1

We have a SQL server (Name: SQL) that launches an SSIS job with proxy credentials (a service account), consisting of multiple steps.

One of these steps requires files to be put in a local folder on a remote machine (Name: VM) and execute a program that securely copies these files to a service on the net. I have successfully run both PowerShell and WinRM commands to do this (as administrator), but I need to find a way to run them without being an admin on SQL.

All of these steps work fine when the service account is a local administrator of both SQL and VM. However, we do not want the service account to be a local admin on SQL.

The command I run is:
Invoke-Command -ComputerName vm.fqdn -ScriptBlock {E:\Share\ThirdParty\FTP_Admin\FtpUpload.bat}

I found a Google post suggesting I need to give access to the root/CIMV2 namespace. I gave the service account full control and restarted the WinRM service.

When it fails (NOT running as administrator), the security log gets populated with 4656 event IDs.

Any idea what I can try? Been stumped on this for a while.

2 Answers

1

Here is the link on the Microsoft TechNet forums: http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/70a5a870-b911-4b1a-9c68-e7d91142e511

Long story short - ensure the server has been patched to post SP1 (Server 2008 R2) at least if you are running into these problems.

0

By default, only administrators have access to the (default) runspace you are connecting to:

On the vm.fqdn, try running:

Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI

and grant full control to the service account. Restart the WinRM service (just confirm when asked).

jon Z
I ran that command on vm.fqdn and gave full control to the service account. I ran the job again, but failed. I then ran that command on sql.fqdn, and gave full control, but again the task failed. The service account is administrator on vm.fqdn, but not on sql.fqdn. – Tyler.iStock Nov 04 '11 at 13:45
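
The permission change from the second answer, scripted instead of clicked through the security descriptor UI, so it is repeatable and the previous descriptor is kept for rollback. This is an added example, not code from the original answer; the account name `DOMAIN\svc-ssis` is a placeholder, and it assumes an elevated PowerShell session on vm.fqdn.

```powershell
# Added example, not from the original answer. Run elevated on vm.fqdn.
# 'DOMAIN\svc-ssis' is a hypothetical placeholder for the proxy service account.
$account    = 'DOMAIN\svc-ssis'
$configName = 'Microsoft.PowerShell'   # the default endpoint named in the answer

# Resolve the account to a SID; this throws if the name cannot be resolved.
$nt  = New-Object System.Security.Principal.NTAccount -ArgumentList $account
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

# Load the endpoint's current security descriptor and keep it for rollback.
$oldSddl = (Get-PSSessionConfiguration -Name $configName).SecurityDescriptorSddl
$sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $oldSddl

# 0x10000000 = GENERIC_ALL, matching the "full control" the answer grants in the UI.
$sd.DiscretionaryAcl.AddAccess('Allow', $sid, 0x10000000, 'None', 'None')
$newSddl = $sd.GetSddlForm('All')

# Apply the new descriptor; -Force suppresses the confirmation prompts,
# including the one for restarting the WinRM service.
Set-PSSessionConfiguration -Name $configName -SecurityDescriptorSddl $newSddl -Force

# Record both descriptors and list the ACE(s) now present for the account's SID.
"Before: $oldSddl"
"After : $((Get-PSSessionConfiguration -Name $configName).SecurityDescriptorSddl)"
$sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -eq $sid.Value }
```

To undo the change, pass the saved `$oldSddl` back to `Set-PSSessionConfiguration -SecurityDescriptorSddl`.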