
I run a PowerShell command to list all of the services on a remote machine:

# Number each service name as it is listed
$b = 0;
get-wmiobject win32_service -computer $computerName -credential $cred | select-object Name, @{n='Counter';e={$script:b+=1;$b}} | % { "{0}: {1}" -f $_.Counter, $_.Name }

This works the first time I run it. Sometimes it works the second time. Then it stops working part way through with an Access Denied error. I then discover that my account is locked on the remote machine. I get the account unlocked, run the script a few times, and I'm locked out again. WTF?

Why would accessing a remote machine using WMI lock my account on the machine?

How can I stop it happening?


Supporting Information

I'm querying the remote machine using a name and password of an account local to the machine. I'm not using a domain account.

The remote machine is running Windows Server 2008 R2.

By "stopping part way" I mean that it prints out around 20 of the services and then gets the error.


After More Investigation

This might be an anomaly (or outright bug) in Windows that is exposed by my particular configuration:

  • I had a domain account COMPANY_DOMAIN\ashepherd
  • The remote server has a local account SERVER_NAME\ashepherd

I am logged into my client machine using the domain account, but am attempting to access the server using its LOCAL account. The two accounts have the same account name, but happen to have different passwords.

As an experiment, I modified SERVER_NAME\ashepherd so both accounts have the same password. And now everything works without any lockouts.

To get the credentials, I was typing in

$cred = (get-credential)

Then I was just typing in ashepherd, instead of SERVER_NAME\ashepherd.

I don't think this is the way it should be. Is this known behavior?

Andrew Shepherd
  • OS on both sides? Tried it with others? Just this one system is troublesome? I've never come across this before... – Marco Shaw Mar 28 '11 at 01:40
  • @Marco Shaw: I'm only getting locked out of the machine I'm interrogating. The credentials are for an account local to the queried machine, not a domain account. – Andrew Shepherd Mar 28 '11 at 02:33
  • By "part way through" do you mean it is part of the way through listing the services when you get Access Denied? Or is there more to the above script that you aren't showing? – Neobyte Mar 29 '11 at 07:24
  • @Neobyte - your first guess is correct. It prints out about 20 of the services, then gets the error – Andrew Shepherd Mar 29 '11 at 10:41
  • What format are you passing the account information in? Are you qualifying the domain name like USER = "DOMAIN\USERNAME" or just passing User = "USERNAME"? – Chris Thorpe Apr 03 '11 at 23:49
  • @Chris - I was just passing USERNAME. – Andrew Shepherd Apr 04 '11 at 00:00
  • Just passing the username implies whatever you are logged in with... if you type "\USERNAME" it implies the remote machine credentials. Also, if you type ".\USERNAME" it implies your local machine. – JakeRobinson Apr 04 '11 at 02:28
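
One way to remove the unqualified-name ambiguity described in the question's addendum, as an added example that is not part of the original post: it rewrites a bare user name to SERVER_NAME\user before the WMI call and stops on the first error so a rejected logon is not repeated. The function names Resolve-LocalCredential and Get-RemoteServiceList are hypothetical, and the code assumes the account is local to the queried machine.

```powershell
# Added example; Resolve-LocalCredential and Get-RemoteServiceList are hypothetical names.
function Resolve-LocalCredential {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )
    # Tolerate a leading backslash in front of a bare user name.
    $user = $Credential.UserName.TrimStart('\')

    # Already qualified (AUTHORITY\user or user@domain): return it unchanged.
    if ($user -match '[\\@]') { return $Credential }

    # An IP address cannot serve as the account authority; make the caller qualify the name.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($ComputerName, [ref]$ip)) {
        throw "Qualify the user name as MACHINE\$user when connecting by IP address."
    }

    # Assumption: the account is local to the target, so its authority is the short host name.
    $authority = ($ComputerName -split '\.')[0].ToUpper()
    New-Object System.Management.Automation.PSCredential("$authority\$user", $Credential.Password)
}

function Get-RemoteServiceList {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )
    $qualified = Resolve-LocalCredential -ComputerName $ComputerName -Credential $Credential
    Write-Verbose "Connecting to $ComputerName as $($qualified.UserName)"

    $i = 0
    # -ErrorAction Stop ends the run at the first Access Denied instead of
    # continuing to present a credential the server has already rejected.
    Get-WmiObject Win32_Service -ComputerName $ComputerName -Credential $qualified -ErrorAction Stop |
        ForEach-Object { $i++; '{0}: {1}' -f $i, $_.Name }
}

# Usage (SERVER_NAME is the placeholder used in the question):
#   $cred = Get-Credential      # entering just "ashepherd" is qualified to SERVER_NAME\ashepherd
#   Get-RemoteServiceList -ComputerName 'SERVER_NAME' -Credential $cred -Verbose
```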

2 Answers


Check the security event log to see what security audit failures are being listed for that account. You didn't mention the lockout policy... does the lockout reset? If so, could something else be causing it to lock out? The security event log will give you a clue as to if that's the case.

K. Brian Kelley
  • Thanks for the suggestion. I did check the logs, which prompted more experimentation which allowed me to find a workaround (though I wouldn't call it a fix). I've put the details as an addendum to the question. – Andrew Shepherd Apr 03 '11 at 22:58

Andrew, when you say it "prints out around 20 of the services", can you check if it always stops at exactly the same one? That may give a clue?

Cheers

Kieran Walsh