| Author |
 Topic  |
|
|
Rambler
Major Contributor
Czech Republic
956 Posts
Status: offline |
 Posted - 06/29/2012 : 10:32:10 AM
|
Hi everyone.
Is it somehow possible to use modules such as ActiveDirectory, FailoverClusters etc. without actually installing/enabling RSAT?
I have a script that needs to be run locally on every machine (it's setting permissions using icacls), but I'd like to avoid enabling RSAT (even parts of it) on the servers.
|
|
|
jhicks
Here To Stay
USA
283 Posts
Status: offline |
Posted - 06/29/2012 : 10:37:56 AM
|
| The only way you can get the AD module on Windows 7 is to install RSAT and configure it for AD. What you might have to do is install RSAT on your machine, use remoting to run icacls. Use the AD module locally to get what you need and then pass that to the remote icacls command. The other option, at least for AD, is to write your own functions using ADSI. |
Jeffery Hicks
Windows PowerShell MVP
http://jdhitsolutions.com.blog
http://twitter.com/JeffHicks
http://www.ScriptingGeek.com
Now Available: Managing Active Directory with Windows PowerShell: TFM 2nd ed. |
 |
|
|
Rambler
Major Contributor
Czech Republic
956 Posts
Status: offline |
Posted - 06/29/2012 : 10:46:51 AM
|
Thanks Jeffery. I haven't explored remoting much yet - do I understand it correctly that I could create remote session from my management station which has RSAT installed and still use the modules on the remote computer (inside the PSH session)?
Edit: Ah, found this http://blogs.metcorpconsulting.com/tech/?p=240, so I guess the answer is yes |
Edited by - Rambler on 06/29/2012 10:47:00 AM |
|
|
|
JeffWouters
Here To Stay
Netherlands
149 Posts
Status: offline |
Posted - 06/29/2012 : 12:19:24 PM
|
Take a look at Don Jones' Secrets of PowerShell Remoting book (free): http://powershellbooks.com/
A lot of content but explaines it from A to Z :-) |
Greetsz,
Jeff. |
|
|
|
jhicks
Here To Stay
USA
283 Posts
Status: offline |
Posted - 06/29/2012 : 12:28:35 PM
|
| That's a little different. Implicit remoting allows you to use stuff that isn't installed on your computer. I don't think this applies to your situaton. But in your case you want to run some icalcs commands on remote computers and use some AD stuff along the way. Even with the AD module loaded on your machine, you can't run a command like Get-ADUser on the remote machine. What you can do however, is run the command on your machine and then use the result remotely. Ultimately, this is going to come down to what you need to achieve. |
Jeffery Hicks
Windows PowerShell MVP
http://jdhitsolutions.com.blog
http://twitter.com/JeffHicks
http://www.ScriptingGeek.com
Now Available: Managing Active Directory with Windows PowerShell: TFM 2nd ed. |
|
|
|
Rambler
Major Contributor
Czech Republic
956 Posts
Status: offline |
Posted - 07/03/2012 : 06:06:01 AM
|
Maybe my description wasn't clear enough in the first post. I need to run stuff that isn't installed on the computer from which I run the script.
For example I have script that displays CSV information on a Hyper-V cluster. I use the FailoverClusters module, which I don't have installed on the machine from which I run the script. So I've added the implicit remoting code from the above link and the module loads fine, but now there's a problem with credentials/elevation. I get access denied, although I'm running the script as domain admin (even tried elevated PSH session).
# Create a Powershell remote session to a server with the #commandlets installed.
$Session = New-PSsession -Computername server1
# Use the newly created remote Powershell session to send a #command to that session
Invoke-Command -Command {Import-Module FailoverClusters} -Session $Session
# Use that session with the modules to add the available # commandlets to your existing Powershell command shell with a #new command name prefix.
Import-PSSession -Session $Session -Module FailoverClusters
$objs = @()
$csvs = Get-ClusterSharedVolume -cluster <clustername>
foreach ( $csv in $csvs )
{
$csvinfos = $csv | select -Property Name -ExpandProperty SharedVolumeInfo
foreach ( $csvinfo in $csvinfos )
{
$obj = New-Object PSObject -Property @{
Name = $csv.Name
Path = $csvinfo.FriendlyVolumeName
Size = $csvinfo.Partition.Size / 1GB
FreeSpace = $csvinfo.Partition.FreeSpace / 1GB
UsedSpace = $csvinfo.Partition.UsedSpace /1GB
PercentFree = $csvinfo.Partition.PercentFree
}
$objs += $obj
}
}
$objs | ft -auto Name,Path,@{ Label = "Size(GB)" ; Expression = { "{0:N2}" -f ($_.Size) } },@{ Label = "FreeSpace(GB)" ; Expression = { "{0:N2}" -f ($_.FreeSpace) } }`
,@{ Label = "UsedSpace(GB)" ; Expression = { "{0:N2}" -f ($_.UsedSpace) } },@{ Label = "PercentFree" ; Expression = { "{0:N2}" -f ($_.PercentFree) } }
The script is raw, nothing fancy, just to get the info I need.
