Access denied in PSSession/Invoke-Command


I have two servers: SERVER_A (scripting server, with custom PS-Modules) and SERVER_B (file server, no custom PS-Modules). Now, I’d like to run a Script on SERVER_B. Since some custom PS-Modules are only installed on SERVER_A, the Script should run as if it is started on SERVER_A - I use a PSSession for this. The Script should then list the files from both c$-Shares. This is what I have now:

$Session = New-PSSession "SERVER_A" -Credential (Get-Credential)
Invoke-Command -Session $Session -ScriptBlock {
    Run-CustomModule -Parameter
    Get-ChildItem "\\SERVER_A\c$"
    Get-ChildItem "\\SERVER_B\c$"

The CustomModule works fine. The first Get-ChildItem works fine, too. But I get an access denied error on the second one. What do I need to do to make this thing working?

Thank you! :slight_smile:

The credential that is used to connect to SERVER_A, can they be used on SERVER_B as well? When you’re connecting to SERVER_B from SERVER_A, the same security principal is used. Could there be a GPO causing this?

Oh, I forgot to mention that, thanks. I have access to both c$-shares from both of the servers with my credentials. When I remove the -credential paremeter to login with my current login credentials it also does not work.

There is no GPO that blocks anything like this.

By the way, connecting to SERVER_B with PSSession causes an access problem for the Get-Childitem “\SERVER_A\c$”. The second one, Get-Childitem “\SERVER_B\c$”, works fine in this case. And obviously the custom module won’t work that way. :slight_smile:

IF you are able to connect to server B Out side of the script There could be a File or Folder you do not have access to on the C$ share of Server B. Im not really sure what the best way solve that would be fore you but hopefully that give you an idea of what to look for

To make sure that it’s not a Problem with access rights, I created a new Share called \SERVER_B\Test. The group “Everyone” is the owner of that folder and has FullAccess on NTFS level and on the Share itself. Get-ChildItem “\SERVER_B\Test” still throws a permission denied error inside Invoke-Command.

Thank you. If I understood correctly all I had to do was to run Enable-WSManCredSSP -Role Server on SERVER_A and Enable-WSManCredSSP -Role Client -DelegateComputer x on SERVER_B. Both ran without any error messages. But I still get that permission denied error in my Invoke-Command… :frowning:

Correct but, you still have to tell powershell to use credssp.

you command should now be:

$cred = Get-Credential
$Session = New-PSSession "SERVER_A"  -Authentication Credssp -Credential $cred
Invoke-Command -Session $Session -ScriptBlock {
    Run-CustomModule -Parameter
    Get-ChildItem "\\SERVER_A\c$"
    Get-ChildItem "\\SERVER_B\c$"

I have a question about another scenario: This example script works when I’m executing it on my workstation in domain1, the server where the pssession is started and script is executing is in domain2, and so is the source for the installation files I want to copy from the source server smb share to the destination/execution server.

$cred = Get-Credential -message "Enter Admin credentials for Dev Domain"
$Session = New-PSSession "SE12345"  -Authentication Credssp -Credential $cred
$scriptblock = 
    copy-Item -path "\\SE54321\f$\msiname2install.msi" -destination "F:\Apps\Install\Files\"
    start-process msiexec.exe -argumentlist "/i f:\Apps\Install\Files\msi2install.msi /qn /le msiname2install.log"
Invoke-Command -Session $Session -ScriptBlock $scriptblock

My new scenario is that the server where I want to execute the script is in a different domain from the source server, and I need to pass one set of credentials to the server I want to configure and another to the smb source server, so I can perform the copy from the source server to the destination server while “ON” the destination server.

I do have a solution now, which is to connect to the source smb server and server I want to run the script on from my workstation, prior to running my invoke-command on the server I’m configuring:

$computers = (get-content "iis_securitylayering.txt")
$source_server_userid = read-host "Enter Admin Domain\Userid for Source Server "
$source_server_password = read-host -assecurestring "Enter Password for that UserID"
new-smbmapping -remotepath \\se12345\ipc$ -username $source_server_userid -password $source_server_password
$source_server_userid = ""
$source_server_password = ""

foreach  ($computer in $computers)
	$destination_credential = get-credential -message "Enter Administrative credentials for Server you're configuring"
	$destination_server_userid = read-host "Enter Admin Domain\UserID for Destination Server"
	$destination_server_password = read-host -assecurestring "Enter Password for that UserID"
	new-smbmapping -remotepath \\$computer\ipc$ -username $destination_server_userid -password $destination_server_password
	copy-item -path "\\se12345\f$\Apps\Install\Files\module.msi" -destination "\\$computer\F$\Apps\Install\Files\"
	$destination_server_userid = ""
	$destination_server_password = ""
	Invoke-Command -ComputerName $Computer -credential $destination_credential -ScriptBlock $scriptblock