PowerShell Remoting configuration and remote management

A little theory, mostly practice. This post describes how to configure WinRM and how to change the network adapter profile, gives a script that adds hosts to TrustedHosts with duplicate filtering, explains why TrustedHosts is needed, and covers remote connections superficially, enough that you can sit down and immediately administer remote machines.

The easiest way to configure remote management is to run Enable-PSRemoting in PowerShell with administrator rights. This does the following:

  • starts the WinRM service (restarts it if it is already running)
  • sets the WinRM service startup type to Automatic
  • creates a WinRM listener for HTTP traffic on port 5985 on all local IP addresses
  • creates a firewall rule for the WinRM listener. Note that this step fails if any of the network adapters has the "Public" network profile, because opening a port on such an adapter is not a good idea. If you run into this error, change the profile with the Set-NetConnectionProfile cmdlet and run Enable-PSRemoting again. If you need to keep an adapter on the "Public" profile, run Enable-PSRemoting with the -SkipNetworkProfileCheck option; in that case the firewall rule is created for the local subnet only.
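The procedure above as an added example, not code from the original article: it looks for adapters on the Public profile before calling Enable-PSRemoting, applies one of the two remedies the text describes, and then verifies the service, the listener and the local endpoint. It assumes Windows 8 / Server 2012 or later (Get-NetConnectionProfile lives in the NetConnection module) and an elevated console.

```powershell
# Added example, not from the original article: enable remoting on the local
# machine and handle the "Public" network profile case described above.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell console.

# Enable-PSRemoting refuses to create the firewall rule while any adapter is
# on the Public profile, so look for those first.
$public = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' }

if ($public) {
    $public | ForEach-Object { Write-Host "Public profile on adapter: $($_.InterfaceAlias)" }

    # Option A, for a network you actually trust: move the adapter to Private
    # (uncomment to apply); after that the plain Enable-PSRemoting below works.
    # $public | Set-NetConnectionProfile -NetworkCategory Private

    # Option B, keep the adapter Public: the listener is still created, but the
    # firewall rule is restricted to the local subnet.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck
}
else {
    Enable-PSRemoting -Force
}

# Verify the result: service state and startup type ...
Get-Service -Name WinRM | Select-Object Name, Status, StartType

# ... the HTTP listener on 5985 bound to all addresses ...
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Transport, Port, Address, Enabled

# ... and that the service answers locally (this errors out if it does not).
Test-WSMan -ComputerName localhost
```

Run it once per machine; Enable-PSRemoting is idempotent, so re-running after fixing a profile is harmless. The -Force switch only suppresses the interactive confirmation prompts.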


Next you need to allow the machine you manage from to connect to the remote machines. This is done for security: it reduces the risk of a remote-control session being hijacked, of a DNS lookup sending you to an impostor instead of the real remote machine, and of your scripts being executed on machines you did not explicitly allow. Note that TrustedHosts is a setting on the client, not on the target: it does not limit who can connect to you, it limits which remote hosts this client will authenticate to with NTLM (that is, without Kerberos mutual authentication), and therefore which hosts it will hand your credentials to.

To check where you can connect from here:

Get-Item WSMan:\localhost\Client\TrustedHosts

To allow connections to everything:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*'

If you open access to everyone by putting *, WinRM will connect to ALL machines without verifying them. Remember that you are opening yourself up to attacks from your local network: any host that can answer to the name you typed gets your credentials. It is better to list the addresses of the hosts you want to connect to; WinRM will then refuse all other addresses and names. If the managing machine is in a domain, it trusts all machines in that domain, because Kerberos authenticates both sides and TrustedHosts is not consulted. If it is not in a domain, or the target is in another domain, you need to add the address or name of the target machine to TrustedHosts. Nothing needs to be configured for this on the machine you connect to.

The help shows the commands; I have altered them slightly in this script:

######################################################################################
# Adds NewHost to the TrustedHosts list, skipping it if the entry is already there.
# The host can be given on the command line, for example:
# .\Add-TrustedHost.ps1 192.168.2.1
######################################################################################
param ( [string]$NewHost = '192.168.2.89' )

Write-Host "adding host: $NewHost"

$prev = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Compare whole entries, not substrings: a plain .Contains() would treat
# 192.168.2.1 as already present when the list holds 192.168.2.10.
$entries = @($prev -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($entries -notcontains $NewHost)
{
    # -Force suppresses the confirmation prompt Set-Item shows for TrustedHosts
    if ($entries.Count -eq 0)
    {
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $NewHost -Force
    }
    else
    {
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value (($entries + $NewHost) -join ', ') -Force
    }
}

Write-Host ""
Write-Host 'Now TrustedHosts contains:'
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value

It checks whether the entry is already present and adds it to the list if not. You can call it from the command line with either an address or a name.

There is a difference between specifying a name and an address. If TrustedHosts contains only the address, opening a session by name will not work, and vice versa: if you specify only the name, connecting by address will not work. The entry has to match literally what you later pass to -ComputerName, so if you use both forms, add both. Keep this in mind.


You often come across references to the command

winrm quickconfig

It is not the same as Enable-PSRemoting. What is the difference? Enable-PSRemoting does more than "winrm quickconfig". The Set-WSManQuickConfig cmdlet does exactly the same as "winrm quickconfig", and Enable-PSRemoting runs Set-WSManQuickConfig as part of configuring the system.

Set-WSManQuickConfig does the following:

  • starts the WinRM service
  • sets the WinRM service startup type to Automatic
  • creates a listener
  • adds firewall exceptions

Enable-PSRemoting additionally:

    1. enables all registered PowerShell session configurations to receive commands from remote machines
    2. registers the "Microsoft.PowerShell" session configuration if it is not registered
    3. registers the "Microsoft.PowerShell32" session configuration on 64-bit machines if it is not registered
    4. removes the "Deny Everyone" entry from the security descriptor of all session configurations
    5. restarts the WinRM service

Source:
Enable-PSRemoting TechNet
Set-WSManQuickConfig TechNet



Remote connections

1. One-to-one session

Open it with

Enter-PSSession -ComputerName Test

You get a shell on the remote machine. You can connect to your own machine by giving localhost. Alternative credentials are specified with the -Credential option; you leave the session with Exit-PSSession.

Limitations:

  • you cannot make a second hop: only one session deep. From inside the session you cannot connect onward, because your credentials are not delegated to the remote machine
  • you cannot use commands with a GUI. If you do, the shell hangs; press Ctrl+C to break out
  • you cannot run commands that have their own interactive shell, for example nslookup or netsh
  • you can run scripts if the execution policy on the remote machine allows them to run
  • you cannot attach to an interactive session; you log on with a "network logon", like mapping a network drive. That is why logon scripts do not run and you may not get your home folder on the remote machine (one more argument against mapping home folders in logon scripts)
  • you cannot interact with the user on the remote machine even if they are logged on. You cannot show them a window or type anything to them

This method is best for simple operations: go in, poke the server, disconnect. If you want to keep variables in scope, need long-running operations (many hours or days), or need more administration, you need heavier machinery.

Note: objects sent over the network are truncated and stop being live. Their methods are removed; the properties remain. Pulling an object to your machine, doing some magic on it and putting it back will not work. If more needs to be written about this, I will add it separately.


2. One-to-many session

Invoke-Command

Decide what it should do:

$sb = { commands for the remote machine, separated by semicolons }

Send it to the remote machines Test1 and Test2:

Invoke-Command -ComputerName Test1, Test2 -ScriptBlock $sb

By default it runs on up to 32 machines at a time (the -ThrottleLimit parameter). For alternative credentials use the -Credential parameter.

To send a whole script instead of a script block, use -FilePath. The remote machine does NOT need access to the file: it is read locally, sent over HTTP and executed on the other side.
Remember that on the other side there is a fresh runspace, so your script does not see the values from your console, and script variables may be empty there. So send ready-made instructions, and scripts with parameters.

To use Invoke-Command you should be able to turn strings into script blocks. For example, you have commands that depend on a list assembled at run time: you build a string, turn it into a ScriptBlock and send it to the remote computer:

$sb = [ScriptBlock]::Create( $SomeString )

Keep in mind that the string becomes code on the remote machine. Only ever assemble it from values you control; never splice user or external input into it.
    

kuda78
The article missed a very important point: passing parameters to the script on the remote machine.

$deployRemote = {
    param(
        [string]$targetEnvName,
        [string]$targetUsername
    )
    $Global:ErrorActionPreference = "Stop"
    #...
}

Yes, indeed skipped. Done deliberately so as not to clutter the overview with settings and descriptions. Thank you. The -ArgumentList parameter works with both script blocks and scripts.
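The Invoke-Command points from the section above and the comment exchange, put together as an added example that is not code from the original article: the fresh remote runspace, -ArgumentList and the $using: scope, -FilePath, [ScriptBlock]::Create, and the deserialized-object caveat from the one-to-one section. Test1 and Test2 are the placeholder names from the text; the service name, the script file path and the process name are assumptions.

```powershell
# Added example, not from the original article. Test1 and Test2 are the
# placeholder names used in the text; the service name, script path and
# process name are assumptions. $using: needs PowerShell 3.0+ on both sides.
$computers = 'Test1', 'Test2'
$svc       = 'Spooler'

# Wrong: the remote side is a fresh runspace, so $svc is empty there.
Invoke-Command -ComputerName $computers -ScriptBlock {
    "$env:COMPUTERNAME sees svc = '$svc'"
}

# Right, option 1: declare param() in the block and feed it with -ArgumentList.
$sb = {
    param([string]$Name)
    $s = Get-Service -Name $Name
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Service = $Name; Status = $s.Status }
}
Invoke-Command -ComputerName $computers -ScriptBlock $sb -ArgumentList $svc

# Right, option 2: the $using: modifier copies a local value into the block.
Invoke-Command -ComputerName $computers -ScriptBlock {
    Get-Service -Name $using:svc | Select-Object Name, Status
}

# A whole script is sent the same way; -ArgumentList feeds its param() block,
# and the remote machine never needs access to the .ps1 file (assumed path).
# Invoke-Command -ComputerName $computers -FilePath .\Check-Service.ps1 -ArgumentList $svc

# Building the block from a string assembled at run time. The string becomes
# code on the remote side, so only splice in values you control, and quote
# them as single-quoted literals with embedded quotes doubled.
$safeName  = $svc -replace "'", "''"
$remoteCmd = "Get-Service -Name '$safeName' | Select-Object Name, Status"
$sb2 = [ScriptBlock]::Create($remoteCmd)
Invoke-Command -ComputerName $computers -ScriptBlock $sb2

# What comes back is a deserialized copy: properties survive, methods do not.
$proc = Invoke-Command -ComputerName $computers[0] -ScriptBlock { Get-Process -Id $PID }
$proc.PSObject.TypeNames[0]            # the type name now carries the Deserialized. prefix
[bool]$proc.PSObject.Methods['Kill']   # the live object's Kill() is not on the copy

# So act on the object where it lives, inside the script block, instead of
# pulling it back, changing it and trying to push it back.
Invoke-Command -ComputerName $computers[0] -ScriptBlock {
    Get-Process -Name notepad -ErrorAction SilentlyContinue | Stop-Process
}
```

Every object returned by Invoke-Command also carries a PSComputerName property, which is how you tell the results from Test1 and Test2 apart once they are merged into one output stream.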

3. Sessions

This is when the other side starts a copy of PowerShell that stays in memory, and commands are sent into it. As a result you can reconnect, start something that runs for a long time, and attach different scripts or different users to it. For example, you have a set of scripts that solve one task in parts; each of them can connect in turn to the same remote session and see the results of the previous commands: loaded modules, shared variables, a shared environment, until the session is forcibly closed.

A session is created with the New-PSSession cmdlet; the result can be stored in a variable:

$DC01 = New-PSSession -ComputerName DC01
$Controllers = New-PSSession DC01, DC02, DC03

You can use the same connection settings as with Invoke-Command.

How to use it:

one-to-one:

Enter-PSSession -Session $DC01

one-to-many:

Invoke-Command -Session $Controllers -ScriptBlock { Get-EventLog -LogName Security -Newest 50 }

To see which sessions are open use Get-PSSession; to close one use Remove-PSSession. Close all sessions:

Get-PSSession | Remove-PSSession

Reattach to a session with Connect-PSSession, detach with Disconnect-PSSession.

Invoke-Command can create a session that is disconnected right away: it sends the commands for execution and disconnects; later you connect and collect the results. This is done with the -InDisconnectedSession parameter. Results are retrieved with the Receive-PSSession cmdlet.

Sessions have a lot of settings; you can even create sessions with a trimmed-down command set, modules and so on. These are called custom endpoints.
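The session workflow described above, as an added example that is not code from the original article: state that persists between calls, a fan-out query, a disconnected session for long-running work collected later with Receive-PSSession, and cleanup. DC01, DC02 and DC03 are the placeholder names from the text; the event-log query and the time window are assumptions. Disconnect-PSSession and Receive-PSSession need PowerShell 3.0 or later on both ends.

```powershell
# Added example, not from the original article. DC01..DC03 are the placeholder
# names from the text; the query and the 30-day window are assumptions.
$controllers = New-PSSession -ComputerName DC01, DC02, DC03

# A session keeps state between calls: a variable set in one Invoke-Command is
# still there in the next one, which Invoke-Command -ComputerName cannot do.
Invoke-Command -Session $controllers -ScriptBlock { $started = Get-Date; Set-Location C:\Windows }
Invoke-Command -Session $controllers -ScriptBlock { "$env:COMPUTERNAME started $started in $(Get-Location)" }

# Fan-out query; every returned object carries PSComputerName, so the results
# of the three machines can be told apart after they are merged.
Invoke-Command -Session $controllers -ScriptBlock { Get-EventLog -LogName Security -Newest 50 } |
    Select-Object PSComputerName, TimeGenerated, EventID, EntryType |
    Sort-Object TimeGenerated -Descending

# Long-running work: start it in a session that is disconnected at once. The
# command keeps running on DC01 after this console is closed.
Invoke-Command -ComputerName DC01 -InDisconnectedSession -ScriptBlock {
    Get-EventLog -LogName Security -EntryType FailureAudit -After (Get-Date).AddDays(-30)
} | Out-Null

# Later, possibly from a new console: find the disconnected session on DC01,
# reconnect to it and collect what it produced.
$failed = Get-PSSession -ComputerName DC01 |
    Where-Object { $_.State -eq 'Disconnected' } |
    Receive-PSSession
$failed | Group-Object EventID | Sort-Object Count -Descending | Select-Object Count, Name

# Housekeeping: see what is open, then tear everything down.
Get-PSSession
Get-PSSession | Remove-PSSession
```

Remove-PSSession is what actually frees the remote runspace; a session that is merely disconnected keeps running on the target and counts against its limits until it is removed or times out.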
    Article based on information from habrahabr.ru
