Why do I get access denied using Invoke-Command on localhost?

Question

I have valid credentials of a Windows service account stored in $creds and want to use them to access the C: emp\ directory on another server called remotehost. I use Invoke-Command to execute the same test twice, first on localhost (which leads to denied access) and then on remotehost (which succeeds):

Invoke-Command -ComputerName localhost -Credential $creds -ScriptBlock {
    Test-Path -Path \remotehost\C$	emp\    # access denied
}

Invoke-Command -ComputerName remotehost -Credential $creds -ScriptBlock {
    Test-Path -Path \remotehost\C$	emp\    # True
}

Can anyone explain this "access denied"? Why can I successfully connect to remotehost and execute a command there, but I cannot execute the same command from localhost directly?

Just to be sure, I also verified that the connection to localhost works:

Invoke-Command -ComputerName localhost -Credential $creds -ScriptBlock {
    Test-Path -Path C:	emp    # True
}

Doug Maurer · Accepted Answer

What you're experiencing is the double hop issue. You are running a remote command and trying to make another hop to a different remote system. Even though it is your local system, it is still a remote session and thus has the same limitations. You can confirm this by using your remotehost example with a 3rd remote location.

Invoke-Command -ComputerName remotehost1 -Credential $creds -ScriptBlock {
    Test-Path -Path \remotehost2\C$	emp\
}

You will also get Access Denied

My guess for why this example succeeds is windows is smart enough to know the UNC path actually points at the local system.

Invoke-Command -ComputerName remotehost1 -Credential $creds -ScriptBlock {
    Test-Path -Path \remotehost1\C$	emp\
}

Why do I get access denied using Invoke-Command on localhost?

Answers (2)

Related Questions