Running remote script to write in file share

Hi,

I'm building a script for checking, downloading and installing updates on Windows Servers, using the PSWindowsUpdate module.

My goal is to go to one server at a time, check for updates and write a log file in CSV format to a file share, so that afterwards I can parse that CSV file to do some checks and then apply the updates later on.

The issue is that when running the script (from a server), I get the message:
"Access to the path '\path\filename.csv' is denied."


But if I go directly to the server itself and run the command, it works, as the server has permissions over that folder. 
So it's something while I'm running the script remotely that is not right.
I've tried several ways, like:

- Enter-PSSession
- Invoke-Command -ComputerName $server { command }

- Invoke-Command -Session $s -ScriptBlock { command }

So what am I missing here?

 

Thanks

11 Replies
Yes, this is related to the second-hop jump and you need Kerberos auth.
Read this link from here
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=pow...
Another option if you are in the session by using the Invoke-PSSession, to try a New-PSDrive
https://lazyadmin.nl/powershell/new-psdrive/
Hi,
Thanks for the notes. Now I understand what the issue is.
But I'm still having some problems solving it.
Tried the New-PSDrive method, but I have an error. My code is this:
$cred = Get-Credential domain\user   # user is domain admin
$s = New-PSSession -ComputerName servername
Invoke-Command -Session $s -ScriptBlock { New-PSDrive -Name Z -PSProvider FileSystem -Root \\path -Persist }
Got this error:
Access is denied
+ CategoryInfo : InvalidOperation: (Z:PSDriveInfo) [New-PSDrive], Win32Exception
+ FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
+ PSComputerName : servername

Also, tried this method here, which seemed the easiest one:
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=pow...
But still permissions error.

Do you have any idea of how I could solve this issue? I'm wondering if it would help to create and run a local scheduled task, and that way we would avoid a second hop, right?

Thanks

 

@dmarquesgn 

Hi
I assume that the user has the correct permission to perform the required action.
Try the following code

$Cred=Get-Credential
Invoke-Command -ComputerName Server1 -ScriptBlock {New-PSDrive -Root '\\FileServer.FQDN.local\MyShare' -PSProvider FileSystem -Name X -Credential $Using:Cred -Persist;Set-Content -Path 'X:\myfile.txt' -Value 'www2w111'}

@farismalaeb 

Hi,
Thanks. I have the permissions, as I'm using a domain admin for the testing.
I tried your code and it works, but I have some issues. I replaced a part of the code to accomplish my objective. It's like this right now:

$Cred=Get-Credential
Invoke-Command -ComputerName servername -ScriptBlock {New-PSDrive -Root '\\share_ip\WindowsUpdateLogs' -PSProvider FileSystem -Name X -Credential $Using:Cred -Persist; (Get-WUList).GetEnumerator() | Export-Csv -Path "X:\$(hostname)-$(get-date -f dd-MM-yyyy)-WindowsUpdate.log" }

But this works once and then if I try to run it a next time on the same server or a different server I get this error message:

A specified logon session does not exist. It may already have been terminated
+ CategoryInfo : InvalidOperation: (X:PSDriveInfo) [New-PSDrive], Win32Exception
+ FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
+ PSComputerName : servername

 

If I leave it for 1h and come back for testing, it works again once. So there's something with the expiration of the session which I'm not understanding.

Also, I need to insert this into a cycle to fetch the updates on each server. But if this is running just once, I can't insert it on a cycle.

 

Thanks in advance.

 

@dmarquesgn 

I tried it on my end, and yes, I got the same issue.

But I noticed the following: my file server is a failover cluster, but if I set the write destination to a server node or a single server, the script you provided works fine.

I need to go deeper into this to see what is causing this; for now I think it's related to the double-hop issue.

Can you try to write to another node or destination and let me know?

 

@farismalaeb 

Hi,

My server is not a cluster, it's a regular VM. Also, I've tried with another share on another server and the issue persists, with same error message.

It's quite odd, as it seems that the session is terminated just after it has been established.

 

Thanks

@farismalaeb 

Thanks for the links.

Well, I've tried the parameter "-scope local", but the issue is just the same. In my case, sometimes it runs the first time, sometimes it doesn't even run the first time.

 

Also, I've got that option "Network access: Do not allow storage of passwords and credentials for network authentication" already Disabled, so it's not related to that as well. 

Also, if I try to remove the PSDrive with the command Remove-PSDrive <Z> it says the drive does not exist, even when it was created.

 

Do you think that if we create a scheduled task to run the commands we will have the same issue?

 

Thanks

No, this is related to a double-hop authentication issue.
If you enable the scheduled task, then the script will be executed from the server itself rather than being called remotely to write to a second-hop destination.

Hi,
Back from vacations, I'm working on this topic again.
In fact, by creating a scheduled task, we overcome the double-hop authentication issue.
But we face more or less a similar issue. A scheduled task does not like to run scripts from network shares, but locally they run just fine. So one of the things I need is to copy the ps1 file from the network share to the local server, and that's when I have exactly the same issue.
I found a workaround which is to create the ps1 file on the local server and add the content to the file, which is fine if the ps1 file is one or two lines, but will be complicated if it's a long ps1 file.

So I'm still trying to find a way to copy the ps1 file to the local server to run the scheduled task after.
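
Added example, not part of the thread and not any participant's code: one way to avoid the second hop entirely is to let the calling machine do every share access. The remote server only returns the update list over the session, the caller writes the CSV, and the ps1 file is pushed through the same session with Copy-Item -ToSession, so no credential is passed into the remote session. Server names, paths and the selected Get-WUList property names (KB, Title, Size) are assumptions.

```powershell
# Added example: values marked "hypothetical" are placeholders, not taken from the thread.
$servers   = 'server1', 'server2'               # hypothetical target servers
$logShare  = '\\fileserver\WindowsUpdateLogs'   # hypothetical share, reachable from THIS machine
$localPs1  = 'C:\Scripts\Install-Updates.ps1'   # hypothetical script on this machine (or on a share)
$remoteDir = 'C:\Scripts'                       # hypothetical folder on each target

foreach ($server in $servers) {
    $session = $null
    try {
        # First hop only: the session authenticates the current user to the target.
        $session = New-PSSession -ComputerName $server -ErrorAction Stop

        # 1) Run the check remotely and return the results to the caller.
        #    The target never touches the share, so nothing has to be delegated.
        $updates = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            Import-Module PSWindowsUpdate
            Get-WUList | Select-Object KB, Title, Size   # property names assumed
        }

        # 2) Write the CSV from the calling machine, which holds the real logon.
        if ($updates) {
            $name = '{0}-{1}-WindowsUpdate.csv' -f $server, (Get-Date -Format 'dd-MM-yyyy')
            $updates | Select-Object PSComputerName, KB, Title, Size |
                Export-Csv -Path (Join-Path $logShare $name) -NoTypeInformation
        }

        # 3) Push the script through the same session so a local scheduled task
        #    can run it; the file travels over WinRM, not over SMB from the target.
        Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            New-Item -Path $Using:remoteDir -ItemType Directory -Force | Out-Null
        }
        Copy-Item -Path $localPs1 -Destination $remoteDir -ToSession $session -Force -ErrorAction Stop
    }
    catch {
        # Report the failing server and continue with the next one.
        Write-Warning "$server : $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}
```

Copy-Item -ToSession requires Windows PowerShell 5.0 or later on the calling machine.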