
December 13, 2016 at 3:11 am

I am writing a script that is going to modify / change NTFS permissions from the domain controller w2k8-dc2, modifying the file server's NTFS permissions. I am working on / testing the script from a remote session to the domain controller w2k8-dc2 from my local computer.

However, I am trying to Set-Location to the remote server from the domain controller (w2k8-dc2) and I can't set the location from within my remote session, but I can do it from the local desktop of the domain controller (w2k8-dc2), which doesn't make sense since I am authenticated to the server with the same domain admin credentials.

From the Desktop of Server (w2k8-dc2) logged in as a domain admin:

PS C:\Users\administrator.TECHPRO> set-location \\cfs02\Users$

PS Microsoft.PowerShell.Core\FileSystem::\\cfs02\Users$> 

Remote session to the same server, authenticated with the same domain admin credentials:

[Localhost]Enter-PSSession -ComputerName w2k8-dc2 -Credential $credential

[w2k8-dc2]: PS C:\Users\administrator.TECHPRO\Documents> Set-Location \\cfs02\Users$
Set-Location : Access is denied
    + CategoryInfo          : PermissionDenied: (\\cfs02\Users$:String) [Set-Location], UnauthorizedAcces
sException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.SetLocation
Command
 
Set-Location : Cannot find path '\\cfs02\Users$' because it does not exist.
    + CategoryInfo          : ObjectNotFound: (\\cfs02\Users$:String) [Set-Location], ItemNotFoundExcepti
on
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand

December 13, 2016 at 5:52 am

It seems to me that this is a problem called Second Hop. Read more here (pages 48-51):
https://www.gitbook.com/book/devopscollective/secrets-of-powershell-remoting/details

The use of CredSSP is considered NOT SAFE.
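
One way to reach the share from the remote session without enabling CredSSP, shown as an added example that is not part of the original thread: pass the credential into the session and authenticate to the file server explicitly. It assumes PowerShell 3.0 or later on w2k8-dc2 (needed for `New-PSDrive -Credential` on the FileSystem provider); the drive name `UsersShare` and the parameter name `ShareCredential` are hypothetical.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ on w2k8-dc2.
# UsersShare and ShareCredential are hypothetical names chosen for illustration.
$credential = Get-Credential   # domain account with rights on \\cfs02\Users$

Invoke-Command -ComputerName w2k8-dc2 -Credential $credential `
    -ArgumentList $credential -ScriptBlock {
    param([System.Management.Automation.PSCredential]$ShareCredential)

    # The remoting session holds a network logon, which cannot be forwarded to
    # a second server. Authenticate to the file server with the credential
    # object that was passed in, instead of relying on delegation.
    New-PSDrive -Name UsersShare -PSProvider FileSystem `
        -Root '\\cfs02\Users$' -Credential $ShareCredential `
        -ErrorAction Stop | Out-Null

    try {
        Set-Location -Path 'UsersShare:\'

        # Read-only check that the second hop works before changing any ACL.
        $acl = Get-Acl -Path 'UsersShare:\'
        [pscustomobject]@{
            Path      = '\\cfs02\Users$'
            Owner     = $acl.Owner
            RuleCount = $acl.Access.Count
            Children  = @(Get-ChildItem -Path 'UsersShare:\').Count
        }
    }
    finally {
        # Leave the drive before removing it so the mapping and the
        # authenticated connection do not outlive the script block.
        Set-Location -Path "$env:SystemDrive\"
        Remove-PSDrive -Name UsersShare -ErrorAction SilentlyContinue
    }
}
```

The credential is only used inside this one script block and the drive is removed in `finally`, so nothing on w2k8-dc2 is reconfigured for delegation.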