尝试为我们的SMTP群集编写监控脚本(Powershell),该群集有时会写入3个节点。
当我在本地时,在SMTP群集上运行此命令:
Get-NlbClusterNode
我得到了我需要的输出。
但如果我从远程服务器(相同的网络和域)尝试相同的操作,我会得到:
[smtp-s001a]: PS C:\> Get-NlbClusterNode
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo :
+ FullyQualifiedErrorId :
AccessDenied,Microsoft.NetworkLoadBalancingClusters.PowerShell.GetNlbClusterNode
为什么?只有“Get-NlbClusterNODE”命令才允许我访问被拒绝。 “Get-NlbCluster”举个例子,效果很好。
有什么建议吗?
答案 0 :(得分:0)
我有同样的问题。
我花了一段时间才弄明白。我从我的服务中运行Powershell作为一个过程。该服务在所有主机上的相同用户帐户下运行,但密码是在每个主机/群集节点上随机生成的,这就是为什么我得到“拒绝访问...”一旦我将密码更改为相同,一切正常。< / p>
答案 1 :(得分:0)
我找到了一些解决方法。 在远程会话中使用admin credentional模拟
function EntryPoint()
{
ImportModule-Impersonate;
$impersonate = new-object UserSession.Impersonate;
try
{
if ($impersonate.Login("SKODA", "Administrator", "*****") -eq $false) {
throw new Exception("Invalid credentials");
}
Import-Module NetworkLoadBalancingClusters
Get-NlbClusterNode;
}
finally
{
$impersonate.Dispose();
}
};
function ImportModule-Impersonate {
$assem = @();
$source = @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
namespace UserSession
{
public class Impersonate : IDisposable
{
public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;
private WindowsImpersonationContext _impersonationContext;
[DllImport("advapi32.dll")]
public static extern int LogonUserA(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int DuplicateToken(IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern bool CloseHandle(IntPtr handle);
public bool Login(String domain, String userName, String password)
{
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
if (RevertToSelf())
{
if (LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, ref token) != 0)
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
_impersonationContext = tempWindowsIdentity.Impersonate();
if (_impersonationContext != null)
{
CloseHandle(token);
CloseHandle(tokenDuplicate);
return true;
}
}
}
}
if (token != IntPtr.Zero)
{
CloseHandle(token);
}
if (tokenDuplicate != IntPtr.Zero)
{
CloseHandle(tokenDuplicate);
}
return false;
}
public void Logout()
{
if (_impersonationContext != null)
{
_impersonationContext.Undo();
_impersonationContext = null;
}
}
public void Dispose()
{
Logout();
}
}
}
"@;
Add-Type -ReferencedAssemblies $assem -TypeDefinition $source -Language CSharp
}
EntryPoint;
答案 2 :(得分:0)
同时禁用UAC并重新启动计算机。
答案 3 :(得分:0)
我遇到了完全相同的问题。使用这些凭据访问和运行Get-NlbClusterNode的用户具有正确的权限,但是由于某些无法解释的原因,他遇到了奇怪的错误。
我放弃了调查,并做了以下解决方法:
$username = "domain\user_name"
$securePassword = "secure_hash" | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
$result = Start-Process powershell.exe -WorkingDirectory $PSHome -Credential $credential -ArgumentList ("-File $PSScriptRoot\your-script.ps1") | Out-Null
如果在your-script.ps1中输入:
Invoke-Command -ComputerName "your-remote-server" -ScriptBlock {
Get-NlbClusterNode
#Any other commands you want here
}
它按预期工作...