在非管理员用户下从远程运行PS cmdlet - 访问被拒绝
[英]Running PS cmdlets from remote under non-admin users - Access Denied
问题描述
I'm trying to run Get-ScheduledTask remotely through Invoke-Command. 
我正在尝试通过Invoke-Command远程运行Get-ScheduledTask。 The user is a non-admin but is a part of the "Remote Management Users". 用户是非管理员,但是“远程管理用户”的一部分。 PS-Remoting works fine. PS-Remoting工作正常。 Running the command locally works fine. 在本地运行命令工作正常。 But running it through Invoke-Command gets me the following error: 但是通过Invoke-Command运行它会出现以下错误:
Cannot connect to CIM server. Access denied
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
+ PSComputerName : us-web1
Here's the code sample: 这是代码示例:
Note: this is running directly under the non-admin user in question. 注意:这是直接在相关的非管理员用户下运行。
$servers = "us-web1","us-web2","us-engine1","us-engine2","us-engine3","us-engine4"
foreach ( $server in $servers ) {
Invoke-Command -ComputerName "$server" -ScriptBlock {
get-scheduledtask
}
}
2 个解决方案
解决方案1
3 2016-04-08 17:01:47
I was having a very similar issue with trying to use the get-printer command remotely without admin credentials. 尝试在没有管理员凭据的情况下远程使用get-printer命令时遇到了类似的问题。
What I found really helped was this link: https://social.technet.microsoft.com/Forums/exchange/en-US/b748d1bb-fa97-4c30-a626-145dfbc40873/service-acccount-permission-to-remote-powershell-to-dns-server-on-windows-server-2012?forum=winserverpowershell 我发现真正帮助的是这个链接: https : //social.technet.microsoft.com/Forums/exchange/en-US/b748d1bb-fa97-4c30-a626-145dfbc40873/service-acccount-permission-to-remote-powershell -to-DNS服务器上,Windows的服务器-2012?论坛= winserverpowershell
The process that I used for my issue was: 我用于我的问题的过程是:
Open Computer Management Console.
打开计算机管理控制台 Right click WMI Control (under Services and Applications) and click property. 右键单击WMI Control(在“服务和应用程序”下),然后单击“属性”。 In the newly open Window, click on Security tab.
在新打开的窗口中,单击“安全”选项卡。 Expand Root tree, and then click on the node CIMV2, and click the button security
展开根树,然后单击节点CIMV2,并单击按钮安全性 In the newly open Window, click the button Advanced.
在新打开的窗口中,单击“高级”按钮。 In the newly open Window, click the button Add under the permission tab.
在新打开的窗口中,单击权限选项卡下的添加按钮。 In the newly open Window, click on “select a principal”, then search and add the account or group you want to have access as the principal, then click ok.
在新打开的窗口中,单击“选择主体”,然后搜索并添加要作为主体访问的帐户或组,然后单击“确定”。 In the applies to, choose “this namespace and subnamespace”.
在apply中,选择“this namespace and subnamespace”。 For the permission, check on “Execute Methods”, “Enable Accounts” and “Remote Enable”
要获得权限,请选中“执行方法”,“启用帐户”和“远程启用” Click accept on all the open dialogue boxes
在所有打开的对话框上单击“接受” restart WMI services
重启WMI服务 attempt remotely running your command again.
尝试再次远程运行您的命令。 It will fail again, but this time you will see the real issue. 它会再次失败,但这次你会看到真正的问题。 Look in the error for "permission denied" then follow the same steps as above and grant access to the path shown. 查看错误“拒绝权限”,然后按照上述步骤操作,并授予对显示路径的访问权限。
Hope this helps 希望这可以帮助
解决方案2
0 2016-03-31 15:04:10
This could be an issue with credentials not passing through. 这可能是凭证无法通过的问题。 Try adding a get-credential and adding that to your invoke-command. 尝试添加get-credential并将其添加到invoke-command。 You can use the same creds, just try passing it directly. 您可以使用相同的信用卡,只需尝试直接传递即可。
Like this: 像这样:
$Cred = Get-Credential Invoke-Command -Credential $Cred -ScriptBlock {Get-ScheduledTask}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.