I'm trying to get the system security permission for a specific user on a remote system using SysInternals AccessChk
.
If I login to a computer as adminstrator, copy SysInternals tools to my LocalAppdata
folder I can run
[System.IO.FileInfo]$LocalApplicationDataFolder = [System.Environment]::GetFolderPath(
[System.Environment+SpecialFolder]::LocalApplicationData
)
& "$LocalApplicationDataFolder\SysInternals\accesschk64.exe" /accepteula -nobanner -u domain\plainuser -a *
But when using remoting, I get access denied.
Enter-PsSession -ComputerName host1
[System.IO.FileInfo]$LocalApplicationDataFolder = [System.Environment]::GetFolderPath(
[System.Environment+SpecialFolder]::LocalApplicationData
)
& "$LocalApplicationDataFolder\SysInternals\accesschk64.exe" /accepteula -nobanner -u domain\plainuser -a *
Error enumerating account rights:
Access denied.
Ok, dead pan in action ;)
As soon as I published the question I noticed the enumeration
part in the error message.
Due to the PowerShell double hop issue, accesschk
can't of course contact a domain controller to enumerate the user name
as my credentials (normally) isn't part of the remote session...
So this code should work (if accesschk is available at the remote server)...
$MyCred = Get-Credential
$MyConfigName = New-Guid
Invoke-Command -ComputerName host1 {
Register-PsSessionConfiguration `
-Name $Using:MyConfigName `
-RunAsCredential $Using:MyCred
}
Invoke-Command -ComputerName host1 -ConfigurationName $MyConfigName {
[System.IO.FileInfo]$LocalApplicationDataFolder =
[System.Environment]::GetFolderPath(
[System.Environment+SpecialFolder]::LocalApplicationData
)
& "$LocalApplicationDataFolder\SysInternals\accesschk64.exe" /accepteula -nobanner -u domain\plainuser -a *
}
Invoke-Command -ComputerName host1 {
Unregister-PsSessionConfiguration -Name $Using:MyConfigName -Force
}
Note: Other users can use MyConfigName
as I haven't restricted the permissions...