This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 42%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Tell me, please, what is the logic of the Get-Hotfix cmdlet with the -ComputerName parameters and, in general, the whole process of accessing the remote server?
I need to contact a non-domain server to get information on the currently installed updates.
I successfully get this using the "Get-Hotfix -ComputerName Server -Credential $Cred_Administrator" command
In the $Cred_Administrator variable I enter the account of the built-in local administrator.
If I create a new user and grant him local administrator rights, then by specifying his data, I already get the "Access Denied" response.
The first question - why? What advantage does the built-in administrator have in this case from the newly created system administrator?
If I change the WinRM settings (reduce security quite a lot), then the command is executed for new local administrators as well. However, I don't want to downgrade security if there are other options.
The second question is why the account should be in local administrators? Doesn't the "Remote Management Users" group make it possible to run remote commands on a server? This Get-Hotfix cmdlet is executed with the least rights when logging in interactively. Remote access to the server is allowed, rights are granted through this group, what is missing?
No answer to the question? :(
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 77%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKV%3C/text%3E%3C/svg%3E)
Khov vannak
If you have already run "winrm quickconfig" on the remote machine, then try this with a remote administrator account on your machine.
$User = ".\admin"
$PWord = ConvertTo-SecureString -String "admin" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Invoke-Command -ComputerName test10 -Credential $Credential -ScriptBlock {get-hotfix}
WinRM was included exclusively for test purposes, I don't want to include it on all non-domain servers for security reasons.
I want to understand, why the Get-Hotfix command is executed without any settings, when it running remotely from credential the built-in administrator, but does not work, from credential a new local administrator (for example, admin instead of the built-in Administrator)
I'm sorry, I do not understand your last question.
On my test10 VM, I have an admin account just like you commented, it is named admin.
I tried running get-hotfix remotely and got this error.
The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
I had to enable the WMI-In firewall rule for the private and public profiles and then it worked.
I tried it with a Testuser account (not an admin) and got access denied. I believe that is due to Windows using "Interactive" to grant access to COM applications. I tried playing with Dcomcnfg and granting access to "everyone" in COM Security but it still didn't work. I don't really want that enabled so I did not go any further.
Adding testuser to the Remote Management Users group allowed Get-Ciminstance to function, but Get-Hotfix still failed.
Update: Since WMI was working, testuser was able to run this query. See if that works for you.
Get-CimInstance -ComputerName test10 -class WIN32_QuickFixEngineering
Thank you so much for such a detailed answer! I tried it, here is the result:
I meant this:
As a result, the command is executed:
Get-Hotfix -ComputerName TestServer -Credential $Credential
Your script implies first executing the command:
WinRM QuickConfig
After executing this command, Get-Hotfix is executed successfully under other local administrators. However, I would like to avoid setting up WinRM if possible on such servers (since for the built-in administrator, the command is executed without this setting).
Regarding the last command, here is the output:
PS C:> Get-CimInstance -ComputerName "TestServer" -Class Win32_QuickFixEngineering
Get-CimInstance : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer TestServer. Verify that the computer exists on
the network and that the name provided is spelled correctly.
At line:1 char:1
At the same time, the server name is resolved in the IP correctly.
About my goal:
To use a minimum of edits in the OS and get information about updates from remote non-domain servers as safely as possible. Initially it seemed that the rights of a simple user would be enough, but it seems that they are not :(
That's my mistake on that last call. I did not include the credentials. I'm not sure how that was working.
So I tried again to get my TestUser account working, but I kept getting access denied.
I found this page that describes the steps to enable non-admin access, but I did not configure my test machine to do that. It would seem to be a whole lot easier to just use an administrator account.
https://sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=10
As to why your admin account does not work, the most common reasons are that it just isn't a member of the administrators group, or has some attribute set like "must change password".
Here is my latest version of what I was testing with. It demonstrates how to use CimSession with alternate credentials.
I also added an invoke-command to list the administrators group membership and to display details about your admin user.
If you don't see anything wrong with the user, then logon to the desktop of the target machine with that account and try to open a command prompt with "Run as administrator". Also check the security eventlog.
cls
$computer = "test10"
$User = ".\admin"
$PWord = ConvertTo-SecureString -String "admin" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Get-HotFix -ComputerName $computer -Credential $Credential | Format-Table
$sess = New-CimSession -ComputerName $computer -Credential $Credential
Get-CimInstance -CimSession $sess -class WIN32_QuickFixEngineering
Get-CimInstance -CimSession $sess -class WIN32_Product | Format-Table
Remove-CimSession -CimSession $sess
Invoke-Command -ComputerName $computer -Credential $Credential -ScriptBlock {
"Members of the Administrators group"
Get-LocalGroupMember -Name Administrators
"------------"
net.exe user Admin
}
As to why your admin account does not work...
The question was why is WINRM QC required to work? Without WINRM QC, everything works under the built-in administrator. It works with the new administrator only after WINRM QC.
Another question was why the "Remote Management Users" group does not allow access to execute even after setting up WINRM QC.
Additional about your cmdlet Get-CimInstance. I can't to execute it without additional settings in WinRM, because by default on non-domain server insecure authentication methods are not included:
New-CimSession : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you in with this credential becau
se your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can s
ign in with that credential.
Without WINRM QC, everything works under the built-in administrator. It works with the new administrator only after WINRM QC.
