powershellpowershell-remotingwinrmsysinternals

Why can't I run accesschk using a PowerShell remote session to check system permissions?


I'm trying to get the system security permission for a specific user on a remote system using SysInternals AccessChk.

If I login to a computer as adminstrator, copy SysInternals tools to my LocalAppdata folder I can run

[System.IO.FileInfo]$LocalApplicationDataFolder = [System.Environment]::GetFolderPath(
  [System.Environment+SpecialFolder]::LocalApplicationData
)

& "$LocalApplicationDataFolder\SysInternals\accesschk64.exe" /accepteula -nobanner -u domain\plainuser -a *

But when using remoting, I get access denied.

Enter-PsSession -ComputerName host1

[System.IO.FileInfo]$LocalApplicationDataFolder = [System.Environment]::GetFolderPath(
  [System.Environment+SpecialFolder]::LocalApplicationData
)

& "$LocalApplicationDataFolder\SysInternals\accesschk64.exe" /accepteula -nobanner -u domain\plainuser -a *

Error enumerating account rights:
Access denied.


Solution

  • Ok, dead pan in action ;)

    As soon as I published the question I noticed the enumeration part in the error message.
    Due to the PowerShell double hop issue, accesschk can't of course contact a domain controller to enumerate the user name as my credentials (normally) isn't part of the remote session...

    So this code should work (if accesschk is available at the remote server)...

    $MyCred = Get-Credential
    $MyConfigName = New-Guid
    
    Invoke-Command -ComputerName host1 {
      Register-PsSessionConfiguration `
        -Name $Using:MyConfigName `
        -RunAsCredential $Using:MyCred
    }
    
    Invoke-Command -ComputerName host1 -ConfigurationName $MyConfigName {
      [System.IO.FileInfo]$LocalApplicationDataFolder = 
      [System.Environment]::GetFolderPath(
        [System.Environment+SpecialFolder]::LocalApplicationData
      )
    
      & "$LocalApplicationDataFolder\SysInternals\accesschk64.exe" /accepteula -nobanner -u domain\plainuser -a *
    }
    
    Invoke-Command -ComputerName host1 {
      Unregister-PsSessionConfiguration -Name $Using:MyConfigName -Force
    }
    

    Note: Other users can use MyConfigName as I haven't restricted the permissions...