
November 8, 2013 at 1:41 pm

Hello all, and thank you for your time. My goal is to deploy a Java installation via PowerShell. I have the following script, see below. When I run the script, for computers that are online I receive the following error:

This command cannot be executed due to the error: Access is denied.
+ CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
+ PSComputerName : ARRIS-2

Is this due to using the UNC path? All users have access to the share, so I'm a bit lost on where to go from here.

$comp=Get-ADComputer -Filter {(name -like "arris*") -and (name -notlike "*exchange")} | Select-Object -ExpandProperty name |
ForEach-Object {
    $computer = $_

    $pingme = Test-Connection -ComputerName $computer -Quiet -count 1

    if ($pingme -eq $true)
    {
        Invoke-Command -ComputerName $computer -ScriptBlock { Start-Process -FilePath '\\severname\software deployment\java7_45\jre1.7.0_45.msi' -LoadUserProfile }
    }
    else
    {
        Write-Host "computer '$computer' is offline"
    }
} | ft

November 8, 2013 at 9:01 pm

You're running into the "second hop" scenario here. By default, when you use PowerShell Remoting, you can only access resources local to the machine you've connected to. In order to access that UNC path, you'll need to use CredSSP as your connection type. This requires some configuration changes both on the computer where you're running this script, and on the computers you're connecting to with Invoke-Command.

Check out the "Secrets of PowerShell Remoting" free eBook from this site. It has all of the details on how to set this up, including screenshots, starting on page 42.

November 11, 2013 at 12:45 pm

I am still running into an issue even after reading a couple of articles related to this, including the recommended article above. I am receiving this error message (see below). I have set this in Group Policy and have updated the test computers and restarted several times. This configuration is set and the parameters within it are set to WSMAN/*.domain.com, domain.com being my domain. Am I missing something obvious?

"A computer policy does not allow the delegation of the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com."

November 12, 2013 at 12:24 pm

Can anyone assist?
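
The CredSSP setup described in the second-hop reply, together with the delegation policy named in the later error message, as an added example (not code from any poster in this thread). It assumes an elevated session on the admin workstation, that targets are addressed by FQDN so the name can match a WSMAN/*.domain.com entry, and that `$cred` can read the share; the msiexec switches, the result objects and the cleanup steps are choices made for this example.

```powershell
# Added example. 'domain.com' is the placeholder domain used in the thread.
$delegate = '*.domain.com'
$msi  = '\\severname\software deployment\java7_45\jre1.7.0_45.msi'  # path as posted in the thread
$cred = Get-Credential   # account that can read the share and install on the targets

# Client side: allow this workstation to delegate fresh credentials to WSMAN/*.domain.com.
Enable-WSManCredSSP -Role Client -DelegateComputer $delegate -Force | Out-Null
Get-WSManCredSSP         # prints the current CredSSP client and service configuration

# Use DNSHostName (FQDN) rather than the short name, so the target matches the delegation entry.
$targets = Get-ADComputer -Filter {(Name -like "arris*") -and (Name -notlike "*exchange")} |
    Where-Object DNSHostName | Select-Object -ExpandProperty DNSHostName

$results = foreach ($fqdn in $targets) {
    if (-not (Test-Connection -ComputerName $fqdn -Quiet -Count 1)) {
        [pscustomobject]@{ Computer = $fqdn; Status = 'offline'; ExitCode = $null }
        continue
    }
    try {
        # Server side: the target must accept CredSSP. This first call uses default authentication.
        Invoke-Command -ComputerName $fqdn -ErrorAction Stop -ScriptBlock {
            Enable-WSManCredSSP -Role Server -Force | Out-Null
        }
        # Second hop: CredSSP hands the credential to the target so it can open the UNC path.
        $code = Invoke-Command -ComputerName $fqdn -Authentication Credssp -Credential $cred -ErrorAction Stop -ScriptBlock {
            $path = $using:msi
            $p = Start-Process msiexec.exe -ArgumentList "/i `"$path`" /qn /norestart" -Wait -PassThru
            $p.ExitCode
        }
        [pscustomobject]@{ Computer = $fqdn; Status = 'done'; ExitCode = $code }
    }
    catch {
        [pscustomobject]@{ Computer = $fqdn; Status = "failed: $($_.Exception.Message)"; ExitCode = $null }
    }
    finally {
        # Turn the server role back off so the target stops accepting delegated credentials.
        Invoke-Command -ComputerName $fqdn -ErrorAction SilentlyContinue -ScriptBlock {
            Disable-WSManCredSSP -Role Server
        }
    }
}
$results | Format-Table -AutoSize
Disable-WSManCredSSP -Role Client   # remove the client-side delegation setting again
```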