Lan Remote Connection Utility

Hello all, I am trying to make a LAN remote connection utility for my IT department with PowerShell.
With the help of OpenAI’s GPT-3.5, I managed to produce a script that works only on remote machines that already have the WinRM service enabled and configured.
I tried to add one of the commands below to allow remote management:

1- Invoke-Command -ComputerName $ipAddress -Credential $credentials -ScriptBlock {sc start winrm} -ErrorAction SilentlyContinue

2- Invoke-Command -ComputerName $ipAddress -Credential $credentials -ScriptBlock {Enable-PSRemoting -Force} -ErrorAction SilentlyContinue

But the script is crashing with an error that the WinRM service is not running on the remote machine.
How can I enable and configure WinRM remotely in PowerShell? What am I missing?

Any help will be appreciated, and thank you in advance.

That is pretty much a chicken/egg scenario. My vote, if you have GPO, is to use that. More info here:


Little bit of a chicken/egg situation there. Invoke-Command leverages WinRM to execute remote commands, so if WinRM isn’t already running, you can’t use Invoke-Command to turn WinRM on.
You might consider a non-PowerShell solution to this: Create a Group Policy that configures WinRM on all your target machines for you:
https://www.mustbegeek.com/how-to-enable-winrm-via-group-policy/


Thank you. I tried to use PsExec from PsTools instead of Invoke-Command but still got errors.

So … this means you DON’T have GPO available? Maybe you could show your code and errors so others can try to help?


Thank you. I don’t have a GPO related to WinRM and cannot make one meanwhile. When the script works properly it will be on GitHub for everybody. The error is:

Connecting to remote server 10.xxx.xxx.xxx failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (10.xxx.xxx.xxx:String) , PSRemotingTransportException
+ FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken

OK, this error “appears” to be related to your initial post. I was hoping for your code/errors for what you tried with “psexec” … but that may get flames for not being “powershell” related.


I definitely agree GPO is the way to go here. I wouldn’t accept “you can’t use the right tool for the job”. However, if you find yourself in a position of needing to remotely enable without GPO, then psexec would be my next choice. Of course, that has its own requirements for the admin shares to be enabled and accessible. Assuming they are, then the last gotcha I can point out is if the network “profile” is public, Enable-PSRemoting fails by default, which it should IMO. So as part of your “enable powershell remoting” psexec script, you should check for/change any public network categories to private before attempting to enable ps remoting. Psexec can take a script file itself, though that is information that is best found on other sites/forums than this one. Thus, you would want to run something like this via psexec (or rmm or other available tools) to enable WinRM:

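# Enable-PSRemoting fails by default while a network profile is Public,
# so switch any Public profiles to Private first.
Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' } | ForEach-Object {
    Write-Verbose "Setting network interface '$($_.Name)' on '$env:COMPUTERNAME' to private" -Verbose
    $_ | Set-NetConnectionProfile -NetworkCategory Private
}

# -Force suppresses the confirmation prompts, which a non-interactive run cannot answer.
Enable-PSRemoting -Force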

Thank you, I found a working solution yesterday here:
“Enable PSRemoting: Local and Remote Techniques”, using WMI

It’s ok to veer a little off topic, IMO, but sometimes people start recommending alternate software or just go down rabbit holes that really aren’t PS focused and then it spirals out of control. Sometimes we just have to rein it back in. In this case it’s probably fine as it is tangentially related to some degree.


Finished working on base LAN remote connection utility script. Thank you all for helping me, any improvement will be appreciated.

Congrats on finishing and getting it up on Github, that’s awesome.
I don’t want to pick apart the entire script but from briefly looking at it two things stand out to me that I’ll provide feedback on:

  1. It uses an IP address for remote connection, which inherently won’t work in my environment or really any Active Directory domain environment. That’s probably ok, as we’ve said, this should be handled through Group Policy in an example like mine. But, consider your audience and who might be using your script, and then test for their scenarios.
  2. There are 9 instances of Invoke-Command in this script when there only needs to be one. Make one script block that contains all the actions you want to perform on the remote host, and fire that off in one Invoke-Command instance. It will be more performant and throw fewer errors. As it stands now you’re just suppressing the errors with your ErrorAction preference instead of using Try/Catch blocks and handling the errors appropriately.

Also, you do a Test-Connection to the host after doing Invoke-CimMethod. You should do it before the first time you attempt to make a connection to the host.
This is my preference, and doesn’t have to be yours, but this is a PowerShell script, so try removing all native commands from it and using the PowerShell equivalent whenever possible. I.e. don’t use “echo”, or “reg add” or “netsh advfirewall” etc. Find the PowerShell native way to perform these actions and use them.

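The feedback in the reply above (test reachability first, one Invoke-Command with a single script block, Try/Catch instead of suppressed errors, native cmdlets), shown as an added example that is not part of the thread or of the poster's script. The function name Invoke-LrcuSetup, its parameters and the two Remote Desktop actions inside the script block are assumptions standing in for whatever the real script does.

```powershell
# Added example. Invoke-LrcuSetup, its parameters and the two Remote Desktop
# actions are assumptions, not the thread author's script.
function Invoke-LrcuSetup {
    [CmdletBinding()]
    param(
        # Prefer a DNS name: with an IP address WinRM cannot use Kerberos and
        # falls back to NTLM, which needs TrustedHosts or HTTPS on the client.
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # 1. Reachability first, before any connection attempt (ICMP must be allowed).
    if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {
        throw "Host '$ComputerName' does not answer ping."
    }

    # 2. Fail early with a clear message if the WinRM listener is not answering.
    try {
        Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null
    } catch {
        throw "WinRM is not reachable on '$ComputerName': $($_.Exception.Message)"
    }

    # 3. One script block holding every remote action, using native cmdlets.
    $actions = {
        $ErrorActionPreference = 'Stop'   # any failure aborts the block
        # Stand-in for "reg add": allow Remote Desktop connections.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
            -Name 'fDenyTSConnections' -Value 0
        # Stand-in for "netsh advfirewall" (English display name of the rule group).
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        # Return state to the caller instead of echoing text.
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            WinRM          = (Get-Service -Name WinRM).Status.ToString()
            PublicProfiles = @(Get-NetConnectionProfile |
                Where-Object NetworkCategory -eq 'Public').Count
        }
    }

    # 4. A single Invoke-Command; errors are handled, not silenced.
    try {
        Invoke-Command -ComputerName $ComputerName -Credential $Credential `
            -ScriptBlock $actions -ErrorAction Stop
    } catch [System.Management.Automation.Remoting.PSRemotingTransportException] {
        Write-Error "Could not connect to '$ComputerName': $($_.Exception.Message)"
    } catch {
        Write-Error "Remote action failed on '$ComputerName': $($_.Exception.Message)"
    }
}
```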

Aside from agreement with greyOut, I might be missing something. Your GitHub “Title” is confusing to me at least. It seems to reference “Remote Desktop” which to me is completely different than “Remote PowerShell”. You might get a bigger audience if your title/description reflects “enabling Remote PowerShell without using GPO” … or something like that.

Just my $.02


Thank you for your informative reply.
I understand that this should be managed through Group Policy, however, I don’t have a domain privileged account to do so. Moreover, the script is working in my AD domain environment.
What do you suggest using instead of an IP address, the computer name?
To be honest, at first I did not think of any audience except my IT department, I just wanted to make our job easier and more efficient. If the script can be used by and help others as well, that’s great.

I will try to reduce the number of Invoke-Command instances, your suggestion really sounds more efficient and a better practice than mine. Removing the native commands and replacing them with the PowerShell equivalent is also a good idea, I will make an effort to correct this.
Again, thank you very much.

Thank you for the reply.
I tried to make a remote desktop connection tool for me and my coworkers. The implementation is with the help of PowerShell.
Now I am focusing more on making LRCU work as seamlessly as possible and less on audience,
thank you again.
