Unable to run a powershell script on remote server with additional Parameters

    • #217542
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Hello Expert,

      We have a WinRM script (provided by OEM: SIEM) and it works fine. We need to run the script on our 500+ servers and I am using the below code to execute it. We have also discussed with the OEM and they have denied a way to apply this via GPO or via SCCM as well. So the only way is to do it via PS. Below is the code I am using:

      $argsArray = @()
      $data = Invoke-Command -ComputerName 1GOTVASW020-SQL -ScriptBlock {
          Param(
              [ValidateNotNullOrEmpty()]
              [string]$User
          )
          $result = c:\winrmconfig.ps1 -Action enable -ListenerType http -User [email protected]
          Return $result
      }
      This fails to identify the User name Parameter. It gives the below error:
      User User [email protected] was not found, cannot continue!
      However, if I go to the server and run the PowerShell manually, it works. So from remote PowerShell it does not handle the Parameter well. I have tried other ways as well, like using PsExec to run the script, but it still fails.
      If I don’t mention the user parameter, it works fine, but we need to mention the User parameter to get it into effect.
      The WinRM script is huge and I couldn’t paste it here, so I apologize in advance.
    • #217551
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      You have a parameter of [string]$User but you aren’t passing in any arguments. Try this

      I hope this helps

    • #217563
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Hello Doug,

      Thank you for your response. I tried the exact same code but it still errors for the username parameter. :( It says it couldn’t find the mentioned user name.

      I have tried using PsExec as well but it doesn’t work either. I also tried to manually place the username into the code but it still doesn’t work. All these methods fail with the same error. So I am totally confused as to how to run this code on 500+ servers.

    • #217566
      Participant
      Topics: 13
      Replies: 1758
      Points: 3,153
      Helping Hand
      Rank: Community Hero

      What exactly is the -User param doing? Are you troubleshooting a NULL parameter or is the winrmconfig.ps1 doing a lookup for ‘[email protected]’ and cannot actually find it? The error would be more along the lines of “User cannot be NULL” or “Cannot find user ''” if it’s a param issue. When you explain it above, it sounds like it’s getting passed and the script is doing a lookup that is failing. Provide the exact error message.

      • This reply was modified 5 months, 2 weeks ago by Rob Simmers.
    • #217572
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Hi Rob,

      Thanks for pitching in. I am getting the following error message:

      “User [email protected] was not found, cannot continue!”

      Basically, the user param is being used as below:

      $win32account = (Get-WmiObject -Class Win32_UserAccount -Filter "Domain = '$domain' and Name = '$accountname'")

      if ($win32account -eq $null)
      {
      log "User $User was not found, cannot continue!" "error"
      }

      Even if I feed the user name to $Win32account, it still doesn’t work. I have also tried removing the Param mentioned in the script and feeding it $user = "Username"; it still gives the same error.

    • #217587
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      Good call, Rob. The question should be, what is the winrmconfig.ps1 expecting to be passed in? Is it expecting an email? Once you confirm that, then you can move on to why it’s unable to find that user. Perhaps the email is incorrect? Perhaps it is needing to query a remote machine to resolve the user? If it is needing to reach out to another host then you’re likely dealing with a double-hop issue. Thanks for pointing out my error, Rob. Good luck, Maxwell.

    • #217590
      Participant
      Topics: 13
      Replies: 1758
      Points: 3,153
      Helping Hand
      Rank: Community Hero

      Where in the script are $domain and $accountname defined? That block is producing the error and it shows the user, so it’s getting the parameter but the WMI lookup is failing. $User is in the error, so I would imagine it’s doing a split on @ and setting $domain and $accountname, but does this work:

    • #217593
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Here these Parameters are defined: Yes, it is splitting it in username and domain. And then from WMI it is getting

      if ($User.Contains('@'))
      {
          $domainaccount = $User.Split('@')
          $domain = $domainaccount[1].Split('.')[0]
          $accountname = $domainaccount[0]
      }

      Answering your last part: Get-WmiObject -Class Win32_UserAccount -Filter "Domain = 'contoso.com' and Name = 'xyz'"

      If I run the above code on the server, it works. It returns the user information which was provided.

    • #217596
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      I really appreciate everyone’s involvement in this and respect their time as well. I have uploaded the script to the location below. I would really appreciate it if anyone can take a look 🙂

      https://www.mediafire.com/file/3mty8d19ndgsayc/winrmconfig.ps1/file

    • #217605
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      It stands to reason that WMI remote is not allowed. Try to run the command that @Rob gave you, remotely against the server in question and provide the results.

       

    • #217608
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Okay – that’s interesting. So when I run the WMI command from remote server, it doesn’t return anything.

      Used below code:

      Invoke-Command -ComputerName 'MyServerName' -ScriptBlock {
          Get-WmiObject -Class Win32_UserAccount -Filter "Domain = 'Contoso.com' and Name = 'AccountName'"
      }

      So if this is the root cause, how do I work around this issue? 🙁

    • #217611
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      But no error was returned? Well, I think I’m mistaken again anyways. If you’re running this through Invoke-Command, you’re connecting fine to the server over WinRM. It’s having the issue running the local c:\winrmconfig.ps1. Let’s see what others think. Do you know how to use PowerShell interactively remotely? I’d be curious just to see what happens if you Enter-PSSession to that server and try running

    • #217614
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Hello Doug,

      Correct, I didn’t get any error message. It just completed without any error. Yes, my WinRM connectivity is just fine. I can run other PS commands remotely and they work fine too.

      I have also tried using Enter-PSSession from PowerShell ISE and then put in the command you pasted, but it still errors with the same thing.

      But when I log in locally to the server and open PowerShell ISE and run the same command, it works fine. So I have no clue what the difference is when we run it remotely vs locally. 🙁

    • #217623
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      It’s the same user that you’re invoking the command and logging in locally?

    • #217626
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Correct. Using the same account.

      Interestingly, if I do Invoke-Command on the local server itself and run the command inside the scriptblock, it fails with the exact same message.

    • #217635
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      OK so it seems the winrm config on the server doesn’t allow wmi access. That’s my best guess at this point in time. Do you know if it’s a custom winrm config on 1GOTVASW020-SQL?

    • #217641
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Nothing is configured manually for any server for that matter. I have also tested it with some newly built servers but the result is the same. So we need to check how to get that WMI info using remote server. If we get that working, we may find a solution. But right now I am clueless.

    • #217650
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      OK I’m not the best WMI guy around, so bear with me. Unless your SQL server is a domain controller, then I believe this is the issue.

      The query is splitting the user up based on what you pass in. If it has an @ sign, it will get the first part of the domain. So [email protected] would get

      In my testing on my SQL servers, Get-WmiObject -Class Win32_UserAccount only lists local accounts. The domain for those accounts is the local computer name. Only on the DC did I see the domain be the same as the actual domain. What I don’t understand is if you run this locally on that machine with the same user/format passed in, you should get the same results.

      Unless the SQL server is a DC, I would try the command with either passing in just a local user name like ‘user’ or the local user name ‘[email protected]

      Based on the way they split you could even put ‘[email protected]’ but that’s just silly. I hope I’m not wrong but that’s what my testing shows.

      I hope this helps.

      • This reply was modified 5 months, 2 weeks ago by Doug Maurer.
    • #217764
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Hello Doug,

      Appreciate your time on this. I tried your suggestion by putting the local user in the mentioned format: ‘[email protected]’ but it failed with the same error.

      I also tried to feed the User variable manually in the script, so that it takes the username without asking the end user, but it still fails. I am not understanding why it works when we give it as an additional parameter but fails when we feed the same user account in the original script itself.

      It is beyond my capacity to debunk this behavior 🙂

      Note: I am not running it on a DC. This behavior is common for 100+ servers.

    • #217773
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      This script seems to be dated. I only get past the user check with a local account but the script errors out just after with the error below. What exactly are your requirements? Perhaps there are other solutions.

      [computername] Processing data from remote server computername failed with the following error message: The I/O operation has been aborted because of either a thread exit or an application request. For more information, see the about_Remote_Troubleshooting Help topic.
      + CategoryInfo : OpenError: (computername:String) [], PSRemotingTransportException
      + FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken

    • #217872
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      Hello Maxwell,

      I really appreciate you asking this question, I’ve learned quite a bit. I feel a bit ignorant for not identifying this sooner. This is 100% a double-hop issue. This article explains it exactly. Win32_useraccount cannot enumerate the domain user objects without either having stored credentials or credSSP. If you run the command again like this, you should see success.

       

    • #217971
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Hello Doug,

      Good news! – It worked. 🙂

      I ran this script for a remote server and it worked just fine.

      However, I noticed that it asks for my credentials before running, so how do I make it run for 500 servers in a loop without asking me for the cred over and over again? Can we take the server list in $server and credentials in $cred and run it through a loop? What is your recommendation?

      Special note: I truly appreciate your time in this matter. Not many out there take forum queries that seriously unless it’s the Powershell.org forum and a person like you.

      This is a great community 🙂

    • #217998
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      This is a still ongoing problem/discussion: how to store credentials for automated scripts. You have a few choices. If you have Azure, they’ve recently enhanced the credential handling there. Otherwise you can save credentials to a file, or a scheduled task. There are security concerns no matter which way you go. There are several articles that discuss this topic right here on powershell.org. I’ve linked a couple below. If the script is going to be run from the same profile/computer then you can use the Windows DPAPI. If you need to decrypt in many places then use a custom key for encryption. Check the links below to find out more about storing your credentials.

      https://powershell.org/forums/topic/credentials/

      https://powershell.org/forums/topic/powershell-script-to-login-in-remote-machine/

      https://powershell.org/forums/topic/passing-specific-credentials-to-remote-session/

      https://powershell.org/2013/11/saving-passwords-and-preventing-other-processes-from-decrypting-them/

      https://powershell.org/2014/02/revisited-powershell-and-encryption/
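
Added example, not part of the thread and not either poster's code: one way to combine the DPAPI option described above with the loop question (server list plus one stored credential). The fix command from the earlier reply is not shown on the page, so this is not a reproduction of it; the file paths and the account value are hypothetical, and CredSSP is assumed to be enabled already on the client and the servers.

```powershell
# Added example. Paths and the account value below are hypothetical.
$credPath   = Join-Path $env:USERPROFILE 'siem-winrm.cred.xml'
$serverList = 'C:\temp\servers.txt'        # one server name per line
$userArg    = 'svc-siem@contoso.com'       # placeholder for the -User value

# Prompt once and persist. On Windows, Export-Clixml protects the password with
# DPAPI, so only the same user on the same computer can import the file.
if (-not (Test-Path -Path $credPath)) {
    Get-Credential -Message 'Account for the remote sessions' |
        Export-Clixml -Path $credPath
}
$cred    = Import-Clixml -Path $credPath
$servers = Get-Content -Path $serverList | Where-Object { $_.Trim() }

$params = @{
    ComputerName   = $servers          # Invoke-Command fans out over the list
    Credential     = $cred             # supplied once, no prompt per server
    # CredSSP delegates the credential so the script's domain lookup (the
    # second hop) can authenticate. Assumes CredSSP is already enabled.
    Authentication = 'Credssp'
    ThrottleLimit  = 16
    ArgumentList   = $userArg          # binds to $User in the script block
    ErrorAction    = 'SilentlyContinue'
    ErrorVariable  = 'failed'
    ScriptBlock    = {
        param([ValidateNotNullOrEmpty()][string]$User)
        $out = & 'C:\winrmconfig.ps1' -Action enable -ListenerType http -User $User
        [pscustomobject]@{ Output = ($out | Out-String).Trim() }
    }
}
$results = Invoke-Command @params

# PSComputerName is added to each result by remoting.
$results | Select-Object PSComputerName, Output | Format-List
# Hosts that could not be reached or whose session failed.
foreach ($e in $failed) {
    Write-Warning ("{0}: {1}" -f $e.TargetObject, $e.Exception.Message)
}
```

CredSSP hands the credential to every remote host in the list, so a dedicated account holding only the rights the script needs keeps the exposure small.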

    • #218373
      Participant
      Topics: 7
      Replies: 21
      Points: 111
      Rank: Participant

      Hello Doug,

      Thank you for all your suggestions 🙂 I was able to modify the script as per my need. Now it’s working for multiple remote servers. It wouldn’t have been possible without your help. Thank you soooo much 🙂

      Good day and Stay safe 🙂

    • #218490
      Participant
      Topics: 8
      Replies: 562
      Points: 2,149
      Helping Hand
      Rank: Community Hero

      I’m glad I was able to help. Thanks for the kind words, I hope you all stay safe as well.
