7

I'm trying to run Get-ScheduledTask remotely through Invoke-Command. The user is a non-admin but is a part of the "Remote Management Users". PS-Remoting works fine. Running the command locally works fine. But running it through Invoke-Command gets me the following error:

    Cannot connect to CIM server. Access denied
        + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
        + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
        + PSComputerName        : us-web1

Here's the code sample:

Note: this is running directly under the non-admin user in question.

$servers = "us-web1","us-web2","us-engine1","us-engine2","us-engine3","us-engine4"

foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        Get-ScheduledTask
    }
}
JustAGuy
  • Can you post the code snippet? I assume you are connecting with administrative creds and using the user creds "inside" this connection, to not run into no access because the connection is also made with the limited access rights – Martin Mar 31 '16 at 09:43
  • I'm actually running the shell itself as the user in question. I'll add the code right away. – JustAGuy Mar 31 '16 at 09:47
  • They might have permissions to run the command but not to connect remotely to run them. Does something like this help? http://msgoodies.blogspot.ca/2009/09/using-ps-session-without-having.html. I'm looking to see if there is a dupe of this here. – Matt Apr 04 '16 at 13:38
  • http://stackoverflow.com/questions/14127050/powershell-remoting-giving-access-is-denied-error is basically talking about the same thing. Just not your exact scenario. This would make for a good dup target if my theory is right. – Matt Apr 04 '16 at 13:44
  • Have you had a chance to look at my comments yet? – Matt Apr 07 '16 at 01:08
  • I just did. Sorry but it's irrelevant. I have no problems PS Remoting in. Running the actual commands while remoting on the other hand gives me an error. – JustAGuy Apr 12 '16 at 07:57

2 Answers

5

I was having a very similar issue with trying to use the get-printer command remotely without admin credentials.

What I found really helped was this link: https://social.technet.microsoft.com/Forums/exchange/en-US/b748d1bb-fa97-4c30-a626-145dfbc40873/service-acccount-permission-to-remote-powershell-to-dns-server-on-windows-server-2012?forum=winserverpowershell

The process that I used for my issue was:

  1. Open Computer Management Console. Right click WMI Control (under Services and Applications) and click property.

  2. In the newly opened window, click on the Security tab.

  3. Expand the Root tree, then click on the node CIMV2, and click the Security button.

  4. In the newly opened window, click the Advanced button.

  5. In the newly opened window, click the Add button under the permission tab.

  6. In the newly opened window, click on “select a principal”, then search for and add the account or group you want to have access as the principal, then click OK.

  7. In the "applies to" field, choose “this namespace and subnamespace”.

  8. For the permission, check “Execute Methods”, “Enable Accounts” and “Remote Enable”.

  9. Click accept on all the open dialogue boxes.

  10. Restart WMI services.

  11. Attempt remotely running your command again. It will fail again, but this time you will see the real issue. Look in the error for "permission denied", then follow the same steps as above and grant access to the path shown.

Hope this helps

Nick989898
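
To check what the steps above actually left on the namespace, the following added example (not part of the answer, and not the poster's code) reads the ACL of `root/cimv2` and lists which principals hold Remote Enable. It assumes an elevated PowerShell 5+ session on the target server; the function names `ConvertFrom-WmiAccessMask` and `Get-WmiNamespaceAcl` are hypothetical helpers defined here.

```powershell
# Added example, not code from the answer. Run elevated on the target server.
# WMI namespace access-mask bits, labelled as in the WMI Control security dialog.
$WmiRights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

function ConvertFrom-WmiAccessMask {      # hypothetical helper name
    param([uint32]$Mask)
    $WmiRights.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

function Get-WmiNamespaceAcl {            # hypothetical helper name
    param([string]$Namespace = 'root/cimv2')
    $result = Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity -MethodName GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed on $Namespace (code $($result.ReturnValue))"
    }
    foreach ($ace in $result.Descriptor.DACL) {
        [pscustomobject]@{
            Namespace     = $Namespace
            Trustee       = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type          = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
            Rights        = @(ConvertFrom-WmiAccessMask $ace.AccessMask)
            # 0x2 = CONTAINER_INHERIT_ACE: the entry also applies to subnamespaces (step 7)
            SubNamespaces = [bool]($ace.AceFlags -band 0x2)
            # 0x10 = INHERITED_ACE: the entry came from a parent namespace
            Inherited     = [bool]($ace.AceFlags -band 0x10)
        }
    }
}

# Constructed mask: the three rights ticked in step 8 (0x1 + 0x2 + 0x20).
ConvertFrom-WmiAccessMask 0x23

# Every principal allowed to reach this namespace over the network.
Get-WmiNamespaceAcl -Namespace 'root/cimv2' |
    Where-Object { $_.Type -eq 'Allow' -and $_.Rights -contains 'Remote Enable' } |
    Format-Table Trustee, Rights, SubNamespaces, Inherited -AutoSize
```

Pass `-Namespace` the path named in a later access-denied error (step 11) to review what was granted there as well.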
0

This could be an issue with credentials not passing through. Try adding a get-credential and adding that to your invoke-command. You can use the same creds, just try passing it directly.

Like this:

$Cred = Get-Credential
Invoke-Command -ComputerName $server -Credential $Cred -ScriptBlock { Get-ScheduledTask }

RowdyVinson