Yami learns Powershell
-
My AD account can't log into most of these servers. There's one it can, though, so if you have something in mind I can test it with that server.
-
For each server, the credentials I have written down in my big list of credentials are sufficient to run the batch file via double-clicking on it.
Stupid question time: you're using the right creds on the right server, right?
-
Well I'd just see if it can log in with psexec. Maybe there's some weirdness with how local accounts are handled
Stupid question time: you're using the right creds on the right server, right?
Also that
-
yes :D I double-checked that first before posting here
-
Thought so ;)
Still, never hurts to make sure all the bases are covered
-
If anybody else is using it then ask them? For all you know you are simply bumping into some security restriction where your user isn't allowed to remotely execute those scripts.
I tried doing this and ran into the same error message. I logged into the remote server directly as admin (as my non-admin account, I didn't have perms to run winrm), and, from Powershell (I didn't try doing it in a regular command prompt, but that might work) just ran winrm quickconfig, and it said a couple of changes had to be made, and I said OK. After that, the enter-pssession worked for me with -credential domain\user
(I haven't yet read the last 10 or so posts in the thread, so maybe you got it working already).
-
-
I don't have admin on the server, is the problem.
You only need it once, to run winrm quickconfig. Can you get someone to do that for you?
FWIW, after doing that, I can enter-pssession with an admin account, but not my own, which is weird, since I have remote logon perms on that server. So there may be another step beyond that.
-
I've sent an email asking
-
Windows Server 2003
That's a good plan, let's continue to use that for the next decade. It's worked for the past one.
-
:)
Nah, they're actively in the process of standing up 2008 servers for things that are staying on Windows and Red Hat servers for those that can transition to Linux. The Linux half is holding up the process somewhat, we're teething a bit, but soon the 2003 servers will be gone.
-
2008
Guessing not even R2. Because Vista is no more a sin to these people than anything else Microsoft has created.
-
Of course not. To do 2008 R2, you'd need one of those fancy [x64|x86_64|amd64] processors, and we all know that's just too much money to spend
-
that's just too much money to spend
They aren't concerned with that if they're paying for RedHat and having a lot of trouble getting it working on their inferior Windows hardware.
-
-
But to upgrade the architecture of the VM, you need to upgrade the VM's chip on the motherboard. Because each VM has its own chip on the motherboard that powers them, right? Surely you can't have a computer running on something that's not bare metal hardware...
-
Of course not. To do 2008 R2, you'd need one of those fancy [x64|x86_64|amd64] processors, and we all know that's just too much money to spend
My company just brought online the "new" development environment. It's a Xeon 5130, a 2GHz processor from 2006.
I think it's an improvement on the old one, but I haven't used it enough yet to be sure. I want to smack the lead dev, who won't give out remote desktop permissions, though, and makes everyone Citrix in, because it takes an extra 2 minutes or so.
-
who won't give out remote desktop permissions, though, and makes everyone Citrix in, because it takes an extra 2 minutes or so.
-
@FrostCat said:
who won't give out remote desktop permissions, though, and makes everyone Citrix in, because it takes an extra 2 minutes or so.
QFT
-
And TI(apparently)L Citrix is somehow more secure than RDP...
-
Yes, seriously. I've asked 3-4 times over the last few years, and the asshole doesn't even reply.
-
That's when you accidentally a few security settings.
If you feel secure in your position and can, of course...
-
SO.
Turns out. The execution policy is set to Restricted, which means it will block unsigned scripts. We can either change that to unrestricted (which the server team won't like) or sign our scripts.
-
...Or use one of the 30 ways around that, since that isn't a real security feature.
-
-
Stupid newbie question: if we have an SSL cert, is that in any way related to the kind of cert we'd need to sign our scripts?
-
For reference, here is my powershell script for signing other scripts:
    #sign-script.ps1
    #Version 1.0
    #License: WTFPL (http://www.wtfpl.net/about/)
    #
    param (
        [string] $path = $(throw "A script to sign is required."),
        [System.Security.Cryptography.X509Certificates.X509Certificate] $certificate
    )
    process {
        if(!(Test-Path $path)) {
            throw "Script could not be found"
        }
        # No certificate passed in: use the first code-signing cert in the current user's store
        if($certificate -eq $null) {
            $certificate = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
        }
        if(!$certificate) {
            throw "No signing certificate found"
        }
        Set-AuthenticodeSignature -FilePath $path -Certificate $certificate
    }
Edit: To create a self-signed cert for codesigning: http://www.hanselman.com/blog/SigningPowerShellScripts.aspx
-
A quick Google suggests that, yes, you can use an SSL cert to sign PowerShell scripts
-
Edit: To create a self-signed script for codesigning:
Wait, do you need to sign the self-signed script for self-signing scripts?
Filed Under: Yo Dawg
-
@rad131304 said:
Edit: To create a self-signed script for codesigning:
Wait, do you need to sign the self-signed script for self-signing scripts?
Filed Under: Yo Dawg
D'oh - I meant cert.
-
So I have an RDP file, connecting to SERVERNAME using Username and Password. Once in that remote desktop session, my sole task has been reduced to clicking on a batch file, typing in a single parameter, and watching to make sure it runs successfully.
I'm converting this to powershell.
For scripting remote tasks on a Windows 2003 box, psexec is your friend. Connects over SMB just like file and print sharing. Runs anything on the far side that can be run on the far side. If that happens to be console oriented, you get to feed it input and collect its stdout and stderr. Hell, it will probably even let you launch Powershell.
-
The execution policy is set to Restricted, which means it will block unsigned scripts. We can either change that to unrestricted (which the server team won't like) or sign our scripts.
That will be the default execution policy, which is totally not a real security feature.
-
there's no reason not to sign them
Yeah, there is. It's a stupid pointless pain in the arse set of hoops to jump through that buys you nothing you can't get more easily with a command line option.
-
Set-AuthenticodeSignature : Cannot bind argument to parameter 'Certificate' because it is null.
At line:1 char:70
+ Set-AuthenticodeSignature H:\Powershell\switchServer.ps1 -Certificate <<<< @(Get-ChildItem cert:\CurrentUser\My -codesign)[0]
    + CategoryInfo          : InvalidData: (:) [Set-AuthenticodeSignature], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand
I made a self-signed cert, it showed up in mmc.exe exactly as the tutorial suggested it would, I exported it, I've imported it on the remote server... but I can't find it to sign with apparently? Is the path different on Windows 7?
-
I'm an idiot, I made the trusted authority cert but not the actual cert. Works now.
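A check for the situation described above (a trusted-authority cert in place but nothing to sign with), as an added example that is not part of the original thread. Get-SigningCandidate and Test-ScriptSignature are hypothetical helper names; the script path is the one from the error message above.

```powershell
# Added example, not from the thread. Helper names are hypothetical.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage OID for code signing

# List every cert in the personal store with the two properties signing depends on:
# a private key and the code-signing EKU.
function Get-SigningCandidate {
    param([string] $StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem $StorePath) {
        $eku = @($cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        })
        $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            CodeSigning   = ($oids -contains $CodeSigningOid)
            Expired       = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Report how this machine judges the signature on a script.
function Test-ScriptSignature {
    param([Parameter(Mandatory = $true)][string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path    = $Path
        Status  = $sig.Status          # e.g. Valid, NotSigned, HashMismatch, UnknownError
        Message = $sig.StatusMessage
        Signer  = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject })
    }
}

# An empty result here is why the -Certificate argument came out null.
Get-SigningCandidate | Where-Object { $_.HasPrivateKey -and $_.CodeSigning -and -not $_.Expired }
Test-ScriptSignature -Path 'H:\Powershell\switchServer.ps1'
```

Run Test-ScriptSignature on the remote server as well: the status is evaluated against that machine's certificate stores, so a script that reports Valid on the signing workstation can still fail there.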
-
I'm an idiot, I made the trusted authority cert but not the actual cert. Works now.
Yeah, none of that crap is obvious. We use those at work for our dev web servers and when you install the regular cert, nothing tells you it won't also grab the CA cert for you.
-
So I have 90% of the script written. Silly me, when someone grabbed me this morning and said "I have a ticket here about powershell access, which server is that on?" I figured within 6 hours they'd have enabled signed scripts....
Silly me.
-
...so what is this about?
Connecting to remote server failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
This doesn't seem to be permissions...
-
...so what is this about?
Connecting to remote server failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
This doesn't seem to be permissions...
Looks like WS-Management service isn't running on the server you're trying to talk to.
-
Can I find out without admin access?
I don't see anything like WS_Management in the Services list. But I see a lot of similar things. So what would it be called?
-
Windows Remote Management (WS-Management)
It's set to manual start by default; plus it's probably not configured properly so it may not start for you. You said these were web servers, and, by default, the service listens to port 80 IIRC.
-
That one is Started.
We use RDP to manage these servers, so if it's in any way connected to allowing RDP, it's on for that.
-
That one is Started.
We use RDP to manage these servers, so if it's in any way connected to allowing RDP, it's on for that.
It uses different ports (my google-fu just told me they are 5985 and 5986[1]), so my guess would be that it's not connected to RDP. You're getting beyond my experience at this point, though.
-
The network guys verified that my laptop and the server are on the same side of the firewall, so it's not that.
-
The network guys verified that my laptop and the server are on the same side of the firewall, so it's not that.
Maybe Windows firewall is blocking the connection?
-
didn't we run into this the last time you played with powershell? IIRC the solution is for you to find an admin to run winrm quickconfig and then it'll "magically" start working.
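A way to narrow down the "client cannot connect" error from the client side without admin rights on the server, as an added example that is not part of the original thread. Test-WinRMEndpoint is a hypothetical helper name, SERVERNAME is the placeholder used earlier in the thread, and the ports are the ones mentioned in the posts above (5985, 5986 and 80).

```powershell
# Added example, not from the thread. Test-WinRMEndpoint is a hypothetical helper name.
function Test-WinRMEndpoint {
    param(
        [Parameter(Mandatory = $true)][string] $ComputerName,
        [int[]] $Ports = @(5985, 5986, 80),
        [int] $TimeoutMs = 3000
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Async connect so a filtered port times out instead of hanging.
            $pending = $client.BeginConnect($ComputerName, $port, $null, $null)
            if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($pending)   # throws if the connection was refused
                $open = $true
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }

        # Only ask for a WS-Management Identify response where TCP is open.
        $wsman = 'not tested'
        if ($open) {
            try {
                $id = Test-WSMan -ComputerName $ComputerName -Port $port `
                                 -UseSSL:($port -eq 5986) -ErrorAction Stop
                $wsman = $id.ProductVersion
            } catch {
                $wsman = "no WS-Man answer: $($_.Exception.Message)"
            }
        }
        New-Object PSObject -Property @{ Port = $port; TcpOpen = $open; WSMan = $wsman }
    }
}

Test-WinRMEndpoint -ComputerName 'SERVERNAME' | Format-Table Port, TcpOpen, WSMan -AutoSize
```

TcpOpen false on every port points at a firewall or a missing listener, which is what winrm quickconfig sets up; TcpOpen true with no WS-Man answer means something other than WinRM is answering on that port.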
-
As it turns out, they make us Citrix "due to licensing reason". From this I conclude Citrix CALs are probably $5 than Windows Remote Desktop CALs.
-
As it turns out, we did:
http://what.thedailywtf.com/t/yami-learns-powershell/48533/57
(Thanks to server cooties I can't see if you got that situation resolved)
-
A quick Google suggests that, yes, you can use an SSL cert to sign PowerShell scripts
What about code-signing apps, so you don't get "a program from an unknown publisher wants to do unspeakable things to your hard drive?"
-
Not looked into that, so no idea if you can or not