Share via

Problem with language mode in remote session

Marco Hofman 6 Reputation points
2021-10-20T14:17:26.677+00:00

I have a problem with the language mode on a server that I access remotely with New_PSSession

Ik have created on the server a session configuration with the script below:

Clear-Host
[string]$User              = "SQL-AuditSQLConfig"
[string]$ConfigurationName = "SQL-AuditSQLConfig2"

If ((Get-PSSessionConfiguration -Name $ConfigurationName) -ne $null)
{
    Unregister-PSSessionConfiguration -Name $ConfigurationName -Force
}

#Register SessionConfiguration
New-PSSessionConfigurationFile -Path .\FullLanguage.pssc -LanguageMode FullLanguage
Register-PSSessionConfiguration -Name $ConfigurationName -Path .\FullLanguage.pssc -Force

$id = new-object System.Security.Principal.NTAccount($User)
$sid = $id.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
Set-PSSessionConfiguration $ConfigurationName -SecurityDescriptorSddl "O:NSG:BAD:P(A;;GA;;;BA)(A;;GX;;;$sid)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)" -Path C:\Users\SA0253192\Documents\FullLanguage.pssc -Force

(Get-PSSessionConfiguration -Name SQL-AuditSQLConfig2).LanguageMode

The last line of the script tells me that the language mode of the session is "FullLanguage"

When I connect to this session with the script below, it tells me that the session language mode is "ConstrainedLanguage"

Clear-Host

[string]$FQDN_NodeName = "server.my.domain.nl"
[string]$User = "mydomain\user"
[string]$PSSessionConfigurationName = "SQL-AuditSQLConfig2"

$Password       = ConvertTo-SecureString -String "**********" -AsPlainText -Force
$Credential     = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $Password
$sessionOptions = New-PSSessionOption -IncludePortInSPN 
$myNodeSession  = New-PSSession -ComputerName $FQDN_NodeName -ConfigurationName $PSSessionConfigurationName -Credential $Credential -SessionOption $sessionOptions

Invoke-Command -Session $myNodeSession -ScriptBlock { $ExecutionContext.SessionState.LanguageMode }

Remove-PSSession -Id $myNodeSession.Id
  • The environment variable "__PSLockdownPolicy" is not set.
  • The problem does not occur on another server, which also is running Windows 2016 and is positioned in the same organizational unit in Active Directory (so they have the same set of policies).

Does anyone know what is happening here?

Regards,
Marco

Windows for business | Windows Server | User experience | PowerShell
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marco Hofman 6 Reputation points
    2021-10-22T10:07:40.303+00:00

    Hi Rich,

    I have tested this, but is gives an error:

    Invoke-Command : Parameter set cannot be resolved using the specified named parameters.
    At line:14 char:1

    • Invoke-Command -Session $myNodeSession -ConfigurationName $PSSessionC ...
    • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : InvalidArgument: (:) [Invoke-Command], ParameterBindingException
    • FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.PowerShell.Commands.InvokeCommandCommand

    I have have found another workaround. I have added the parameter -NoMachineProfile to the New-PSSessionOption cmdlet:

    Clear-Host

[string]$FQDN_NodeName = "server.my.domain.nl"
[string]$User = "mydomain\user"
[string]$PSSessionConfigurationName = "SQL-AuditSQLConfig2"

$Password       = ConvertTo-SecureString -String "**********" -AsPlainText -Force
$Credential     = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $Password
$sessionOptions = New-PSSessionOption -IncludePortInSPN -NoMachineProfile
$myNodeSession  = New-PSSession -ComputerName $FQDN_NodeName -ConfigurationName $PSSessionConfigurationName -Credential $Credential -SessionOption $sessionOptions

Invoke-Command -Session $myNodeSession -ScriptBlock {  $ExecutionContext.SessionState.LanguageMode }

Remove-PSSession -Id $myNodeSession.Id

    Now it returns the language mode "FullLanguage"

    It still doesn't clarify why the session on this particular server switches to "ConstrainedLanguage", while others don't. But I can continue my work.

    Regards,
    Marco

    1 person found this answer helpful.
    0 comments
  2. Rich Matheisen 48,026 Reputation points
    2021-10-20T14:58:23.913+00:00

    This probably isn't the answer, but try adding a sessiontype to the configuration file: 

    New-PSSessionConfigurationFile -Path .\FullLanguage.pssc -LanguageMode FullLanguage -SessionType Default

    Is it possible that there's a GPO on the remote server? I don't think that's relevant because the custom endpoint should be able to ignore that.

    0 comments
  3. Marco Hofman 6 Reputation points
    2021-10-20T15:44:43.163+00:00

    Thanks Rich,

    I have tested it with the "-SessionType Default", but ik didn't help.

    When I run the "$ExecutionContext.SessionState.LanguageMode" statement on the problem server in a normal powershell session (without New-PSSession) the language mode is "FullLanguage".

    I have compared the GPO's on both servers (the one with the problem and the one without the problem) with GPResult /R. They are identical. So I don't think it has to do with a GPO.

    Regards,
    Marco

    0 comments
  4. Rich Matheisen 48,026 Reputation points
    2021-10-20T18:48:18.543+00:00

    Hmmmm . . . I'm wondering if what's happening is that the Invoke-Command is using the languagemode from a default set of configuration settings (perhaps from its creating it's own session?).

    How about adding -ConfigurationName to the Invoke-Command? 

    Invoke-Command -Session $myNodeSession -ConfigurationName $PSSessionConfigurationName -ScriptBlock { $ExecutionContext.SessionState.LanguageMode }
    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.