我想在一些随机的时间间隔内在各种Windows节点上远程运行少量作业。我可以使用PS远程登录到远程计算机并在那里创建一个任务以在某个特定用户帐户下运行它。
为了让PS Remoting工作,我知道我不需要成为following article的管理员,但是我无法理解安排任务所需的最低权限是什么< / strong>在该脚本用户的远程计算机上。
我不想使用管理员帐户,因为这可能会导致我在这些计算机上打开安全风险。
有人可以帮助我。我正在使用C#应用程序启动与该计算机的远程PowerShell连接,如下所示。
private void StartCollection(string triggerId, ActivationData parameters)
{
string scriptUserName = parameters.Params["PSUser"];
string scriptUserPassword = parameters.Params["PSUserPassword"];
string remotecomputerName = parameters.Params["ComputerName"];
string scheme = parameters.Params["PSScheme"];
string port = parameters.Params["PSPort"];
var agentFile = Path.Combine(parameters.AssemblyPath, parameters.FileName);
List<string> allParams = new List<string>();
allParams.Add(String.Format("-trigger {0} -collector {1} ", triggerId, parameters.CollectorId));
allParams.Add(String.Format("-monitored_by {0} -monitored_at {1}", parameters.Monitoring.Name, parameters.Monitoring.InterfacePoint));
foreach (var param in parameters.Params)
{
if (!ConfigurationKeys.Contains(param.Key))
{
allParams.Add(string.Format("-{0} {1}", param.Key, param.Value));
}
}
var cmdLineParams = string.Join(" ", allParams.ToArray());
// Cred to execute PS on the remote computer.
SecureString securePassword = scriptUserPassword.ToSecureString();
PSCredential scriptCred = new PSCredential(scriptUserName, securePassword);
var remoteUriStr = String.Format("{0}://{1}:{2}/wsman", scheme, remotecomputerName, port);
var remoteComputer = new Uri(remoteUriStr);
var connection = String.IsNullOrEmpty(scriptUserName) ? new WSManConnectionInfo(remoteComputer) : new WSManConnectionInfo(remoteComputer, null, scriptCred);
//connection.AuthenticationMechanism = AuthenticationMechanism.Credssp;
var runspace = RunspaceFactory.CreateRunspace(connection);
runspace.Open();
using (var powershell = PowerShell.Create())
{
powershell.Runspace = runspace;
//Cred to run the agent under: Job credential.
SecureString jobPass = parameters.UserCred.Item2.ToSecureString();
string jonUser = parameters.UserCred.Item1;
PSCredential jobCred = new PSCredential(jonUser, jobPass);
var scriptfile = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Start-Program.ps1");
Command command = new Command(scriptfile);
command.Parameters.Add("ComputerName", remotecomputerName);
command.Parameters.Add("StartTime", "22:50");
command.Parameters.Add("Program", agentFile);
command.Parameters.Add("Parameters", cmdLineParams);
command.Parameters.Add("TaskCredential", jobCred);
powershell.Commands.AddCommand(command);
var results = powershell.Invoke();
runspace.Close();
Console.WriteLine("Outputing the PS1 Result: {0}: " ,parameters.CollectorId);
foreach (var obj in results.Where(o => o != null))
{
Console.WriteLine("\t" + obj);
}
if (powershell.Streams.Error.Count > 0)
{
var errors = from err in powershell.Streams.Error select err.ErrorDetails.Message;
throw new Exception(String.Join(Environment.NewLine, errors.ToArray()));
}
}
}
答案 0 :(得分:0)
设置PS Remoting权限后,为其提供任务计划访问权限的简单方法是使远程用户成为目标服务器上本地“Backup Operators”组的成员。这将为他们提供在服务器上安排和管理任务的必要权限,但也会为他们提供对该服务器上文件的间接读访问权。
如果仍有太多访问权限,那么我已经看到了通过ACL授予对目标服务器上C:\ Windows \ Tasks文件夹的控制权的引用,但我自己从未尝试过。