Running Script via PSsession - Access Denied

This topic contains 1 reply, has 2 voices, and was last updated by Don Jones 1 year, 6 months ago.

  • #24601
    TechGismo

    Here is my problem:

    Before anyone asks the obvious question of whether the prompt is elevated and run as administrator, the answer is... yes.

    I have a server called Server-A, where all of my scripts are located in D:\testfolder. So I do a PSSession to the server and go to the directory where I have my ps1 file. If I try to execute the script, I get the error below.

    What the script does is a very simple copy-item command from Server-B\testfolder to Server-C\test-folder. I have no problems with access to the folders from a normal Windows server GUI or even my own client as long as the administrator credentials are correct.

    This server runs Server 2012 R2. If I run the script directly from the server, everything works perfectly, but not if I do a PSSession from my client machine with elevated administrator rights. How can this be fixed?

    Copy-Item : Access is denied
    At D:\testfolder\ps1.ps1:1 char:1
    + Copy-Item \\Server-B\test-folder -Recurse -Destination \\Server-C\testfolder
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (\\Server-B\test-folder:String) [Copy-Item], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand

    Thank you all for the help in advance.

  • #24607
    Don Jones

    You may be running into what's called the "Second Hop" problem. Review "Secrets of PowerShell Remoting" (free ebook) for details. Basically, once you remote to Server-A, it can't access non-local resources, including a path on Server-B or Server-C.

    This wouldn't be the same through the File Explorer GUI, since it handles credentials entirely differently. And this has nothing to do with admin rights; it has to do with the ability to delegate your credential across multiple hops.
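
One way around the second hop described in the reply above, as an added example that is not part of the original thread: hand an explicit credential to the remote session and let Server-A authenticate to the two shares itself, so nothing has to be delegated. It assumes PowerShell 3.0 or later on Server-A and an account with read access to the Server-B share and write access to the Server-C share; the drive names `Src` and `Dst` are made up for the example.

```powershell
# Added example, not code from the thread. Run from the client machine.
# Assumption: $cred is an account allowed to read \\Server-B\test-folder
# and write to \\Server-C\testfolder.
$cred = Get-Credential   # prompt once; never hard-code the password

Invoke-Command -ComputerName 'Server-A' -ArgumentList $cred -ScriptBlock {
    param([System.Management.Automation.PSCredential]$Credential)

    $ErrorActionPreference = 'Stop'   # turn "Access is denied" into a terminating error
    $drives = @()                     # track mapped drives for cleanup

    try {
        # Each New-PSDrive performs a fresh logon from Server-A to the file
        # server with the supplied credential, so the remoting session's
        # network-only token (the cause of the second-hop failure) is not used.
        $drives += New-PSDrive -Name 'Src' -PSProvider FileSystem `
                               -Root '\\Server-B\test-folder' -Credential $Credential
        $drives += New-PSDrive -Name 'Dst' -PSProvider FileSystem `
                               -Root '\\Server-C\testfolder' -Credential $Credential

        # Copies the contents of the source share into the destination share.
        Copy-Item -Path 'Src:\*' -Destination 'Dst:\' -Recurse

        # Return a small result object to the caller on the client.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Copied   = @(Get-ChildItem -Path 'Dst:\' -Recurse).Count
        }
    }
    finally {
        # Always unmap, so the authenticated SMB sessions do not outlive the job.
        $drives | Remove-PSDrive -ErrorAction SilentlyContinue
    }
}
```

Server-A receives a usable copy of the credential for the duration of the call, so use an account scoped to just these two shares and only target hosts you trust with it.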
