Author Posts

June 19, 2017 at 8:29 pm

I will be converting this snip to two separate functions. One to test for general access to a remote computer and the other to test a WsMan connection. To test if access is granted on a remote computer I'm just doing Get-WMIObject just to see if I can access the remote computer. If I can't access it I know the specific user group is not added to the local administrators group and I can just exit here.

My question: is there a better way to test remote administrator access on a computer?

Write-Verbose -Message "testing remote administrator access and WinRM on $ComputerName" -Verbose
try{
  $test = Get-WmiObject -Class win32_operatingsystem -ComputerName $ComputerName -ErrorAction Stop
  $access = $true
}
catch{
  $access = $false
}
if($access -eq $false){
  Write-Warning -Message 'Access denied: Please ensure that a required user group is added to the Local Administrators group. (domain\AD group)'
  Exit
}

if([bool](Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue) -eq $false){
  Write-Warning -Message "WinRM might not be configured on $ComputerName. Please correct this then run script again"
  Exit
}
Write-Verbose -Message 'Remote administrator access passed and WinRM access passed' -Verbose

June 20, 2017 at 1:15 pm

Yes and no. WMI is just testing WMI; it'll fail against any new version of Windows (e.g., Win2016) with WMI disabled. Ping just tests the ICMP protocol. Remoting just tests Remoting, which could be disabled. None of those would verify Remote Registry access, for example. You just kind of have to decide for yourself if it's sufficient.

June 20, 2017 at 1:39 pm

If I have WMI access does that mean I have admin rights on the remote computer? I could do a try CIM Catch WMI to solve the problem where WMI is going away.