I have written the code below to create a file on a remote system using domain credentials. When I execute this code, I get a permission denied error.

Code:

```powershell
$username = "domain\username"
$password = "Welcome1234$"
# Build a SecureString from the plain-text password, one character at a time
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
# Run on VM1, which then tries to write to a share on VM2
Invoke-Command -Credential $cred -Computer VM1 {
    New-Item \\VM2\sapmnt\SID\SYS\profile\test.txt -ItemType file
}
```

Error:

```
Access to the path '\\VM2\sapmnt\SID\SYS\profile\test.txt' is denied.
    + CategoryInfo          : PermissionDenied: (\\VM2\s...rofile\test.txt:String) [New-Item], UnauthorizedAccessException
    + FullyQualifiedErrorId : NewItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.NewItemCommand
```
Jason Ye
hans
  • Can you use that account to access `\\VM2\sapmnt\SID\SYS\profile`? Does that account have permission (Read/Write)? – Jason Ye Oct 06 '17 at 02:02

1 Answer

Can you use that account to access that path \\VM2\sapmnt\SID\SYS\profile? Do you have permission to read or write?

I tested this in my lab, and it works for me.

Grant permission (Read/Write) to that account.

Here is the script:

```powershell
$username = 'jason'
$pass = ConvertTo-SecureString -string 'password' -AsPlainText -Force
$cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $username, $pass
$s = New-PSSession -ConnectionUri 'http://13.73.23.129:5985' -Credential $cred -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)
Invoke-Command -Session $s -ScriptBlock {new-item \\jasonvm\profile\jasontest3.txt}
```

Update:

Changing the IP address to HOSTNAME resolves this issue:

```powershell
$username = 'jason'
$pass = ConvertTo-SecureString -string 'password' -AsPlainText -Force
$cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $username, $pass
# Connect by host name instead of IP address (full URI, as given in the comments below)
$s = New-PSSession -ConnectionUri 'http://VM2hostname:5985' -Credential $cred -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)
Invoke-Command -Session $s -ScriptBlock {new-item \\jasonvm\profile\jasontest3.txt}
```
Jason Ye
  • When I executed it as an Azure custom code extension, I got the below error: server failed \\nwith the following error message : The WinRM client cannot process the \\nrequest. Default authentication may be used with an IP address under the \\nfollowing conditions: the transport is HTTPS or the destination is in the \\nTrustedHosts list, and explicit credentials are provided. Use winrm.cmd to \\nconfigure TrustedHosts. Note that computers in the TrustedHosts list might not \\nbe authenticated. – hans Oct 06 '17 at 08:07
  • This issue is resolved by changing the IP address to the host name. – hans Oct 06 '17 at 08:21
  • This issue is resolved by changing the ip-address to HOSTNAME. $s = New-PSSession -ConnectionUri 'http://VM2hostname:5985' -Credential $cred -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) – hans Oct 06 '17 at 08:22
  • Jason, thanks a ton for your valuable reply. I need help with another thing: I am trying to install an SAP application from an Azure custom code extension, so I thought to use the same code. Below is the code for your reference. `Invoke-Command -Session $s -ScriptBlock {C:\media\SWPM\sapinst.exe SAPINST_INPUT_PARAMETERS_URL=C:\media\inifile\inifile.params SAPINST_EXECUTE_PRODUCT_ID=NW_DI:S4HANA1610.CORE.HDB.PD SAPINST_SKIP_DIALOGS=true SAPINST_SLP_MODE=false | Out-Null}` But I got an error saying that SAPINST_SKIP_DIALOGS is not a recognized cmdlet. – hans Oct 06 '17 at 09:44
  • Is it possible to write the SAPINST.EXE code in another script and call that script in the above code with the domain user? – hans Oct 06 '17 at 09:44
  • Maybe we can use `custom script extension for windows VM`, Please refer to this [link](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/extensions-customscript), in this way, we can use custom script to run some command, hope this helps. – Jason Ye Oct 06 '17 at 09:56
  • Thank you Jason, but it did not work for me. When I try to run the Azure script as a custom code extension, it starts the script as the SYSTEM user, but I want it to run as the domain user. I have been facing this issue for a long time and am unable to resolve it. It would be a great help if you could help me resolve it. Below is the code I have written for it. – hans Oct 09 '17 at 09:56
  • $fileScriptLocal = "D:\test.ps1" $myuserpass = "Welcome1234$" $mydomainuser = "DOMAIN\domainuser" $MyuserpassSecure = ConvertTo-SecureString $Myuserpass -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential -argumentlist $Mydomainuser, $MyuserpassSecure $arguments = "-noprofile -file $fileScriptLocal -sudo -su -Credential $credential -computername hostname" try { Start-Process powershell.exe -Verb RunAs -ArgumentList $arguments write-output(" - New process started.") } catch { write-output(" - New process failed to start.") – hans Oct 09 '17 at 09:57
  • @hans Have you checked the answer to your other [question](https://stackoverflow.com/questions/46613998/azure-powershell-start-process-this-command-cannot-be-executed-due-to-the-erro)? Maybe we should add this domain user account in that policy, please try it. – Jason Ye Oct 09 '17 at 10:00
  • @hans In Azure, when we use the `custom script extension` to run a script, Azure will use the `SYSTEM` account; this behavior is by design. We can't switch to another account to run this script :( – Jason Ye Oct 09 '17 at 10:14
  • In the two links below, they have mentioned how we can use the domain user to run the custom code extension. Can you please check these links and let me know if my understanding is incorrect? https://stackoverflow.com/questions/46433123/azure-custom-script-extension-execute-script-as-another-user https://stackoverflow.com/questions/46409952/double-hopping-credentials-from-vsts-through-azure-powershell-script-to-powershe – hans Oct 09 '17 at 11:04
  • @hans It is not about using another account to run the script; it is talking about adding permission to the system account. You want to run the script remotely, so I think you can use WinRM; in this way we can use a domain user to run this script. – Jason Ye Oct 09 '17 at 11:14
  • I am actually an SAP consultant, hence I don't have much knowledge about it. Can you please guide me on how it can help me achieve my goal? Basically, what I am trying to do is: install an SAP application on VM2, and during the installation the installer has to read parameters from the existing running SAP application on VM1. When the custom code extension runs as the system user, it gives an error that the installer cannot read parameters from VM1 because of an access denied error, hence I thought to use the domain user to fulfill my requirement. Now can you suggest what I can do to run the script successfully? – hans Oct 09 '17 at 11:17
  • I am not able to paste my code since it has character limit. Can you please suggest how I can share the code with you – hans Oct 10 '17 at 06:19
  • I sent the code to you. In both cases the installation start with SYSTEM user instead of domain user. – hans Oct 10 '17 at 06:36
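The question's scenario (a session on VM1 writing to a share on VM2) with an explicit credential for the second connection, as an added example that is not code from either poster. It assumes an interactive run, that the domain account already has write permission on the share, and that the denial comes from the session on VM1 having no credential it can reuse toward VM2; the drive name `SapMnt` is made up for the example.

```powershell
# Added example; VM1, VM2 and the share path are the names used in the question.
# Prompt for the domain credential instead of embedding the password in the script.
$cred = Get-Credential -Message 'Domain account with write access to \\VM2\sapmnt'

# Connect by host name: WinRM's default authentication rejects an IP address
# unless the transport is HTTPS or the target is in TrustedHosts.
$session = New-PSSession -ComputerName 'VM1' -Credential $cred

try {
    Invoke-Command -Session $session -ScriptBlock {
        # Assumption: the session on VM1 cannot forward the caller's logon to VM2,
        # so the connection to the share is given an explicit credential.
        $drive = New-PSDrive -Name 'SapMnt' -PSProvider FileSystem `
            -Root '\\VM2\sapmnt' -Credential $using:cred -ErrorAction Stop
        try {
            # Same target file as in the question, addressed through the mapped drive
            New-Item -Path 'SapMnt:\SID\SYS\profile\test.txt' -ItemType File -ErrorAction Stop
        }
        finally {
            # Drop the mapping so the credential is not left attached to the session
            Remove-PSDrive -Name $drive.Name
        }
    }
}
finally {
    Remove-PSSession -Session $session
}
```

The credential object is sent to VM1 and is usable there for the lifetime of the script block, so use an account limited to the share permissions it needs and only target hosts you trust with it.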