I am having some issues with delegation. Hoping someone may have run into something similar.
If I execute this command locally on a machine, it works fine.
Test-Path "\\srvr\share" -PathType Container
The path can be a variable because I am trying to configure things from a remote workstation and I am reading values from a configuration file, so I set things up like this (assume the first two variables come from the config file):
$hostpath = "\\srvr\share"
$hostname = "host1"
$hostcreds = Get-Credential
$hostsession = New-PSSession -ComputerName $hostname -Credential $hostcreds -Name $hostname
Invoke-Command -Session $hostsession {param($tmp1) Test-Path $tmp1 -PathType Container} -ArgumentList $hostpath
I receive an "Access is denied" error on the Invoke-Command. Full error is:
Access is denied
+ CategoryInfo : NotSpecified: (:) [Test-Path], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.TestPathCommand
+ PSComputerName : Host1
I can go into Active Directory and change the delegation on the $hostname computer to "Trust this computer for delegation to any service (Kerberos only)", and it works. But I would rather constrain the delegation to an individual service or two, if at all possible. So, I tried selecting "Trust this computer for delegation to specified services only - Use Kerberos only" and selected all the possible options. I received the "Access is denied" error. So there is obviously some difference between trusting any service and selecting all listed services. BTW, right now I am running everything from "host1", so I am creating a PSSession from/to the same host, but the share is on a different host. So I ensured that when I selected services to delegate, I selected them from both the host1 and srvr computers. No matter what combination, I get Access denied.
So I figured I would take a different tack. I changed the Invoke-Command to execute against a -Computer instead of a -Session.
Invoke-Command -ComputerName $hostname {param($tmp1) Test-Path $tmp1 -PathType Container} -Credential $hostCreds -ArgumentList $hostpath
I found out that if $hostpath references a local directory (C:\temp), this command works fine. But if it references a file share, I get the "Access is denied" error. Both local directories and shares are valid values, so I can't use this option.
So, I'm wondering if there is another way I can try configuring the Invoke-Command to get this to work against a file share.
Secondly, if all else fails, I did find this in my searching for an answer. I found a link in this forum that pointed to the Group Policy forum. It included a script segment.
Set objComputer = GetObject("LDAP://CN=CLIENTNAME,OU=OUNAME,DC=DOMAINNAME,DC=com")
objComputer.Put "userAccountControl", "528384"
objComputer.SetInfo
This script supposedly forces the computer into the trust for any service mode. But I don't know how to translate it into PowerShell. If I had that in PowerShell, I suppose I could save the initial setting, reset it for my script, and then reset it upon completion so I would not leave the computer in a fully delegated mode.
Thanks for the ins
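As an added example (not from the original post or any answer to it), here is a PowerShell equivalent of the VBScript segment above, using the same ADSI (LDAP://) provider, with the save/set/restore pattern the post describes. The computer DN is a placeholder, and it assumes the caller can write userAccountControl on that object.

```powershell
# Placeholder DN: replace with the real computer object
$computerDN = 'LDAP://CN=CLIENTNAME,OU=OUNAME,DC=DOMAINNAME,DC=com'

# Bits of the userAccountControl bitmask that the VBScript value is made of:
# 528384 = 0x81000 = WORKSTATION_TRUST_ACCOUNT (0x1000) -bor TRUSTED_FOR_DELEGATION (0x80000).
# Writing that literal replaces every other flag on the account, so this version
# only toggles the delegation bit and keeps whatever else was set.
$TRUSTED_FOR_DELEGATION = 0x80000

$objComputer = [ADSI]$computerDN
# Save the initial setting so it can be put back exactly
$original = [int]$objComputer.userAccountControl.Value

function Set-UserAccountControl {
    param(
        [System.DirectoryServices.DirectoryEntry]$Entry,
        [int]$Value
    )
    # Same two calls as objComputer.Put / objComputer.SetInfo in the VBScript
    $Entry.Put('userAccountControl', $Value)
    $Entry.SetInfo()
}

try {
    # Enable "trust this computer for delegation to any service" for the duration of the script
    Set-UserAccountControl -Entry $objComputer -Value ($original -bor $TRUSTED_FOR_DELEGATION)

    # ... the Invoke-Command work against the file share goes here ...
}
finally {
    # Runs even if the script block above throws, so the computer is not left
    # in fully delegated mode after an error
    Set-UserAccountControl -Entry $objComputer -Value $original
}
```

The finally block is what keeps a failed run from leaving the flag set; checking the value afterwards with `([ADSI]$computerDN).userAccountControl.Value` confirms the restore.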