PowerShell V2 Remoting on Workgroup Joined Computers – YES It Can Be Done

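There are a number of extra steps to take to get V2 remoting to work on workgroup joined computers like the ones in your home – unless you’re running a DC at home (sick puppy).  First up is a registry setting that makes V2 remoting work on workgroup computers. Setting LocalAccountTokenFilterPolicy to 1 turns off UAC remote token filtering, so a local administrator account that connects over the network gets its full administrative token: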

PS> new-itemproperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -name LocalAccountTokenFilterPolicy -propertyType DWord -value 1

Be sure to run this from an elevated prompt.  Then from that same elevated prompt, execute the following cmdlet:

PS> Enable-PSRemoting

Verify that remoting is working on this PC by executing the following command (also from an elevated prompt):

PS> Enter-PSSession localhost

If remoting is working you should get a prompt something like this:

[localhost]: PS C:\Users\Keith\Documents>

Note: If you are trying to get PowerShell 2.0 remoting working on an XPMode virtual machine (you know, the one you get for free with Windows 7 Pro or higher), then you need to enable the Classic sharing and security model for local accounts like so:

  1. Run Secpol.msc
  2. Navigate to Security Settings -> Local Policies -> Security Options -> "Network access: Sharing and security model for local accounts"
  3. Change it to "Classic" mode.

Now try re-running Enable-PSRemoting and it should work.

Finally, on the PC(s) that you want to use to initiate remoting, execute this command so that all the local target computers are trusted:

PS> set-item wsman:localhost\client\trustedhosts -value *

Now, at this point you should be able to enter a new PSSession to a remote computer.  Note that you don’t have to be in an elevated prompt to do this.  However, you will need to pass your credentials to the remote computer like so:

PS> $cred = Get-Credential  # Type in the username/password for an admin account on the remote PC
PS> Enter-PSSession MediaCenterPC -cred $cred
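
TrustedHosts is the list of machines the client will authenticate to over NTLM without being able to verify their identity, and a value of * puts every host on that list. The following is an added example, not part of the original post, that trusts only named machines instead; the function name Add-TrustedHost is hypothetical, and MediaCenterPC is the target used in this post.

```powershell
# Added example: trust only named workgroup machines instead of '*'.
# Run from an elevated prompt on the PC that initiates remoting.
function Add-TrustedHost {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item $path).Value

    # A wildcard already trusts everything; drop it and start from an empty list.
    if ($current -eq '*') { $current = '' }

    # Split the existing comma-separated list, discarding blanks.
    $existing = @($current -split ',' |
                  ForEach-Object { $_.Trim() } |
                  Where-Object { $_ })

    # Merge old and new names without duplicates (comparison is case-insensitive).
    $merged = @($existing + $ComputerName | Sort-Object -Unique)

    Set-Item $path -Value ($merged -join ',') -Force

    # Return the value WinRM now holds so the caller can confirm it.
    (Get-Item $path).Value
}

Add-TrustedHost -ComputerName 'MediaCenterPC'
```

Pass several names in one call to trust more than one target; Enter-PSSession to any machine not on the list will then fail on a workgroup client instead of sending it credentials.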

Credential Delegation

One other area that can bite you is credential delegation.  Here is the scenario.  Say you remote into a PC and from that PC you want to access files on another PC via a UNC share.  As things stand now, you run into the following error:

[mediacenterpc]: PS C:\Users\Keith\Documents> dir \\homeserver\photos
Get-ChildItem : Cannot find path '\\homeserver\photos' because it does not exist.
    + CategoryInfo          : ObjectNotFound: (\\homeserver\photos:String) [Get-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

To fix this you have to enable credential delegation (second hop) and use CredSSP authentication.  First, on the target/remote computer, run this in an elevated prompt.  Note that you can’t run this from a V2 remoting session (you’ll get “access is denied”):

PS> Enable-WSManCredSSP -Role Server

Now on your client/local computer execute the following from an elevated prompt for each remote computer you need credential delegation for:

PS> Enable-WSManCredSSP -Role Client -DelegateComputer <computer_name>

We are close, but there is one last step and it requires a tweak via the local Group Policy editor.  Run gpedit.msc and navigate to Computer Configuration -> Administrative Templates -> System -> Credential Delegation.

Open up the “Allow Delegating Fresh Credentials with NTLM-only Server Authentication” setting.  Enable the setting and then click on the “Show…” button to add a server to the list.  I added mine like so:

Press OK and then press the “Apply” button on the previous dialog to apply the setting.  Now credential delegation will work for that configured remote computer.  Note that when you enter a new PSSession you have to use CredSSP authentication as shown below:

PS> Enter-PSSession MediaCenterPC -Cred $cred -Authentication CredSSP
[mediacenterpc]: PS C:\Users\Keith\Documents> dir \\HomeServer\Software

    Directory: \\HomeServer\Software

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         7/21/2008   9:37 PM            Add-Ins
d----         7/21/2008  10:01 PM            Home PC Restore CD

Note that from the remoting session on MediaCenterPC, I can now see the files shared from my Windows Home Server.  Woohoo!  It isn’t exactly as straightforward as I would like but it can be done.
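
The steps above change the UAC token filter, the WinRM TrustedHosts list, the CredSSP client and server roles, and the NTLM-only delegation policy. The following read-only check is an added example, not part of the original post, that reports all of them on one machine; the function name Get-WorkgroupRemotingState is hypothetical, and the CredentialsDelegation registry path is where Windows stores the Group Policy setting named above.

```powershell
# Added example: report the settings this walkthrough changes. Read-only.
# Run from an elevated prompt (the WSMan: drive requires it).
function Get-WorkgroupRemotingState {
    $sys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $deleg = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' +
             '\AllowFreshCredentialsWhenNTLMOnly'

    # $null when the value was never created; 1 means remote token filtering is off.
    $filter = (Get-ItemProperty -Path $sys -Name LocalAccountTokenFilterPolicy `
               -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    # Each value under the policy key is one server allowed to receive
    # delegated credentials when only NTLM authentication is available.
    $targets = @()
    if (Test-Path $deleg) {
        $key     = Get-Item $deleg
        $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    New-Object PSObject -Property @{
        LocalAccountTokenFilterPolicy = $filter
        TrustedHosts                  = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        CredSSPClient                 = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        CredSSPServer                 = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        NtlmOnlyDelegationTargets     = $targets
    }
}

Get-WorkgroupRemotingState | Format-List
```

On a machine that no longer needs the second hop, Disable-WSManCredSSP -Role Client and Disable-WSManCredSSP -Role Server turn the two CredSSP roles back off.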
