2

Problem

I'd like to enable remote PowerShell scripting for all workstation hosts on a VLAN. There's no Active Directory or Directory services whatsoever. So HOST A on subnet 192.168.1.x would like to query HOST B 192.168.2.x.

I've already run:

Enable-PSRemoting -force

A prompt for credentials would be the desired result for any workstation on the VLAN. The admin stations are on subnet 192.168.1.x and fall in the IP range 192.168.1.10-20.

Question

Is it possible to allow PowerShell remote auth for hosts in that range, or any IP coming from a particular subnet?:

192.168.1.0/24

To clarify: I am setting up workstations to deploy and I'd like them to be set up to allow me remote PowerShell powers out in the field. My admin stations are at one subnet and the workstations to be deployed are at numerous others.

RTFM

I'm looking at this link from Microsoft:

http://technet.microsoft.com/en-us/magazine/ff700227.aspx

This suggests that I need to run the following for each admin computer:

winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'

Can someone confirm or refute this?

MDMarra
Bubnoff
  • What version of OS's are we talking about? – tony roth Feb 23 '12 at 03:23
  • Win 7 pro on the workstations in question. – Bubnoff Feb 23 '12 at 06:44
  • What has the IP addressing to do with PowerShell remoting at all?!? Either you can run commands on remote hosts or you can't, the IP addresses are completely non relevant (as long as there isn't a firewall between you and the servers). – Massimo Feb 23 '12 at 19:27
  • The docs indicate that if not in a Workgroup setting you need to set up 'trustedhosts' – Bubnoff Feb 23 '12 at 19:29

3 Answers

4

If you are not using Kerberos/AD authentication, which you are not, then you will have to add each machine to your TrustedHosts configuration -OR- you will have to set up SSL between each node. The best way to achieve the former would be with a script of course. A script that uses a list of machine names from a file, probably.

Secondly, you can run a PSRemoting session with "Negotiate" authentication, which will prompt you for creds, like so:

enter image description here

The only reason I did not get prompted for creds in the above screenshot is because I had already stored the credentials in the $creds variable. Otherwise it will prompt you.

I don't mean to be self-promoting, but I covered all of these topics in great detail on my blog here (parts 1 and 2), and I'm sure it will help you out some:

http://www.myotherpcisacloud.com/post/2012/01/26/Monitoring-with-Windows-Remote-Management-(WinRM)-and-Powershell-Part-I.aspx

The reason why you have to add a host to the TrustedHosts list on the computer trying to make the connection, is because of the inherent lack of mutual authentication in a non-Kerberos or SSL environment.

(Edited for clarity.)

Ryan Ries
  • Thank you! So -- I need to set up trustedhosts on all workstations as well as on the admin stations? Can I use an IP range, or *? Headed over to your blog. – Bubnoff Feb 23 '12 at 19:36
  • Yes, you can use IPs, and you can use wildcard characters (*) in both IP addresses and hostnames, such as in "*.domain.com". If for some reason the asterisk is not working as the wildcard in your IP address range, try using 0 instead. It may also be necessary to address the connection using the same label that you put in your TrustedHosts list. For example, if SERVER1 has IP address 192.168.0.5, but you only put the IP address in your TrustedHosts list, you will probably only be able to use the IP address to make the PS connection. But I'm not positive - I haven't tested every possibility. – Ryan Ries Feb 23 '12 at 19:46
  • Check this Technet article under the "HOW TO ADD A COMPUTER TO THE TRUSTED HOSTS LIST" about halfway down the page for examples of how to use wildcards: http://technet.microsoft.com/en-us/library/dd347642.aspx – Ryan Ries Feb 23 '12 at 19:48
  • OK. That makes sense. From looking at some of the docs it suggests that I can use 192.168.1.0 to allow any connection from that range. – Bubnoff Feb 23 '12 at 20:07
  • The article you link to seems to suggest something like: 192.168.1.* – Bubnoff Feb 23 '12 at 20:13
  • Yes, use the asterisks. They got parsed out in my previous comment. – Ryan Ries Feb 23 '12 at 20:27
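
The script approach described in the answer above, as an added example that is not part of the original post: it merges a host list into the client-side TrustedHosts value without overwriting existing entries, then connects with Negotiate authentication. The function name Merge-TrustedHosts, the sample entries and the target address are assumptions made up for illustration.

```powershell
# Added example (not from the thread). Run elevated on the admin station,
# i.e. the machine that initiates the connection.

# Constructed sample input; in practice: $newHosts = Get-Content .\hosts.txt
$newHosts = @('192.168.2.*', '192.168.3.25', 'FIELD-WS-01')

function Merge-TrustedHosts {   # hypothetical helper name
    param(
        [string]$Current,       # existing comma-separated TrustedHosts value
        [string[]]$Additions    # entries to add
    )
    # Split the existing value, drop blanks, append the new entries and
    # de-duplicate case-insensitively while keeping the original order.
    $seen   = @{}
    $merged = @()
    foreach ($entry in (@($Current -split ',') + $Additions)) {
        $e = "$entry".Trim()
        if ($e -and -not $seen.ContainsKey($e.ToLower())) {
            $seen[$e.ToLower()] = $true
            $merged += $e
        }
    }
    return ($merged -join ',')
}

$path    = 'WSMan:\localhost\Client\TrustedHosts'
$current = (Get-Item $path).Value
$updated = Merge-TrustedHosts -Current $current -Additions $newHosts

if (($updated -split ',') -contains '*') {
    # A bare * disables the server-identity check for every destination.
    Write-Warning "TrustedHosts would contain a bare '*'; leaving it unchanged."
} elseif ($updated -ne $current) {
    Set-Item $path -Value $updated -Force
}
(Get-Item $path).Value    # show the effective list

# Negotiate with an explicit credential; Get-Credential prompts for it.
# Address the host by a label that TrustedHosts covers (here the
# constructed address 192.168.2.25 matches the 192.168.2.* entry).
$creds = Get-Credential
Invoke-Command -ComputerName 192.168.2.25 -Credential $creds `
    -Authentication Negotiate -ScriptBlock { $env:COMPUTERNAME }
```

TrustedHosts is read on the connecting machine only: it tells the WinRM client which destinations it may authenticate to without Kerberos or SSL, and does not limit which addresses can connect to a workstation.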
1

It's hard to understand exactly what it is you're requesting, but if I understand it correctly, this might help. Basically looping through 192.168.2.0/24, pinging it, if it responds, running the command you posted.

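# Candidate last octets for 192.168.2.0/24
$fourthoctet = 0..255

Foreach ($fo in $fourthoctet)
    {
    # Ping the address; keep it only if the host replied
    $ip = (New-Object System.Net.NetworkInformation.Ping).Send("192.168.2.$fo") | Where-Object {$_.Status -eq "Success"} | Select-Object Address
    If ($ip -ne $null)
        {
        # Note: Enable-PSRemoting configures only the local computer and has no
        # parameter for a remote address, so this call fails as written.
        Enable-PSRemoting -force $($ip.address)
        }
    }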
Eric C. Singer
1

The * actually works as a wildcard with IP addresses, e.g.:

winrm set winrm/config/client @{TrustedHosts="10.1.0.*"}