如何解决“Get-WmiObject:访问被拒绝”的问题?

时间:2013-09-03 14:18:19

标签: powershell wmi cmdlets elevated-privileges

我有两个有效的PowerShell脚本。您可以使用:

调用script1.ps1
.\script1.ps1 "sender-ip=10.10.10.10"

该脚本应该返回userId=DOMAIN/UserId。第一个脚本:

#script1.ps1

$abc = $args
$startInfo = $NULL
$process = $NULL
$standardOut = $NULL

<#Previously created password file in C:\Script\cred.txt, read-host -assecurestring | convertfrom-securestring | out-file C:\Script\cred.txt#>
$password = get-content C:\Script\cred.txt | convertto-securestring

$startInfo = New-Object System.Diagnostics.ProcessStartInfo
$startInfo.FileName = "powershell.exe"
$startInfo.Arguments = "C:\script\script2.ps1 " + $abc

$startInfo.RedirectStandardOutput = $true
$startInfo.UseShellExecute = $false
$startInfo.CreateNoWindow = $false
$startInfo.Username = "Username"
$startInfo.Domain = "DOMAIN"
$startInfo.Password = $password 

$process = New-Object System.Diagnostics.Process
$process.StartInfo = $startInfo
$process.Start() | Out-Null
$standardOut = $process.StandardOutput.ReadToEnd()
$process.WaitForExit()

# $standardOut should contain the results of "C:\script\script1.ps1"
$standardOut 

这是整个工作脚本.ps1

#script2.ps1

$line_array = @()
$multi_array = @()
[hashtable]$my_hash = @{}
$Sender_IP = $NULL
$Win32OS = $NULL
$Build = $NULL
$LastUser = $NULL
$UserSID = $NULL
$userID=$NULL
$output = $NULL


foreach ($i in $args){
   $line_array+= $i.split(" ")
}

foreach ($j in $line_array){
    $multi_array += ,@($j.split("="))
}

foreach ($k in $multi_array){
    $my_hash.add($k[0],$k[1])
}

$Sender_IP = $my_hash.Get_Item("sender-ip")


<#Gather information on the computer corresponding to $Sender_IP#>

$Win32OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Sender_IP 


<#Determine the build number#>
$Build = $Win32OS.BuildNumber


<#Running Windows Vista with SP1 and later, i.e. $Build is greater than or equal to 6001#>
if($Build -ge 6001){
    $Win32User = Get-WmiObject -Class Win32_UserProfile -ComputerName $Sender_IP
    $Win32User = $Win32User | Sort-Object -Property LastUseTime -Descending
    $LastUser = $Win32User | Select-Object -First 1
    $UserSID = New-Object System.Security.Principal.SecurityIdentifier($LastUser.SID)
    $userId = $UserSID.Translate([System.Security.Principal.NTAccount])
    $userId = $userId.Value
}


<#Running Windows Vista without SP1 and earlier, i.e $Build is less than or equal to 6000#>
elseif ($Build -le 6000){
    $SysDrv = $Win32OS.SystemDrive
    $SysDrv = $SysDrv.Replace(":","$")
    $ProfDrv = "\\" + $Sender_IP + "\" + $SysDrv
    $ProfLoc = Join-Path -Path $ProfDrv -ChildPath "Documents and Settings"
    $Profiles = Get-ChildItem -Path $ProfLoc
    $LastProf = $Profiles | ForEach-Object -Process {$_.GetFiles("ntuser.dat.LOG")}
    $LastProf = $LastProf | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1
    $userId = $LastProf.DirectoryName.Replace("$ProfLoc","").Trim("\").ToUpper()
}

else{
    $userId = "Unknown/UserID"
}

if ($userId -ne $NULL){
    $output = "userId=" + $userId
}
elseif ($userID -eq $NULL)
{
    $userId = "Unknown/UserID"
    $output = "userId=" + $userId
}


$output.replace("\","/") 

这是我的问题。在我们域中的大多数IP地址上,它返回:

  

Get-WmiObject:访问被拒绝。 (HRESULT的例外情况:0x80070005   (E_ACCESS DENIED))

我研究了这个,并且 "get-wmiobject win32_process -computername" gets error "Access denied , code 0x80070005"建议授予提升的帐户权限,以便在整个域中运行WMI。

这篇文章http://technet.microsoft.com/en-us/library/cc787533(v=ws.10).aspx解释了如何做到这一点。

但是说服负责域名的团队为这个提升的帐户授予WMI权限将是一个延伸。并且,该脚本能够返回域中某些IP地址的UserId。

还有另一种解决方法吗?我应该在谷歌上研究什么?

1 个答案:

答案 0 :(得分:1)

您是否考虑过使用Invoke-Command并使用PowerShell Remoting远程执行脚本2?

您的远程脚本可以使用其他凭据执行,您可能会更好地说服您的安全团队启用PowerShell远程处理而不是WMI。通过invoke-command运行时,你的wmi查询将是机器的本地查询,因此将有更好的工作机会,它也避免了读取标准输出缓冲区的需要。

为了帮助您入门,请尝试Enter-PSSession,因为这样您就可以快速确定让PS Remoting在您的环境中工作所需的工作量。

将来您可能希望同时定位多台计算机,在这种情况下,PS Remoting和Start-Job会有所帮助。