I have 2 workgroup computers. I want to set up PowerShell remoting between these two computers. The OS on both computers is Windows 1809.

PowerShell remoting is enabled on one of the computers. The other computer can't be accessed directly to enable PowerShell remoting, so I am running a script on the host machine (i.e. the computer that already has PowerShell remoting enabled) to enable remoting on the remote machine remotely. I use Invoke-WmiMethod to do the remote operations. The following is the script I am using:

```powershell
param(
    [Parameter(Mandatory = $true)]
    [string]$RemoteMachineIPaddress,
    [Parameter(Mandatory = $true)]
    [string]$SystemIPaddress
)

try {
    $DisplayName = "Allow ICMPv4-In"   # not used further in this script

    # Administrator credentials for the remote machine
    $secpasswd = ConvertTo-SecureString "Password" -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential ("Admin02", $secpasswd)

    # Parameters shared by every remote Win32_Process.Create call.
    # ErrorAction = Stop makes a failure terminating, so the catch block runs.
    $wmi = @{
        ComputerName        = $RemoteMachineIPaddress
        Namespace           = 'root\cimv2'
        Class               = 'Win32_Process'
        Name                = 'Create'
        Credential          = $Cred
        Impersonation       = 3
        EnableAllPrivileges = $true
        ErrorAction         = 'Stop'
    }

    # Each call starts an elevated PowerShell process on the remote machine.
    Invoke-WmiMethod @wmi -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force'"
    Invoke-WmiMethod @wmi -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Install-PackageProvider -Name Nuget -MinimumVersion 2.8.5.201 -Force'"
    Invoke-WmiMethod @wmi -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Start-Service WinRM'"
    # $SystemIPaddress is expanded locally before the command line is sent.
    Invoke-WmiMethod @wmi -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Set-Item WSMan:\localhost\Client\TrustedHosts -Value $SystemIPaddress -Force'"
    Invoke-WmiMethod @wmi -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Enable-PSRemoting -Force -SkipNetworkProfileCheck'"
    Invoke-WmiMethod @wmi -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Restart-Service winrm'"

    return $true
}
catch {
    return $false
}
```

When I run this script from the host machine, I get the Access Denied error:

Invoke-WmiMethod : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

I am running the above script in Admin mode, and I have also provided the remote machine's Admin credentials to the script.

Harshith R
  • It may be that the `LocalAccountTokenFilterPolicy` registry value needs to be set to `1` (see https://support.microsoft.com/en-us/help/951016/ for details). – Bill_Stewart Oct 18 '19 at 17:49
  • @Bill_Stewart, I disabled the LocalAccountTokenFilterPolicy and now it's working. Thanks!! – Harshith R Oct 25 '19 at 11:59
  • Sounds good; I posted as an answer with more detail to assist anyone else with the same issue. – Bill_Stewart Oct 25 '19 at 13:57

1 Answer

This is likely because remote administrator connections to local accounts are managed by UAC (user account control). By default, remote connections will have the administrative token removed, as noted in this KB article:

Description of User Account Control and remote restrictions in Windows Vista (951016)

If this is the case, you can set the following registry value to 1 (type REG_DWORD) to allow the OS to build an elevated token rather than a restricted token:

Hive: HKEY_LOCAL_MACHINE
Subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value name: LocalAccountTokenFilterPolicy
Value data: 1 (REG_DWORD)

(Please note the security implications of changing this setting, though.)

Bill_Stewart
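
Added example, not part of the answer above or of Microsoft's KB article: a PowerShell sketch that records the current `LocalAccountTokenFilterPolicy` state on a machine, applies the value, and restores the previous state once the one-time setup is done, so the relaxed setting is not left in place. The function names `Get-TokenFilterPolicy` and `Set-TokenFilterPolicy` are hypothetical; it assumes an elevated session on the machine being configured.

```powershell
# Added example; function names are hypothetical. Run elevated on the target machine.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicy {
    # A missing value means the default: remote logons by local accounts
    # receive a filtered (non-elevated) token.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $data = if ($null -ne $item) { [int]$item.$PolicyName } else { $null }
    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        Present                    = ($null -ne $item)
        Data                       = $data
        RemoteUacFilteringDisabled = ($data -eq 1)
    }
}

function Set-TokenFilterPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1)]
        [int]$Value
    )
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", "Set REG_DWORD to $Value")) {
        New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value $Value `
            -PropertyType DWord -Force | Out-Null
    }
    Get-TokenFilterPolicy   # report the state after the (attempted) change
}

# Record the state before changing anything, so it can be restored afterwards.
$before = Get-TokenFilterPolicy
Set-TokenFilterPolicy -Value 1 -WhatIf      # preview only; drop -WhatIf to apply

# ... perform the one-time remote setup here ...

# Restore: remove the value if it was absent before, otherwise write it back.
if (-not $before.Present) {
    Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue -WhatIf
} else {
    Set-TokenFilterPolicy -Value $before.Data -WhatIf
}
```

Running `Get-TokenFilterPolicy` on its own also works as an audit check: `RemoteUacFilteringDisabled` being `True` on a machine where nobody is doing setup work means the value was left at 1.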