How-To: Set up a service account to run a script that uses a second service account to establish a CIM-Session

  • Question

  • Here is my issue. I have 12 AD forests and 30 some odd domains that I need to be able to create CIM sessions to. I have one service account that I use to retrieve credentials for a set of 12 additional service accounts (one per forest) out of my privileged access management system.

    My first PowerShell console runs under the first service account, which is a local administrator on my server. I can successfully establish CIM sessions to 11 of my 12 forests using the remote service account from the other forest. The remote service account in each forest is a member of Distributed COM Users, Remote Management Users and DNSAdmins in all forests. The remote service account from the other forests has WMI Control permissions set up under Root\CIMv2 and Root\Microsoft for Enable Account, Remote Enable, Execute Methods.

    If I launch a separate PowerShell console under my admin account and manually establish a CIM session to the 12th forest with the same credentials that the first service account uses, I can establish a CIM session and retrieve data successfully. Conversely, if I try to establish a CIM session with my first service account in its PS console window, I get an error 'Access is denied', but only in the 12th forest.

    I am fairly confident the issue is not in the configuration of the remote service accounts themselves for the reasons outlined above. I am wondering if maybe it's GPO or local security configurations that are the problem? Has anyone seen this issue before? If so, how was it resolved?


    • Moved by Bill_Stewart Wednesday, December 12, 2018 8:22 PM Unanswerable drive-by question
    Thursday, August 30, 2018 1:21 AM

All replies

  • Since you can do this on 11 of 12 forests then it is obviously NOT a scripting issue.

    Note that this is not a break/fix forum.  It is intended for scripting questions and not as a tech support forum.  I recommend contacting MS support for assistance troubleshooting your forests/domains.


    \_(ツ)_/

    Thursday, August 30, 2018 1:37 AM
  • Understood. Problem is resolved. Input for the 12th forest had an extra character that was causing the issue.
    Friday, August 31, 2018 2:35 AM
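
The thread was resolved by finding an extra character in the input for one forest. As an added example (not code from the thread), the PowerShell check below reports whitespace, control and non-ASCII characters in per-forest host and account strings before they are used for a CIM session. The function name, field names and sample values are hypothetical, and the thread does not say which input field was affected.

```powershell
# Added example: flag characters that are easy to miss in per-forest input
# (host names, account names) before the values reach New-CimSession.
function Find-SuspectCharacter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value
    )
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c    = $Value[$i]
        $code = [int]$c
        # Report whitespace, control characters, and anything outside
        # printable ASCII (0x21-0x7E), with position and code point.
        if ([char]::IsWhiteSpace($c) -or [char]::IsControl($c) -or
            $code -lt 0x21 -or $code -gt 0x7E) {
            [pscustomobject]@{
                Index     = $i
                CodePoint = 'U+{0:X4}' -f $code
                Category  = [char]::GetUnicodeCategory($c)
            }
        }
    }
}

# Constructed sample input (hypothetical names). The second entry carries a
# trailing non-breaking space (U+00A0) that is invisible on screen.
$targets = @(
    [pscustomobject]@{ Forest = 'forest11.example'; Server = 'dc01.forest11.example'; User = 'FOREST11\svc-cim' }
    [pscustomobject]@{ Forest = 'forest12.example'; Server = 'dc01.forest12.example'; User = "FOREST12\svc-cim$([char]0x00A0)" }
)

foreach ($t in $targets) {
    $clean = $true
    foreach ($field in 'Server', 'User') {
        $hits = @(Find-SuspectCharacter -Value $t.$field)
        if ($hits.Count -gt 0) {
            $clean  = $false
            $detail = ($hits | ForEach-Object { "$($_.CodePoint) at index $($_.Index)" }) -join ', '
            Write-Warning "$($t.Forest): field '$field' contains $detail"
        }
    }
    if ($clean) {
        Write-Output "$($t.Forest): input clean, safe to pass to New-CimSession"
    }
}
```

Account and host names that legitimately contain non-ASCII characters would need the range check relaxed; passwords are deliberately not inspected here.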