When running the below code, I can put anything in the block at the bottom - I'm trying to copy a folder across to run an exe from a local folder and perform an install of that exe during the remote session to remote machines. I am getting Access Denied errors. I read that I can't use the Kerberos delegation cmdlets, which are only for a forest level of 2012 and above. The current site has Domain Functional Level 2008 R2. Is there another way to achieve copying the files across during each remote session to the computers specified in the text file?

Thanks in advance

########################################

$Cred = Get-Credential DOMAIN\USER

# Skip blank lines in the computer list
$Computers = Get-Content C:\tab.txt | Where-Object { $_ }

ForEach ($Computer in $Computers)
{
    # if (Test-Connection -ComputerName $Computer -BufferSize 16 -Count 1 -Quiet)
    # {

    # Creates a new remote PowerShell Session and script block - enter
    # the code you want to execute remotely from this block
    $Session = New-PSSession $Computer -Credential $Cred

    Invoke-Command -Session $Session -ScriptBlock {
        Copy-Item -Path "\\print-server\pcclient\win\*" -Destination "c:\pcclient" -Force -Recurse -Verbose
        # Start-Sleep -s 10
        # Start-Process "\\Print-Server\PCClient\win\client-local-install.exe" -ArgumentList "/SILENT"
    }

    # Close the session for this computer before moving to the next one
    Remove-PSSession -Session $Session

    # }
}

Royston

1 Answer

This is because you're on a remote machine, trying to access another network resource. When you connect to the remote machine in PowerShell, you're effectively connected/authenticated to that machine only (unless you specify otherwise). It doesn't have access to your credentials to access the network share, so the connection to the network share is treated as unauthenticated, hence the failure.

This article https://blogs.technet.microsoft.com/heyscriptingguy/2012/11/14/enable-powershell-second-hop-functionality-with-credssp/ covers it well. Essentially, you will need to run this locally (to allow your machine to pass credentials):

Enable-WSManCredSSP -Role Client -DelegateComputer * -Force

On the server run (to allow the server to accept these credentials):

Enable-WSManCredSSP -Role Server -Force

And update your New-PSSession command to:

$Session = New-PSSession $computer -Credential $cred -Authentication CredSSP

If you want, you can share your credentials with only specific machines, or subsets of a domain using *.yourdomain.lan or whatever. If you connect to multiple machines, then it's easier to use -DelegateComputer *.

Daniel Morritt
  • Thanks for this information. I’ll run through it in the next few days. I did believe CredSSP contained some security flaws, but will get back to you with some feedback if you don’t mind. Thanks again for the excellent response. – Royston Jan 06 '18 at 20:09
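
The answer's option of delegating to specific machines instead of `*`, written out as an added example (not code from the answer or the linked article): delegation is limited to the hosts in the list, and both CredSSP roles are switched off again when the run finishes. It assumes an elevated console, that the names in C:\tab.txt are exactly the names used to connect, and that CredSSP is not otherwise in use on these machines.

```powershell
# Added example: scoped CredSSP delegation with cleanup.
# Assumption: C:\tab.txt holds the exact host names used for the connection.
$Cred      = Get-Credential DOMAIN\USER
$Computers = @(Get-Content C:\tab.txt | Where-Object { $_ })

# Client side: delegate only to the named targets instead of '*'
Enable-WSManCredSSP -Role Client -DelegateComputer $Computers -Force | Out-Null

try {
    foreach ($Computer in $Computers) {
        $Session = $null
        try {
            # Switch on the server role over a normal (non-CredSSP) connection
            Invoke-Command -ComputerName $Computer -Credential $Cred -ErrorAction Stop -ScriptBlock {
                Enable-WSManCredSSP -Role Server -Force | Out-Null
            }

            $Session = New-PSSession $Computer -Credential $Cred -Authentication CredSSP -ErrorAction Stop
            Invoke-Command -Session $Session -ErrorAction Stop -ScriptBlock {
                # The second hop to the share now authenticates with the delegated credential
                Copy-Item -Path "\\print-server\pcclient\win\*" -Destination "c:\pcclient" -Force -Recurse
            }
        }
        catch {
            Write-Warning "$Computer failed: $($_.Exception.Message)"
        }
        finally {
            if ($Session) { Remove-PSSession -Session $Session }
            # Stop the host from accepting delegated credentials once the copy is done
            Invoke-Command -ComputerName $Computer -Credential $Cred -ErrorAction SilentlyContinue -ScriptBlock {
                Disable-WSManCredSSP -Role Server
            }
        }
    }
}
finally {
    # Remove the client-side delegation setting and show the resulting state
    Disable-WSManCredSSP -Role Client
    Get-WSManCredSSP
}
```

With CredSSP the remote host receives the full credential for the duration of the session, so keeping the delegation list short and the roles enabled only while the job runs limits where that credential is exposed.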