Running Script via PSsession - Access Denied

This topic contains 1 reply, has 2 voices, and was last updated by  Don Jones 2 years, 7 months ago.

  • Author
    Posts
  • #24601

    TechGismo
    Participant

    Here is my problem:

    Before any one asks the obvious question if the prompt is elevated and run as administrator, the answer is....yes.

    I have a server called Server-A, where all of my scripts are located in D:\testfolder. So I do a pssession to the server and go to the directory where I have my ps1 file, if I try to execute the script, I get the error below when I try that.

    What the script does is a very simple copy-item command from Server-B\testfolder to Server-C\test-folder. I have no problems with access to the folders from a normal Windows server GUI or even my own client as long as the administrator credentials are correct.

    This server runs Server 2012 R2, if I run the script directly from the server every thing works perfect, but not if I do a pssession from my client machine with elevated administrator rights. How can this be fixed?

    Copy-Item : Access is denied
    At D:\testfolder\ps1.ps1:1 char:1
    + Copy-Item \\Server-B\test-folder -Recurse -Destination \\Server-C\testfolder
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (\\Server-B\test-folder:String) [Copy-Item], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand

    Thank you all for the help in advance.

  • #24607

    Don Jones
    Keymaster

    You're may be running into what's called the "Second Hop" problem. Review "Secrets of PowerShell Remoting" (free ebook) for details. Basically, once you remote to Server-A, it can't access non-local resources, including a path on Server-B or Server-C.

    This wouldn't be the same through the File Explorer GUI, since it handles credentials entirely differently. And this has nothing to do with admin rights; it has to do with the ability to delegate your credential across multiple hops.

You must be logged in to reply to this topic.