0

I need to execute some code on remote machine, I use powershell's Invoke-Command to do that.

Invoke-Command -ComputerName TESTPC -ScriptBlock { Get-WMIObject Win32_ComputerSystem | Select-Object -ExpandProperty name };

It works on my local but fails in TeamCity server. It says: Connecting to remote server TESTPC failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.. I tried to solve it this way https://stackoverflow.com/a/27872686/3561198 but the condition is always true and it looks like the script is run with admin rights. How to fix the issue? Otherwise suggest another way to execute some code on remote Windows machine.

Serg046
  • 1,043
  • 1
  • 13
  • 42
  • The account you are running Powershell with does not have rights on that server. That is the error. Invoke-Command uses WinRM which is not the same as establishing a session with the server, but that is not your problem. I would triple-check that your account has rights on the remote machine and go from there. Are you elevating Powershell? Does the elevated account have Domain admin, etc? Also...you may have just provided sample code...but you are getting the name of a server and that’s it. What is the use case? – m0lochwalker Jul 08 '19 at 23:54
  • @m0lochwalker Which rights? Remote’s trusted hosts is configured with “*”. I checked it from the machine outside of TC and it works. I guess the problem is related to the user which is used by TC to run ps script. Most probably but it passes the role check described in linked SO question. How can I grant the rights in other way? – Serg046 Jul 09 '19 at 00:02
  • So we are talking about the account you open Powershell with and subsequently run your command. What privilege in your domain does it have? Does it belong to domain admin, or another group that gives you permissions across the board to execute WMI queries on remote machines? Is that account part of the Administrators group on the server in question? Your choices are to belong to a group which has permission to do this, or for said account (which you use to run your script) to be an admin on the remote server. – m0lochwalker Jul 09 '19 at 00:24
  • 1
    Look into Test-WSMan to your server. – m0lochwalker Jul 09 '19 at 00:44
  • Make sure you have a policy in place to open inbound WMI traffic. Check out how to make a GPO to achieve this. – m0lochwalker Jul 10 '19 at 13:13

1 Answers1

0

Start an interactive session with the destination machine first and then use Invoke-Command to run the script block.

Enter-PSSession Server01
Invoke-Command -ComputerName Server01, Server02 -ScriptBlock { your code here }
Exit-PSSession
Gino Mempin
  • 25,369
  • 29
  • 96
  • 135
Ram
  • 110
  • 2
  • 12
  • Doesn't it do the same? Invoke-Command starts it under the hood – Serg046 Jul 08 '19 at 17:29
  • It doesn’t do the same thing, but you definitely do not need to establish a session for Invoke-Command to work. You have an authentication/permission issue. That’s what the error says. – m0lochwalker Jul 08 '19 at 23:59
  • The same command works fine when I run it manually on agent’s machine through powershell window – Serg046 Jul 09 '19 at 00:04
  • Invoke-Command is used to leverage WinRM to run Powershell commands on a remote host. You can also run native cmd commands, sometimes requiring a little more trickery. You would never need to run Invoke-Command locally. – m0lochwalker Jul 09 '19 at 00:29