Here's the error:
quote:
You do not have administrative privileges on the cluster. Contact your network administrator to request access.
Access is denied
+ CategoryInfo : NotSpecified: (:) [Get-ClusterSharedVolume], ClusterCmdletException
+ FullyQualifiedErrorId : Get-ClusterSharedVolume,Microsoft.FailoverClusters.PowerShell.GetClusterSharedVolumeComm
and
out-lineoutput : The object of type "Microsoft.PowerShell.Commands.Internal.Format.FormatStartData" is not valid or not
in the correct sequence. This is likely caused by a user-specified "format-table" command which is conflicting with th
e default formatting.
+ CategoryInfo : InvalidData: (:) [out-lineoutput], InvalidOperationException
+ FullyQualifiedErrorId : ConsoleLineOutputOutOfSequencePacket,Microsoft.PowerShell.Commands.OutLineOutputCommand
Do I need to create the remote session in a different way or what is the problem? |
Edited by - Rambler on 07/03/2012 06:12:43 AM |
|
|
|
jhicks
Here To Stay
USA
283 Posts
Status: offline |
Posted - 07/03/2012 : 07:41:25 AM
|
| So Server1 is the cluster that has the Failovercluster module, right? I would try creating the session with -PSCredential explicitly specifying an admin credential for the server. Then enter the session, import the module and try running the the Get-ClusteredShareVolume command. This will help verify if credentials are an issue. |
Jeffery Hicks
Windows PowerShell MVP
http://jdhitsolutions.com.blog
http://twitter.com/JeffHicks
http://www.ScriptingGeek.com
Now Available: Managing Active Directory with Windows PowerShell: TFM 2nd ed. |
|
|
|
jhicks
Here To Stay
USA
283 Posts
Status: offline |
Posted - 07/03/2012 : 07:56:41 AM
|
| I just had a thought. If you are remoting to Server1 and then using the cluster cmdlets to connect to another remote machine that can be problematic. This second-hop isn't normally allowed for security reasons. |
Jeffery Hicks
Windows PowerShell MVP
http://jdhitsolutions.com.blog
http://twitter.com/JeffHicks
http://www.ScriptingGeek.com
Now Available: Managing Active Directory with Windows PowerShell: TFM 2nd ed. |
|
|
|
Rambler
Major Contributor
Czech Republic
956 Posts
Status: offline |
Posted - 07/03/2012 : 09:00:28 AM
|
Yes, that seems to be the problem. I've created the session with providing the -Credential parameter and imported the failovercluster module, Get-ClusterSharedVolume failed again with access denied.
Then I've tried the same, but created the session directly to the cluster node and then it worked because I didn't have to specify the -cluster parameter. The good news is I can use the cluster name instead of a node name to connect to.
You said this cred/token "transitiveness" is not normally allowed - is there a way to allow it then? |
|
|
|
jhicks
Here To Stay
USA
283 Posts
Status: offline |
Posted - 07/03/2012 : 09:50:00 AM
|
The long answer is to set up delegation with CredSSP. But that is a pain. The issue is 2nd hop authentication. I've had luck manually authenticating with a simple net use command. In the session run the net use command and map a drive to c$ or IPC$
[remote]PS C:\> net use * \\server2\c$ /user:domain\admin MyPassw0rd
Then try running PowerShell commands that connect to remote computers. I can't guarantee this technique will work 100% of the time. |
Jeffery Hicks
Windows PowerShell MVP
http://jdhitsolutions.com.blog
http://twitter.com/JeffHicks
http://www.ScriptingGeek.com
Now Available: Managing Active Directory with Windows PowerShell: TFM 2nd ed. |
|
|
|
Rambler
Major Contributor
Czech Republic
956 Posts
Status: offline |
Posted - 07/04/2012 : 7:54:28 PM
|
Thanks Jeffery, I'll try that out.
I guess I'll stick to connecting directly to the cluster in this particular script. I'll have to see how it turns out in my other scripts where I need this functionality. |
|
|
| |
Topic |
|
modules without RSAT?
