
Remote Execution in PowerShell
mikem
I'm new here
Joined: 29 Oct 2008 Online Status: Offline Posts: 12
Topic: Remote Execution in PowerShell
Posted: 29 Oct 2008 at 09:30
Hello All:
I need to write a script that will run a remote process that will execute a program on a server. For example, I need to be able to create a process on a remote machine that runs a program on a mapped drive or UNC share. Using the Create method from the Win32_Process class, I am able to execute any programs on the local disk of the remote machine (i.e., notepad, calc) but cannot execute anything on a network resource (I keep getting a return value of 2: Access Denied - I'm a domain admin so I have access to every share). I checked MSDN and it doesn't really indicate that you can or cannot run something from a network resource.
This is not so much a PowerShell question as it is a WMI question, because I can't do this in VBScript either (nor can I do it using psexec).
Any insights would be greatly appreciated - thanks!
jvierra
MVP
Joined: 31 Aug 2006 Location: United States Online Status: Offline Posts: 6517
Posted: 29 Oct 2008 at 09:54
Yes mikem, this is a limitation of Windows. What you are trying to do is to ask the remote machine to be a delegate for you and the process. This is blocked by default. Any process you can access or create on a remote machine will not be able to "touch" any other machine in the network. Only an "interactive" session can do this by default.
You would need to tell Active Directory to "Trust" the machine for "Delegation" to make this work. This is usually not a good idea as it can present a considerable security risk if not managed closely.
If you really think there is no other way to do this task then "Trust" the machine for delegation and it will allow you to have a remote process access remote resources. Domain Admins already have delegation authority but non-admin accounts would not be able to do this.
jvierra
MVP
Joined: 31 Aug 2006 Location: United States Online Status: Offline Posts: 6517
Posted: 29 Oct 2008 at 09:57
Note about PowerShell V2.
PowerShell V2, when released, should make all of this remoting much easier and more secure. You might want to download the beta and start testing it in its current state, although it is still pretty rough with the remoting, mostly due to lack of documentation.
mikem
I'm new here
Joined: 29 Oct 2008 Online Status: Offline Posts: 12
Posted: 29 Oct 2008 at 10:17
Thanks for the quick reply, jvierra.
I wouldn't want to trust the machine for the security reasons you mentioned. I installed PS V2 and tried the same script without any luck; I get the same Access Denied errors. I'll see if I can copy the files locally and execute them from there. Our issue is that we're using a very old config management program (WinInstall) to deploy software. On a number of machines, the WinInstall Service is broken and needs to be reinstalled, so the only way we can do something like this is to either manually install the agent on the machines, or execute some remote process, which would be preferable.
I read some posts elsewhere that suggest calling a remote resource works intermittently (whatever that means). But one post suggested porting the script over to C#, and somehow associating credentials to the process token - perhaps a project for the future.
Thanks again for your feedback.
jvierra
MVP
Joined: 31 Aug 2006 Location: United States Online Status: Offline Posts: 6517
Posted: 29 Oct 2008 at 11:23
PowerShell V2 remoting has to be installed on both ends. You need the remoting .NET classes, which are new. I don't suggest using it in a production environment. I posted that in case you wanted to play with the newer features in a test system.
To do this kind of a remote install I usually copy all of the files to the target machine then execute the remote "Win32_Process.Create". This will only work if the installer can run in "quiet" or "unattended" mode. This has been a very reliable method of doing remote installs.
You can also use Group Policy to do this.
By the way - I have heard most of those stories and they are out of place. Your issue is purely delegation. You either have it or you don't. There is NO work around.
Edited by jvierra - 29 Oct 2008 at 11:27
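
The copy-then-execute approach described in the post above, as an added example (not code from any poster in this thread). It assumes Windows PowerShell 4.0 or later on the admin workstation; the machine name, share path, staging folder and silent switch are placeholders.

```powershell
# Added example: stage the installer on the target, then start it from the
# target's local disk. All default values are placeholders (assumptions).
param(
    [string]$Computer   = 'TARGET01',                    # hypothetical target machine
    [string]$Source     = '\\FILESRV\deploy\agent.exe',  # hypothetical installer on a share
    [string]$SilentArgs = '/quiet'                       # hypothetical; use the installer's own unattended switch
)

$stageLocal = 'C:\Windows\Temp\stage'                    # staging path as seen by the target
$stageUnc   = "\\$Computer\C`$\Windows\Temp\stage"       # same folder via the admin share
$fileName   = Split-Path $Source -Leaf

# Both copies are single hops made from the admin's own logon session
# (workstation -> file server, workstation -> target), so no delegation is needed.
New-Item -ItemType Directory -Path $stageUnc -Force | Out-Null
Copy-Item -Path $Source -Destination $stageUnc -Force

# Confirm the staged copy matches the source before running it.
$srcHash = (Get-FileHash -Path $Source -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -Path (Join-Path $stageUnc $fileName) -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw "Staged copy on $Computer does not match the source" }

# The remote process only reads its own local disk, so it never has to
# authenticate to a second machine (the step that returned 2 in the question).
$cmd    = '"{0}" {1}' -f (Join-Path $stageLocal $fileName), $SilentArgs
$result = Invoke-WmiMethod -ComputerName $Computer -Class Win32_Process `
                           -Name Create -ArgumentList $cmd

switch ($result.ReturnValue) {
    0       { "Started PID $($result.ProcessId) on $Computer" }
    2       { throw "Access denied on $Computer" }
    9       { throw "Path not found on ${Computer}: $cmd" }
    default { throw "Win32_Process.Create returned $($result.ReturnValue)" }
}
```

Win32_Process.Create returns as soon as the process starts, so a return value of 0 means the installer was launched, not that it finished; remove the staged file only after the process has exited.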