Running PowerShell script from command line with domain user credentials issue

I want to run a simple script from cmd using an AD user/password. It fails and produces an AccessDenied,PSSessionStateBroken error.

command: PowerShell -ExecutionPolicy Bypass Invoke-Command -Credential (New-Object -TypeName System.Management.Automation.PSCredential -Argumentlist “domain\user”,($pw= ConvertTo-SecureString “password” -AsPlainText -Force)) -filepath ‘PATH_OF_SCRIPT\SCRIPT.ps1’ -computername “COMPUTER_FQDN”

If I make this user a member of the Domain Admins group, the issue is fixed, but I need to run this script with a simple AD user.

Is the Path_of_script\script.ps1 a local folder or a shared folder?

[quote quote=240653]Is the Path_of_script\script.ps1 a local folder or a shared folder?

[/quote]
Local folder

If I add this user to the ‘domain admin’ group then I can run this script, but if this user is simply a member of the domain users group then it gives an access denied error. So, to be more accurate, what privileges are needed for this user to be able to run the script?

Invoke-Command uses WinRM as its protocol, and only BUILTIN\Administrators group members can use WinRM by default.
You should add this user to the BUILTIN\Remote Management Users group.
Check with this command who can access the server through WinRM:
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission

Perhaps this will help

Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

See this link for more info

Thanks for your response. (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission returns

NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

I added my user to the BUILTIN\Remote Management Users and BUILTIN\Administrators groups but no luck. Still facing the same error.

[quote quote=240938]Perhaps this will help

Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

See this link for more info

http://woshub.com/powershell-remoting-via-winrm-for-non-admin-users/

[/quote]
Thanks for your response. It worked for me. But is there any way/command so that I can do the manual work (like adding the user and assigning the execute (invoke) rights to the user) automatically through a script or command?

Could you not assign a group the rights needed and then just add/remove users to that group?

[quote quote=241025]Could you not assign a group the rights needed and then just add/remove users to that group?

[/quote]
I have added this user to a group having all access rights (‘full control’ checked), but it didn’t work until I made this user a member of the ‘domain admins’ group.

If you need to make changes to multiple computers, you should use the group policy approach as described in the article I linked previously. If you want to use a group to control access, it needs to be a LOCAL group on each machine. That’s why it’s recommended to use the preconfigured “Remote Management Users” local group. You can even adjust the level of access that group has if you choose. You can replicate those custom permissions using the commands below, also outlined in the article.

# After making changes manually on a host, capture the custom SDDL
$SDDL = (Get-PSSessionConfiguration -Name "Microsoft.PowerShell").SecurityDescriptorSDDL

# You can export it if you like
$SDDL | Export-clixml d:\IT\custom-SDDL.xml

# You could change the permissions remotely from a privileged account
Invoke-Command -computername computer1,computer2,computer3 -scriptblock {
    Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $using:SDDL
}
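
The manual step asked about earlier in the thread (granting a principal Execute (Invoke) on the Microsoft.PowerShell endpoint) can also be scripted instead of using the permission dialog. The following is an added example, not code from any poster: `CONTOSO\PSRemoteOperators` and the helper name `Add-InvokeAce` are placeholders, and mapping the dialog's "Execute(Invoke)" entry to GENERIC_EXECUTE (`GX`) is an assumption to confirm on a test host. Run it elevated on the target machine.

```powershell
# Added example: grant one principal Execute (Invoke) on a PS session
# configuration without making it a local or domain administrator.
$Principal  = 'CONTOSO\PSRemoteOperators'   # placeholder group or user
$ConfigName = 'Microsoft.PowerShell'

function Add-InvokeAce {
    # Returns $Sddl with an Allow ACE for $Sid added to the DACL.
    param(
        [Parameter(Mandatory)] [string] $Sddl,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid
    )
    # GENERIC_EXECUTE ("GX" in SDDL); assumed to be the dialog's Execute(Invoke).
    $genericExecute = 0x20000000
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    # AddAccess merges with an existing ACE for the same SID, so reruns do not pile up entries.
    $sd.DiscretionaryAcl.AddAccess('Allow', $Sid, $genericExecute, 'None', 'None')
    $sd.GetSddlForm('All')
}

# Resolve the account name to a SID; this throws if the name cannot be resolved.
$sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
           [System.Security.Principal.SecurityIdentifier])

$current = (Get-PSSessionConfiguration -Name $ConfigName).SecurityDescriptorSddl
$updated = Add-InvokeAce -Sddl $current -Sid $sid

if ($updated -ne $current) {
    # Keep the previous descriptor so the change can be reverted.
    $current | Set-Content -Path "$env:TEMP\${ConfigName}-sddl.bak"
    # -Force suppresses the confirmation prompts; the WinRM service is restarted.
    Set-PSSessionConfiguration -Name $ConfigName -SecurityDescriptorSddl $updated -Force
}

# Confirm the result with the same check used earlier in the thread.
(Get-PSSessionConfiguration -Name $ConfigName).Permission
```

Granting only Execute (Invoke) to a dedicated group keeps the script account out of BUILTIN\Administrators and Domain Admins, and the saved `.bak` file holds the SDDL to pass back to `Set-PSSessionConfiguration` if the change needs to be undone.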