JustAGuy

Reputation: 5941

Running PS cmdlets from remote under non-admin users - Access Denied

I'm trying to run Get-ScheduledTask remotely through Invoke-Command. The user is a non-admin but is part of the "Remote Management Users" group. PS-Remoting works fine. Running the command locally works fine. But running it through Invoke-Command gets me the following error:

Cannot connect to CIM server. Access denied
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
    + PSComputerName        : us-web1

Here's the code sample:

Note: this is running directly under the non-admin user in question.

$servers = "us-web1","us-web2","us-engine1","us-engine2","us-engine3","us-engine4"

foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        Get-ScheduledTask
    }
}

Upvotes: 7

Views: 12584

Answers (2)

Nick989898

Reputation: 86

I was having a very similar issue with trying to use the get-printer command remotely without admin credentials.

What I found really helped was this link: https://social.technet.microsoft.com/Forums/exchange/en-US/b748d1bb-fa97-4c30-a626-145dfbc40873/service-acccount-permission-to-remote-powershell-to-dns-server-on-windows-server-2012?forum=winserverpowershell

The process that I used for my issue was:

  1. Open Computer Management Console. Right click WMI Control (under Services and Applications) and click property.

  2. In the newly opened window, click on the Security tab.

  3. Expand the Root tree, then click on the node CIMV2, and click the Security button.

  4. In the newly opened window, click the Advanced button.

  5. In the newly opened window, click the Add button under the permission tab.

  6. In the newly opened window, click on “select a principal”, then search and add the account or group you want to have access as the principal, then click OK.

  7. In the applies to, choose “this namespace and subnamespace”.

  8. For the permission, check “Execute Methods”, “Enable Accounts” and “Remote Enable”.

  9. Click accept on all the open dialogue boxes.

  10. Restart WMI services.

  11. Attempt remotely running your command again. It will fail again, but this time you will see the real issue. Look in the error for "permission denied", then follow the same steps as above and grant access to the path shown.

Hope this helps

Upvotes: 6
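The GUI steps in the answer above add an entry to the WMI namespace's access control list. The following read-only audit is an added example, not part of the original answer: it lists which principals hold "Remote Enable" and the other rights on a namespace, so the grant can be verified and kept to least privilege. The function name Get-WmiNamespaceAce is hypothetical, and the script assumes an elevated session on the target server.

```powershell
# Added example: read-only audit of a WMI namespace DACL.
# Assumption: run elevated on the server whose namespace was modified.
function Get-WmiNamespaceAce {   # hypothetical helper name
    param([string]$Namespace = 'root/cimv2')

    # WMI namespace access-mask bits, labelled as in the WMI Control security dialog
    $rights = [ordered]@{
        'Enable Account'  = 0x1
        'Execute Methods' = 0x2
        'Full Write'      = 0x4
        'Partial Write'   = 0x8
        'Provider Write'  = 0x10
        'Remote Enable'   = 0x20
        'Read Security'   = 0x20000
        'Edit Security'   = 0x40000
    }

    $result = Invoke-CimMethod -Namespace $Namespace -ClassName '__SystemSecurity' `
                               -MethodName 'GetSecurityDescriptor'
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on '$Namespace' failed with code $($result.ReturnValue)"
    }

    foreach ($ace in $result.Descriptor.DACL) {
        $granted = $rights.Keys | Where-Object { $ace.AccessMask -band $rights[$_] }
        [pscustomobject]@{
            Principal     = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
            Type          = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
            Subnamespaces = [bool]($ace.AceFlags -band 0x2)    # CONTAINER_INHERIT_ACE
            Inherited     = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
            RemoteEnable  = [bool]($ace.AccessMask -band 0x20)
            Rights        = $granted -join ', '
        }
    }
}

# Principals allowed to reach this namespace over the network
Get-WmiNamespaceAce -Namespace 'root/cimv2' |
    Where-Object { $_.Type -eq 'Allow' -and $_.RemoteEnable } |
    Format-Table -AutoSize
```

Pass the namespace path reported in the step 11 error as -Namespace to check that namespace in the same way.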

RowdyVinson

Reputation: 150

This could be an issue with credentials not passing through. Try adding a get-credential and adding that to your invoke-command. You can use the same creds, just try passing it directly.

Like this:

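# Prompt once for the credentials, then pass them explicitly
$Cred = Get-Credential
# -Credential requires a remote target; $server is the loop variable from the question
Invoke-Command -ComputerName $server -Credential $Cred -ScriptBlock { Get-ScheduledTask }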

Upvotes: 0
