Access denied when running a PS script to retrieve info from a remote computer

Hello,

I thought I’d create a new post regarding this now I have got this far. So this script is running on a Windows server which is on the domain and can retrieve the modified date of the file listed below. The issue I have is trying to get this info from a Windows device not on the domain and on a remote network. I ran it and I could see the firewalls blocking TCP 5985/5986 (WinRM); I got these opened and I get an access denied message now.

Error

[10.7.17.140] Connecting to remote server 10.7.17.140 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (10.7.17.140:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

Script



$user = 'user1'
$file = 'C:\temp\pwd.txt'
$credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
$ComputerNameList = Get-Content 'c:\temp\devices.txt'
$Output = 
foreach ($ComputerName in $ComputerNameList) {
    if (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet) {
        Invoke-Command -ComputerName $ComputerName -Credential $credentials -ScriptBlock {
            Get-ChildItem -Path '\\$ComputerName\c$\ProgramData\data.xml' -ErrorAction SilentlyContinue
        } |
            Select-Object -Property PSComputerName, LastWriteTime, Name
    }
}
$Output | 
    Export-Csv -Path 'c:\temp\dataxml123.csv' -NoTypeInformation

I can Telnet to 10.7.17.140 on 5985 (not 5986). I had to get someone to enable WinRM on the remote machine; do I need to do anything on the server?

I’ve ran this too:

winrm s winrm/config/client '@{TrustedHosts="10.7.17.140"}'

I can browse to the file location too:

I did get a username and password prompt and as it’s a local username I have to enter as .\user1 but I’m not sure how I do that in the script.

Any ideas/help on the above issue would be great.

Thanks

Update, if I just run this it works though…

Get-ChildItem -Path '\\10.7.17.140\c\ProgramData\\data.xml'


Now I’m confused

Instead of .\user1
computername\user1

This is an SMB share path \\10.7.17.140\c\ProgramData\\data.xml. The fact that it works without credentials means either A) you have entered credentials and they are cached or B) the share just has wide-open Everyone permissions. Regardless, this share has nothing to do with WinRM. When executing against non-domain-joined systems, you either need to configure HTTPS for WinRM or add to TrustedHosts like you did. As neemobeer said, use the computer name as part of the credential. I would avoid using the IP; set your hosts file if you can’t get DNS to properly resolve the name.
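To make the two points in that reply concrete (TrustedHosts on the client, and the local account spelled as COMPUTERNAME\user), here is an added example run on the domain-joined server. It is not code from the thread; it assumes a target named win10pc that resolves via the hosts file and a local account user1 whose DPAPI-protected password sits in C:\temp\pwd.txt as in the original script.

```powershell
# Added example, not from the thread. Client-side WinRM setup for one
# non-domain target, followed by an authentication check before any real work.
# Assumptions: 'win10pc' resolves through the hosts file; 'user1' is a local
# account on the target; C:\temp\pwd.txt holds a ConvertFrom-SecureString
# (DPAPI) string created by the same Windows user on this same server.

$Target = 'win10pc'   # assumption: use the hostname, not the IP, so the name in
                      # TrustedHosts, the hosts file and the credential all agree

# Append to TrustedHosts rather than overwrite it; -Concatenate keeps existing entries.
$existing = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
if (($existing -split ',') -notcontains $Target) {
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force
}

# A workgroup machine only knows its own accounts, so the user is COMPUTERNAME\user.
# Kerberos cannot be used here (no domain controller for the target), so the session
# will negotiate down to NTLM over HTTP on 5985.
$password = Get-Content -Path 'C:\temp\pwd.txt' | ConvertTo-SecureString
$cred     = New-Object -TypeName System.Management.Automation.PSCredential `
                       -ArgumentList "$Target\user1", $password

# Step 1: is the listener reachable and does it accept these credentials?
# Test-WSMan returns the WSMan identity block on success and throws on auth failure.
Test-WSMan -ComputerName $Target -Credential $cred -Authentication Negotiate -ErrorAction Stop

# Step 2: does the account actually get a session? The default session configuration
# only admits members of Administrators or Remote Management Users on the target,
# so an 'Access is denied' here with correct credentials points at group membership.
Invoke-Command -ComputerName $Target -Credential $cred -Authentication Negotiate `
               -ScriptBlock { whoami }
```

One caveat a practitioner should keep in mind: with a TrustedHosts entry and HTTP the client does not verify who it is talking to (the WinRM error text in this thread says as much: "computers in the TrustedHosts list might not be authenticated"), so the credential is sent to whatever answers on that name. HTTPS on 5986 with a certificate the client trusts is what closes that gap.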

I think it might be cached on the SMB method.

These devices are remotely managed; I’m not sure I can get them to use HTTPS for WinRM, as I’d imagine that uses certs etc., which I know they won’t do.

The thing is the computer name (computername\user1) will be different for each machine (c:\temp\devices.txt). Are you saying just using computername\user1 will then try the local user account on each machine in that list?

The issue I have is they are all named differently (computername) in the file, and we are using IP addresses in the list too. I guess I can add them to a hosts file, but I need a way to use each computer name.

server1\user1
server2\user2

etc

You may rather use a CSV file instead of a plain text file. There you can easily store the remote computer name, the corresponding user name and even more properties. :man_shrugging:t3:

That sounds very interesting. If I had the CSV then with:

computername1, user1
computername2, user2
computername3, user3

How could I incorporate that into my script to cycle through each as username computername1\user1, then move on to computername2\user1?

I’d try with just one first and see if it works. The remote machines I have to use IP for, so I’ll put these into the local hosts file too and give them a name.

Thanks

You are allowed (supposed) to do your own research first before you come here and ask for help. For the vast majority of the cases you are not the very first one. So it is pretty likely that you’ll find some sample code you can adapt to your particular needs.

You may start with the help for the cmdlet

Please read the help completely, including the examples, to learn how to use it.


Thanks, I’ll do some research and see what I can come up with. If I get stuck am I ok to post back with what I have tried with though showing my attempt?

Of course. :+1:t3: That’s what we’re here for. :man_shrugging:t3:


Are you still having an issue? I noticed in your script you are using c$, but in your other posts you are just using c, which means you are using a non-hidden share. Is that correct?

I’ve been off today, but when I tried to access it, the chaps who look after these non-domain devices said to just use c. That’s when I get the local username prompt I need to work out and incorporate into my script.

I think I’m getting confused with this. I’m trying again with just 1 remote non-domain computer from this domain-joined server I’m on. Maybe you can see something.

I’ve added the IP and computer name to the local hosts file and I can access the computer by name using Windows Explorer - \\COMPUTER1\c\ProgramData\BroadSign\bsp\share\bsp\sync. I got a logon prompt, so I just used .\user1 and the password and can get in. I think COMPUTER1\user1 would also work.

I’ve added the IP and computer name to the trusted list. Obviously COMPUTER1 is not the real name.

Ran this, devices.txt has the real computer name.

$user = 'computer1\user1'
$file = 'C:\temp\pwd.txt'
$credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
$ComputerNameList = Get-Content 'c:\temp\devices.txt'
$Output = 
foreach ($ComputerName in $ComputerNameList) {
    if (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet) {
        Invoke-Command -ComputerName $ComputerName -Credential $credentials -ScriptBlock {
            Get-ChildItem -Path '\\$ComputerName\c\ProgramData\sync\data.xml'
        } |
            Select-Object -Property PSComputerName, LastWriteTime, Name
    }
}
$Output | 
    Export-Csv -Path 'c:\temp\dataxml123.csv' -NoTypeInformation

Error

[COMPUTER1] Connecting to remote server COMPUTER1 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (COMPUTER1:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

Error 2 - I got this before adding the computer name to the trusted list

[COMPUTER1] Connecting to remote server COMPUTER1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon
servers available to service the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (COMPUTER1:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AuthenticationFailed,PSSessionStateBroken

If I run this basic command it runs, as I think it’s caching the creds:

Get-ChildItem -Path '\\10.76.17.14\c\ProgramData\BroadSign\bsp\share\bsp\sync\data.xml'

It works, but with the computer name it does not, even though it’s in the hosts file and pings:

Get-ChildItem -Path '\\COMPUTER1\c\ProgramData\BroadSign\bsp\share\bsp\sync\data.xml'

Get-ChildItem : Cannot find path '\\COMPUTER1\c\ProgramData\BroadSign\bsp\share\bsp\sync\data.xml' because it does not exist.
At line:1 char:1
+ Get-ChildItem -Path '\\COMPUTER1\c\ProgramData\BroadSign\bsp\share\ …
    + CategoryInfo          : ObjectNotFound: (\\COMPUTER1\c...p\sync\data.xml:String) [Get-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

This right here is incorrect. You are invoking the command on the remote computer, so you need to query the local path rather than the network path.

Invoke-Command -ComputerName $ComputerName -Credential $credentials -ScriptBlock {
    # this scriptblock will be running on the remote computer already, so the path should be local
    Get-ChildItem -Path 'c:\ProgramData\sync\data.xml'
}

Just to mention two issues with that example if this was correct.

  • Variables defined locally (calling computer) are not automatically available on the remote computer. You’d want to use $using:variable or pass the value in through -ArgumentList
  • You’d hit a double-hop issue. When you make the first remote hop (Invoke-Command) any subsequent hop (querying UNC, AD lookup, etc) would fail without configuration (delegated credentials, CredSSP, passing alternate credentials, etc)

To be frank, it appears you are trying to learn to high jump before learning to run, let alone walk. You should get familiarized with the nuances of remoting itself before adding complexity of credentials/workgroup computers.

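Putting the three corrections from the last two replies together (local path on the remote side, $using: for caller variables, and the earlier suggestion of a CSV with one local user per computer), here is an added example of the whole loop. It is not the thread's script; the inventory is constructed inline for illustration (in practice it would be Import-Csv of a devices.csv with ComputerName and UserName columns), the hosts are assumed to resolve via the hosts file and already sit in TrustedHosts, and the password file is the same DPAPI-protected string the original script reads.

```powershell
# Added example, not the thread's script. One pass over a CSV inventory of
# non-domain targets, a local credential per host, and the file queried on
# the target's own disk so there is no second hop to a UNC path.
# Assumptions: names resolve (hosts file) and are in TrustedHosts; every
# target uses the same password, stored DPAPI-protected in C:\temp\pwd.txt;
# the file lives at C:\ProgramData\sync\data.xml on each target.

# Constructed sample inventory. Real use: $Inventory = Import-Csv 'C:\temp\devices.csv'
$Inventory = @'
ComputerName,UserName
win10pc,user1
win10pc2,user1
'@ | ConvertFrom-Csv

$Password   = Get-Content -Path 'C:\temp\pwd.txt' | ConvertTo-SecureString
$RemotePath = 'C:\ProgramData\sync\data.xml'   # assumption: local path on the target

$Output = foreach ($Row in $Inventory) {
    # A local account on a workgroup machine is addressed as COMPUTERNAME\user.
    $UserName = '{0}\{1}' -f $Row.ComputerName, $Row.UserName
    $Cred     = New-Object -TypeName System.Management.Automation.PSCredential `
                           -ArgumentList $UserName, $Password

    try {
        # -ErrorAction Stop turns both a connection failure and a remote
        # terminating error into something the catch block below sees.
        Invoke-Command -ComputerName $Row.ComputerName -Credential $Cred `
                       -Authentication Negotiate -ErrorAction Stop -ScriptBlock {
            # This block runs ON the target. Caller-side variables are not
            # visible here unless pulled across with $using:.
            Get-Item -LiteralPath $using:RemotePath -ErrorAction Stop
        } |
            # Invoke-Command stamps PSComputerName on every returned object.
            Select-Object -Property PSComputerName, Name, LastWriteTime,
                                    @{ Name = 'Status'; Expression = { 'OK' } }
    }
    catch {
        # Do not abort the whole run on one host; record why it failed so the
        # gap is visible in the CSV instead of silently missing.
        [pscustomobject]@{
            PSComputerName = $Row.ComputerName
            Name           = $null
            LastWriteTime  = $null
            Status         = $_.Exception.Message
        }
    }
}

$Output |
    Select-Object -Property PSComputerName, Name, LastWriteTime, Status |
    Export-Csv -Path 'C:\temp\dataxml123.csv' -NoTypeInformation
```

Two design notes. The Status column exists because the original script used -ErrorAction SilentlyContinue inside the remote block, which makes a missing file indistinguishable from a host that never connected; here an access-denied session and a missing data.xml each produce their own row with the error text. And the credential is rebuilt per host rather than once, because the user name part changes with the computer name even though the password does not.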

I’ll try this tomorrow and thanks for the info.

You are exactly right, I’m being pushed at work to get something done where I don’t have enough knowledge and time to read up. I’d love to just get this done and working; then it will give me the time and space to learn this properly, which I will.

The goal is to get this info from 10 remote machines that are on different environments into CSV, luckily they use the same local username and password, it’s just the computer name I need to loop round to somehow. I’ll see if this one user example works first.

Cheers

I’m going back to basics now, I tried just this:

Enter-PSSession -ComputerName COMPUTER1 -Credential (Get-Credential)

COMPUTER1 is not the real name, but I have this in the local hosts file on the domain-joined server. I get the GUI logon prompt popping up and enter the local username and password, and I get an access denied; I get the same if I try COMPUTER1\username & password.

On the server I have COMPUTER1 and its IP as a trusted device too for WinRM; I wonder if I need to do it at the other end too.

You want to use the actual computer’s hostname.

Yeah, I have that in the hosts file. So you are right; when I use that PS command above it is using the real name, I just used COMPUTER1 as a reference. I have to have the real computer name and IP in the hosts file as this computer isn’t in DNS.

e.g. hosts file

win10pc 192.168.1.1

Enter-PSSession -ComputerName win10pc -Credential (Get-Credential)