Couldn't use Get-WinEvent from remote computer in VLAN

Question

The remote computer are Win-10 VM in a VLAN.
We only have a few ports open in VLAN, including 3389 for Remote Desktop, 5985 & 5986 for powershell.

Remote Desktop works well.

But I couldn't to use powershell to remote debug on those computers,

If I run

Get-WinEvent -LogName System -Credential domain\test_user -ComputerName 10.100.155.1

I get this error

Get-WinEvent : The RPC server is unavailable

If I use invoke-command to execute the same script,

Invoke-Command -ComputerName 10.100.155.1 -Credential domain\test_user -ScriptBlock {Get-WinEvent -LogName System -Credential domain\test_user -ComputerName 10.100.155.1}

I will get another error:

[10.100.155.1] Connecting to remote server 10.100.155.1 failed with the following error message : Access is denied.

I have tried many solutions on internet, unfortunately, none is working. For example, I have checked if the services are running, if the firewall allows remote event management on remote computer, they looks alright.

Any idea where could be wrong?

Have you tried passing a credential object into -Credential? $x = Get-Credential — Jacob Colvin, May 31 '18 at 20:37
Possible duplicate of [Powershell remoting with ip-address as target](https://stackoverflow.com/questions/6587426/powershell-remoting-with-ip-address-as-target) — BenH, Jun 01 '18 at 13:00

Maximilian Burszley · Answer 1 · 2018-06-01T01:37:27.873

2

Your problem is two-fold.

You cannot use WinRM (Invoke-Command) with an IP address. It uses Kerberos and Kerberos requires a DNS name.
You're passing your credentials and computername twice.

This should work without a problem:

$InvokeArgs = @{
    ComputerName = 'Computername.domain.com'
    Credential   = (Get-Credential -Credential domain\test_user)
    ScriptBlock  = { Get-WinEvent -LogName System }
}
Invoke-Command @InvokeArgs

edited Jun 01 '18 at 01:37

answered May 31 '18 at 20:46

Maximilian Burszley

18,243
4
34
63

Thanks. But we don't use DNS for those machines, so they don't has DNS name. Outside VLAN, I can only access them by IP address. Any solution to this scenario? – Jim Jun 01 '18 at 06:16
I also tried to use Authentication = Negotiate, but I still get **Access Denied** Error – Jim Jun 01 '18 at 07:50
@Jim: psexec from sysinternals – Maximilian Burszley Jun 01 '18 at 10:51

score 0 · Answer 2 · answered Aug 11 '21 at 20:37

Access Denied is an Authentication Issue, double check your username and password.

I was working on a similar problem, trying to fetch count of system logons. Here's what worked for me:

$fetchEvents = { Get-WinEvent -FilterHashtable @{
Logname='system'
ProviderName='Microsoft-Windows-Winlogon'
StartTime=(get-date).AddDays(-10)
ID = 7001
} | Format-Table -Property TimeCreated, UserID, ID, MachineName }

Invoke-Command -ComputerName $ServerList -Credential $creds -ScriptBlock $fetchEvents

Couldn't use Get-WinEvent from remote computer in VLAN

2 Answers2