execute(invoke) rights to the user) automatically through a script or command?

    • #241025
      Participant
      Topics: 4
      Replies: 480
      Points: 1,748
      Helping Hand
      Rank: Community Hero

      Could you not assign a group the rights needed and then just add/remove users to that group?

    • #241130
      Participant
      Topics: 1
      Replies: 5
      Points: 4
      Rank: Member

      Could you not assign a group the rights needed and then just add/remove users to that group?

      I have added this user to a group having all access rights (‘full control’ checked), but it didn’t work until I made this user a member of the ‘domain admins’ group.

    • #241145
      Participant
      Topics: 4
      Replies: 480
      Points: 1,748
      Helping Hand
      Rank: Community Hero

      If you need to make changes to multiple computers, you should use the group policy approach as described in the article I linked previously. If you want to use a group to control access, it needs to be a LOCAL group on each machine. That’s why it’s recommended to use the preconfigured “Remote Management Users” local group. You can even adjust the level of access that group has if you choose. You can replicate those custom permissions using the commands below, also outlined in the article.

      # After making changes manually on a host, capture the custom SDDL
      $SDDL = (Get-PSSessionConfiguration -Name "Microsoft.PowerShell").SecurityDescriptorSDDL
      
      # You can export it if you like
      $SDDL | Export-clixml d:\IT\custom-SDDL.xml
      
      # You could change the permissions remotely from a privileged account
      Invoke-Command -computername computer1,computer2,computer3 -scriptblock {
          Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $using:SDDL
      }
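
The permission change asked about earlier in the thread (adding an account in the security descriptor dialog and ticking Execute(Invoke)) can also be scripted without the UI. The following is an added example, not code from any post in this thread; the account name `CONTOSO\svc-script` is a placeholder, and it assumes an elevated Windows PowerShell 5.1 session on the target host.

```powershell
#Requires -RunAsAdministrator
# Added example: grant one account Execute(Invoke) on a remoting endpoint
# without the security descriptor UI. Run elevated on the target host.
param(
    [string]$Account    = 'CONTOSO\svc-script',    # placeholder account name
    [string]$ConfigName = 'Microsoft.PowerShell'   # endpoint discussed in the thread
)

$GENERIC_EXECUTE = 0x20000000   # the right the UI labels Execute(Invoke); "GX" in SDDL

# Resolve the account to a SID; this throws if the name cannot be resolved.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Parse the endpoint's current security descriptor (owner, DACL and audit SACL).
$current = (Get-PSSessionConfiguration -Name $ConfigName).SecurityDescriptorSddl
$sd = [System.Security.AccessControl.CommonSecurityDescriptor]::new($false, $false, $current)

# Skip the change (and the WinRM restart) if the right is already granted.
$existing = $sd.DiscretionaryAcl | Where-Object {
    $_.SecurityIdentifier -eq $sid -and
    $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
    ($_.AccessMask -band $GENERIC_EXECUTE)
}

if (-not $existing) {
    # Add an allow ACE for Execute only, not Full Control.
    $sd.DiscretionaryAcl.AddAccess(
        [System.Security.AccessControl.AccessControlType]::Allow,
        $sid, $GENERIC_EXECUTE,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)

    $new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

    # -Force suppresses the confirmation prompts; WinRM restarts to apply the change.
    Set-PSSessionConfiguration -Name $ConfigName -SecurityDescriptorSddl $new -Force
}

# Verify: the account should now be listed as AccessAllowed.
(Get-PSSessionConfiguration -Name $ConfigName).Permission
```

Saved as a script, this can be pushed to several hosts from a privileged account with `Invoke-Command -ComputerName ... -FilePath`, in the same way as the SDDL replication shown in the last post.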
      