none
Cannot do the same via Invoke-command as on server console RRS feed

  • Question

  • Hi,

    my user shall create some directories on different NAS-systems from his workstation.

    I have created a powershell script with a pssession to a server with admin rights.

    I use there some invoke-command commands which work fine. But now I have problems with creating directories on different NAS-Systems.

    When I run the commands on the server (without invoke-command), all works fine.

    When I run the commands on the workstation via Invoke-command (on the same server with the same admin credentials) i get access denied errors.

    Example:

    Invoke-Command -Session pssess -Credential $Cred -ScriptBlock {New-Item '\\NAS1\PROJECTS\0005' -ItemType directory}
    The user name or password is incorrect.
        + CategoryInfo          : WriteError: (\\NAS1...TS\0005:string) [New-Item], IOException
        + FullyQualifiedErrorId : CreateDirectoryIOError,Microsoft.PowerShell.Commands.NewItemCommand
        + PSSession        : pssess
     

    Invoke-Command -Session pssess -Credential $Cred -ScriptBlock {New-Item '\\NAS2\PROJECTS\0005' -ItemType directory}
    Access is denied
        + CategoryInfo          : PermissionDenied: (\\NAS2\PROJECTS\0005:String) [New-Item], UnauthorizedAccessException
        + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.NewItemCommand
        + PSSession        : pssess
     

    Invoke-Command -Session pssess -Credential $Cred -ScriptBlock {New-Item '\\NAS3\PROJECTS\0005' -ItemType directory}
    Access is denied
        + CategoryInfo          : PermissionDenied: (\\NAS3\PROJECTS\0005:String) [New-Item], UnauthorizedAccessException
        + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.NewItemCommand
        + PSSession        : pssess

    How can I solve this?

    I think, I can use filesystemwatch on the server and send ps-scripts from the workstation to a server-directory. I want to avoid that.

    Has anyone another idea?

    Thanks for any help.


    • Edited by HWint Wednesday, January 15, 2020 8:25 PM
    • Moved by jrv Monday, January 20, 2020 9:16 AM abandoned
    Wednesday, January 15, 2020 8:23 PM

All replies

  • NAS servers do not support remoting unless they are Windows Server based,

    You cannot Invoke-Command to the server you are on using the same credentials as you are logged in with.

    Why remote when the folder is on the same server?

    To connect to the server you are logged into you must be an admin runni9ng in an elevated session.


    \_(ツ)_/

    Wednesday, January 15, 2020 8:37 PM
  • Hi jrv,

    I don't understand your answer. I try to explain my problem again.

    I have a win 10 Client and a win 2016 Server. Both are members of a Win2016 Domain.

    We have some NAS-Systems of different types (for example Isilon). They are integrated into the environment so they can be used as Windows SMB-devices.

    I logon into the server with domain Admin credentials and use within powershell the command:
    new-item \\NAS1\PROJECTS\Example -ItemType directory  
    This works!

    Then I go to the win 10 client, logon with user credentials and use within Powershell the command:
    Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock{new-item \\NAS1\PROJECTS\Example -ItemType directory}

    The credentials are the Admin-credentials from above and I get an access denied error.

    I was told, that invoke-command is running on the remote server with the credentials
    you give it.

    Why is the result different from the server session?


    • Edited by HWint Thursday, January 16, 2020 2:11 PM
    Thursday, January 16, 2020 2:04 PM
  • NAS is a remote server.  Security prevents accessing it from a remote connection.  To connect to a share you need to pass credentials.  A remote session has no credentials to pass.

    Search for "second hop restriction" for a complete explanation.


    \_(ツ)_/

    Thursday, January 16, 2020 2:23 PM
  • Thanks; so I need a construction, where the server does it itself.
    Thursday, January 16, 2020 4:04 PM
  • I think the issue is a lack of basic technical training in Windows and network technologies.

    If you are trying to create a folder on a file share just create it. There is no need for remoting.  The folder is already remote.

    This is all you need to run:

    New-Item '\\NAS1\PROJECTS\0005' -ItemType directory

    Why do you think this has to be done remotely?


    \_(ツ)_/

    Thursday, January 16, 2020 4:11 PM
  • I wood have done that, if it would work. But it doesn't, because my user is no admin and the NAS-Systems doesn't accept Invoke-command with the credential parameter

    But your hint "second hop restriction" let me find a solution.

    It's working now. Thanks

    Thursday, January 16, 2020 6:08 PM
  • Post your solution.  Others will find it useful.


    \_(ツ)_/

    • Marked as answer by HWint Monday, January 20, 2020 9:08 AM
    • Unmarked as answer by jrv Monday, January 20, 2020 9:15 AM
    Thursday, January 16, 2020 6:10 PM