Dennis

Reputation: 1784

Why can't I run accesschk using a PowerShell remote session to check system permissions?

I'm trying to get the system security permission for a specific user on a remote system using SysInternals AccessChk.

If I log in to a computer as administrator and copy the SysInternals tools to my LocalAppData folder, I can run

# Resolve the current user's LocalAppData folder (e.g. C:\Users\<name>\AppData\Local)
[System.IO.FileInfo]$LocalApplicationDataFolder = [System.Environment]::GetFolderPath(
  [System.Environment+SpecialFolder]::LocalApplicationData
)

# List all account rights (-a *) held by domain\plainuser
& "$LocalApplicationDataFolder\SysInternals\accesschk64.exe" /accepteula -nobanner -u domain\plainuser -a *

But when using remoting, I get access denied.

# Interactive remote session on host1
Enter-PSSession -ComputerName host1

# Same lookup, now evaluated on host1 in the remote session
[System.IO.FileInfo]$LocalApplicationDataFolder = [System.Environment]::GetFolderPath(
  [System.Environment+SpecialFolder]::LocalApplicationData
)

& "$LocalApplicationDataFolder\SysInternals\accesschk64.exe" /accepteula -nobanner -u domain\plainuser -a *

Error enumerating account rights:
Access denied.

Upvotes: 0

Views: 187

Answers (1)

Dennis

Reputation: 1784

Ok, dead pan in action ;)

As soon as I published the question I noticed the enumeration part in the error message.
Due to the PowerShell double-hop issue, accesschk of course can't contact a domain controller to resolve the user name, as my credentials (normally) aren't part of the remote session...

So this code should work (if accesschk is available on the remote server)...

# Credential the new session configuration will run as, and a unique endpoint name
$MyCred = Get-Credential
$MyConfigName = New-Guid

# Register a RunAs endpoint on host1; commands sent to it execute as $MyCred,
# so the remote process holds a real domain identity (no second hop needed)
Invoke-Command -ComputerName host1 {
  Register-PSSessionConfiguration `
    -Name $Using:MyConfigName `
    -RunAsCredential $Using:MyCred
}

# Run accesschk through the RunAs endpoint
Invoke-Command -ComputerName host1 -ConfigurationName $MyConfigName {
  [System.IO.FileInfo]$LocalApplicationDataFolder = [System.Environment]::GetFolderPath(
    [System.Environment+SpecialFolder]::LocalApplicationData
  )

  & "$LocalApplicationDataFolder\SysInternals\accesschk64.exe" /accepteula -nobanner -u domain\plainuser -a *
}

# Remove the endpoint again
Invoke-Command -ComputerName host1 {
  Unregister-PSSessionConfiguration -Name $Using:MyConfigName -Force
}

Note: Other users can use MyConfigName as I haven't restricted the permissions...

Upvotes: 0
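An added example, not part of the answer above, that closes the gap the note mentions: the RunAs endpoint is registered with a DACL that admits only one caller, and its RunAs account and permissions are checked before accesschk is run through it. Placeholders: host1, domain\admin (the only caller allowed to connect), domain\plainuser, and the credential entered at the prompt.

```powershell
# Added example (not from the original answer). Placeholders: host1, domain\admin, domain\plainuser.
$MyCred        = Get-Credential -Message 'Account the endpoint runs as'
$MyConfigName  = "AccessChk-$(New-Guid)"
$AllowedCaller = 'domain\admin'   # the only principal allowed to use the endpoint

# Resolve the caller to a SID so the DACL does not depend on name resolution on host1
$CallerSid = ([System.Security.Principal.NTAccount]$AllowedCaller).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

# DACL: full access for local Administrators (BA, so the endpoint can still be unregistered)
# and for the caller's SID; anyone without an allow ACE is refused
$Sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$CallerSid)"

Invoke-Command -ComputerName host1 {
  # -Force suppresses the confirmation prompt and restarts WinRM so the endpoint becomes active
  Register-PSSessionConfiguration -Name $Using:MyConfigName `
    -RunAsCredential $Using:MyCred `
    -SecurityDescriptorSddl $Using:Sddl `
    -Force | Out-Null
}

# Check before use: RunAsUser must be the intended account and Permission must list
# only Administrators and the allowed caller
Invoke-Command -ComputerName host1 {
  Get-PSSessionConfiguration -Name $Using:MyConfigName |
    Select-Object Name, RunAsUser, Permission
}

# The endpoint runs as $MyCred, so GetFolderPath resolves that account's LocalAppData,
# not the profile of whoever copied the tools; accesschk must live there
Invoke-Command -ComputerName host1 -ConfigurationName $MyConfigName {
  $LocalAppData = [System.Environment]::GetFolderPath(
    [System.Environment+SpecialFolder]::LocalApplicationData)
  & "$LocalAppData\SysInternals\accesschk64.exe" /accepteula -nobanner -u domain\plainuser -a *
}

# Remove the RunAs endpoint so it does not outlive the task
Invoke-Command -ComputerName host1 {
  Unregister-PSSessionConfiguration -Name $Using:MyConfigName -Force
}
```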