Please remember that there is a lot that I don't know about how your machines have been configured. If you have some policy set that restricts access to your admin user, there is no way that I would know about it. So when you ask why something "didn't work" or got "access denied", the simple answer is that I just don't know. The best that I can offer is try to help you troubleshoot the problem.
That says that adding a user to that group does not automatically grant access to everything, you also would need to resolve "This applies only to WMI namespaces that grant access to the user."
At least for now, I would recommend that you put the issue of the Remote Management group aside, and focus on getting Administrator group members to work.
On my test VM I stopped and disabled the Windows Remote Management service. That should effectively simulate a WinRM that has not been QC'd.
After doing that, my CimSession calls fail, but straight WMI calls, including WMIC.exe and Get-Hotfix still work.
cls
$computer = "test10"
$User = ".\admin"
$pswd = "admin"
$PWord = ConvertTo-SecureString -String $pswd -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
"-----Testing get-wmiobject------"
Get-WmiObject -ComputerName $computer -Credential $Credential -Class WIN32_OperatingSystem | Format-Table
"-----Testing wmic------"
wmic.exe /node:$computer /user:$user /password:$pswd os get name
"-----Testing get-hotfix------"
Get-HotFix -ComputerName $computer -Credential $Credential | Select-Object -First 2 | Format-Table
"-----Testing CimSession------"
$sess = New-CimSession -ComputerName $computer -Credential $Credential
if ($sess) {
Get-CimInstance -CimSession $sess -class WIN32_Product | Format-Table
Remove-CimSession -CimSession $sess
}
"-----List administrator group members to verify that the admin user is a member------"
$group = Get-WmiObject -ComputerName $computer -Credential $Credential win32_group -filter 'Name = "Administrators"'
$group.GetRelated('Win32_UserAccount') | Format-Table
Produces this output.
-----Testing get-wmiobject------
SystemDirectory Organization BuildNumber RegisteredUser SerialNumber Version
--------------- ------------ ----------- -------------- ------------ -------
C:\Windows\system32 19045 Admin 00330-80000-00000-AA859 10.0.19045
-----Testing wmic------
Name
Microsoft Windows 10 Pro|C:\Windows|\Device\Harddisk1\Partition3
-----Testing get-hotfix------
Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
TEST10 Update KB5029919 NT AUTHORITY\SYSTEM 9/14/2023 12:00:00 AM
TEST10 Update KB5028951 NT AUTHORITY\SYSTEM 8/16/2023 12:00:00 AM
-----Testing CimSession------
New-CimSession : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the
computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and
allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to
remote computers within the same local subnet.
At line:14 char:9
+ $sess = New-CimSession -ComputerName $computer -Credential $Credent ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ConnectionError: (:) [New-CimSession], CimException
+ FullyQualifiedErrorId : HRESULT 0x80338126,Microsoft.Management.Infrastructure.CimCmdlets.NewCimSessionCom
mand
+ PSComputerName : test10
-----List administrator group members to verify that the admin user is a member------
AccountType Caption Domain SID FullName Name
----------- ------- ------ --- -------- ----
512 TEST10\Administrato TEST10 S-1-5-21-3672446222-1547575315-356276567-500 Administrato
512 TEST10\Admin TEST10 S-1-5-21-3672446222-1547575315-356276567-1001 Admin
Hopefully that resolves the issue of "I don't want to run winrm quickconfig". Is your testing successful?
When you run that script using the Administrator account, does it show that the Admin user is a member of the group?
I have a second Win10 VM that I don't test with as much. The WMI calls failed with "The RPC server is unavailable" until I enabled these 2 firewall rules.
I am very sorry for my lack of activity for so long, I was very busy.
Once again, thank you very much for your detailed answer!
I don't know about how your machines have been configured
After performing the WinRM settings, edits occur in the OS and even with the service disabled, the behavior of the system is different. You can check this by installing a fresh server and executing these commands.
Unfortunately, I think doing the winrm setup is my single solution to the problem at the moment. Other actions do not lead to the desired result :(
-----Testing get-wmiobject------
SystemDirectory Organization BuildNumber RegisteredUser SerialNumber Version
C:\Windows\system32 19045 Admin 00330-80000-00000-AA859 10.0.19045
-----Testing wmic------
Name
Microsoft Windows 10 Pro|C:\Windows|\Device\Harddisk1\Partition3
-----Testing get-hotfix------
Source Description HotFixID InstalledBy InstalledOn
TEST10 Update KB5029919 NT AUTHORITY\SYSTEM 9/14/2023 12:00:00 AM
TEST10 Update KB5028951 NT AUTHORITY\SYSTEM 8/16/2023 12:00:00 AM
-----Testing CimSession------
New-CimSession : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the
computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and
allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to
remote computers within the same local subnet.
At line:14 char:9
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----List administrator group members to verify that the admin user is a member------
AccountType Caption Domain SID FullName Name
512 TEST10\Administrato TEST10 S-1-5-21-3672446222-1547575315-356276567-500 Administrato
512 TEST10\Admin TEST10 S-1-5-21-3672446222-1547575315-356276567-1001 Admin
CategoryInfo : ConnectionError: (:) [New-CimSession], CimException
FullyQualifiedErrorId៖ HRESULT 0x80338126,Microsoft.Management.Infrastructure.CimCmdlets.NewCimSessionCom
mand
PSComputerName : khov vannak
----- administrator group members to verify that the admin user is a member------
AccountType Caption Domain SID FullName Nam
e khov vannak