我正在尝试通过winrm管理Windows服务器2012 R2 Standard服务器。在服务器上,我想从rsat包运行dnscmd。你可以在下面看到,如果我只是在powershell提示符下运行dnscmd,它是成功的。但是,当我通过winrm远程调用它时,该命令将失败,并显示ERROR_ACCESS_DENIED。
PS C:Windowssystem32> dnscmd adServer /RecordDelete mycompany.com newTestRecord A /f
Deleted A record(s) at mycompany.com
Command completed successfully.
PS C:Windowssystem32> Test-WsMan localhost
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
PS C:Windowssystem32> Invoke-Command -ComputerName localhost -ScriptBlock {
>> dnscmd adServer /RecordDelete mycompany.com newTestRecord A /f
>> }
Command failed: ERROR_ACCESS_DENIED 5 0x5
PS C:Windowssystem32> Invoke-Command -ComputerName localhost -ScriptBlock {
>> hostname
>> }
myServerHostname
问题是双跳/多跳。当您通过winRM登录时,它不希望允许您使用相同的凭据令牌访问不同的计算机。我通过winrm连接,然后打开一个嵌套的Powershell会话来解决这个问题。它本质上是刷新令牌,允许用户连接到active directory服务器。
有关更多信息,请参阅以下
-
https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/
-
https://blogs.msdn.microsoft.com/sergey_babkins_blog/2015/03/18/another-solution-to-multi-hop-powershell-remoting/
请确保为dnscmd安装远程服务器管理工具(RSAT(。
$password = '{pass}' | ConvertTo-SecureString -AsPlainText -Force
$username = '{user}'
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$password
Invoke-Command -ComputerName localhost -Credential $cred -ConfigurationName svc_dns_middleMan -ScriptBlock {
'{dnscmd_commands}'
}