Introduction
The previous article in this series explored Active Directory Domain Services management with PowerShell. Now we will examine the remoting features in PowerShell 4.0 and explore the protocols, services, and configurations needed for remoting to function. There will be demonstrations to highlight how remoting works by getting information, creating objects, changing settings, and assigning user permissions to a group of computers remotely.
Windows PowerShell Remoting
Windows PowerShell remoting provides a method to transmit any command to a remote computer for local execution. The commands do not have to be available on the computer that originates the connection; it is enough if only the remote computers are able to execute the commands.
Windows PowerShell remoting relies on the Web Services for Management (WS-Man) protocol. WS-Management is a Distributed Management Task Force (DMTF) open standard that depends on the HTTP (or HTTPS) protocol. The Windows Remote Management (WinRM) service is the Microsoft implementation of WS-Management. WinRM is at the core of Windows PowerShell remoting, but the service can also be used by other, non-PowerShell applications.
By default, WS-Man and PowerShell remoting use ports 5985 and 5986 for connections over HTTP and HTTPS, respectively. This is much friendlier to network firewalls than legacy communication protocols such as the Distributed Component Object Model (DCOM) and Remote Procedure Call (RPC), which use numerous ports and dynamic port mappings.
Remoting is enabled by default on Windows Server 2012, and it is required by the Server Manager console to communicate with other Windows servers, and even to connect to the local computer where the console is running. On client operating systems, such as Windows 7 or Windows 8, remoting is not enabled by default.
Once enabled, remoting registers at least one listener. Each listener accepts incoming traffic through either HTTP or HTTPS; listeners can be bound to one or multiple IP addresses. Incoming traffic specifies the intended destination, or endpoint. These endpoints are also known as session configurations.
While this article concentrates on the remoting feature of Windows PowerShell, it is worth noting that there are other remote connectivity protocols that are also used by specific PowerShell cmdlets. For instance, some cmdlets use the RPC protocol, while others depend on the Remote Registry service. These other communication protocols require additional firewall configuration to allow those PowerShell commands to be executed across the network.
Enabling PowerShell Remoting on a Local Computer
You may need to enable remoting on Windows clients, older Windows Server operating systems, or Windows Server 2012 if it has been disabled. However, keep in mind that remoting only has to be enabled on the computers that you will connect to; no configuration is needed on the computer from which you are sending the commands.
To manually enable remoting, run the Enable-PSRemoting cmdlet as shown below:
Figure 1
Running the Enable-PSRemoting cmdlet makes the following changes to the computer:
- Sets the WinRM service to start automatically and restarts it.
- Registers the default endpoints (session configurations) for use by Windows PowerShell.
- Creates an HTTP listener on port 5985 for all local IP addresses.
- Creates an exception in the Windows Firewall for incoming TCP traffic on port 5985.
Running Get-PSSessionConfiguration exposes the endpoints created by Enable-PSRemoting.
Figure 2
Enabling PowerShell Remoting Using Group Policy
If you have a large number of computers, configuring a Group Policy Object (GPO) may be a better choice for enabling remoting than manually executing the Enable-PSRemoting cmdlet on each system.
The order is not important, but the following three steps must be completed for the GPO to take effect and enable remoting on your domain computers:
- Create a Windows Firewall exception for the WinRM service on TCP port 5985
- Allow the WinRM service to automatically listen for HTTP requests
- Set the WinRM service to start automatically
Create a Windows Firewall exception for the WinRM service on TCP port 5985
- To create the firewall exception, use the Group Policy Management Console and navigate to Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile.
Figure 3
- Right-click Windows Firewall: Define inbound program exceptions and select Edit.
Figure 4
- Click Show; in the Show Contents dialog box, under Value, enter the following line: 5985:TCP:*:Enabled:WinRM, as seen below:
Figure 5
Allow the WinRM service to automatically listen for HTTP requests
- Again using Group Policy Management, this setting can be located under Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.
Figure 6
- Right-click Allow remote server management through WinRM and select Edit. Click Enabled and specify the IPv4 and IPv6 filters, which define the IP addresses on which listeners will be configured. You can enter the * wildcard to indicate all IP addresses.
Figure 7
Set the WinRM service to start automatically
- This setting can be found under Computer Configuration\Windows Settings\Security Settings\System Services\Windows Remote Management (WS-Management).
Figure 8
- Right-click Windows Remote Management (WS-Management), select Properties, and set the startup mode to “Automatic.”
Figure 9
Once all the preceding GPO settings are completed and the Group Policy is applied, your domain computers within the policy scope will be ready to accept incoming PowerShell remoting connections.
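Whether remoting was enabled with Enable-PSRemoting or through the three GPO settings above, the resulting state can be checked on the target computer. The following is an added example, not code from the original article; it assumes an elevated PowerShell 4.0 console on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), and inspects the service, listener, firewall rule and endpoint permissions that the preceding sections describe.

```powershell
# Added example (not from the original article): verify what Enable-PSRemoting or the
# GPO settings left on this computer. Run elevated, on the computer being checked.
# Assumes Windows 8 / Server 2012 or later so that Get-NetFirewallRule is available.

# 1. The WinRM service must be running and set to start automatically.
Get-WmiObject Win32_Service -Filter "Name='WinRM'" |
    Select-Object Name, State, StartMode

# 2. At least one listener should exist. The default created by Enable-PSRemoting is
#    Transport=HTTP, Port=5985, Address=* (all local IP addresses); an HTTPS listener
#    would show port 5986 and a certificate thumbprint.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Address, Transport, Port, Enabled, ListeningOn

# 3. The inbound firewall rules for WinRM must be enabled and allow TCP 5985.
#    Each rule is paired with its port filter so the allowed port is visible.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object Enabled -eq 'True' |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Profile = $_.Profile
            Port    = $portFilter.LocalPort
        }
    }

# 4. The endpoints (session configurations) and who may connect to each one. Permission
#    is the list worth reviewing: by default only Administrators (and, on Windows 8 /
#    Server 2012 and later, Remote Management Users) may use the default endpoints.
Get-PSSessionConfiguration |
    Select-Object Name, PSVersion, Permission

# 5. Confirm the local listener answers a WS-Man identify request.
Test-WSMan
```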
Using Remoting
There are two common options for approaching remoting with PowerShell. The first is known as one-to-one remoting, in which you make a single remote connection and a prompt is displayed on the screen where you can enter the commands that are executed on the remote computer. On the surface, this connection looks like an SSH or telnet session, even though it is a very different technology under the hood. The second option is called one-to-many remoting, and it is especially suited for situations in which you want to run the same commands or scripts in parallel on several remote computers.
One-to-One Remoting (1:1)
The Enter-PSSession cmdlet is used to start a one-to-one remoting session. After you execute the command, the Windows PowerShell prompt changes to indicate the name of the computer that you are connected to. See the figure below.
Figure 10
During this one-to-one session, the commands you enter at the session prompt are transported to the remote computer for execution. The commands’ output is serialized into XML format and transmitted back to your computer, which then deserializes the XML data into objects and carries them into the Windows PowerShell pipeline. At the session prompt, you are not limited to entering commands; you can run scripts, import PowerShell modules, or add PSSnapins that are registered on the remote computer.
There are some caveats to this remoting feature that you need to be aware of. By default, WinRM only allows remote connections to the actual computer name; IP addresses or DNS aliases will fail. PowerShell does not load profile scripts on the remote computer, and to run other PowerShell scripts, the execution policy on the remote computer must be set to allow it. If you use the Enter-PSSession cmdlet in a script, the script would run on the local machine to make the connection, but none of the script commands would be executed remotely, because they were not entered interactively at the session prompt.
One-to-Many Remoting
With one-to-many remoting, you can send a single command or script to multiple computers at the same time. The commands are transported and executed on the remote computers, and each computer serializes the results into XML format before sending them back to your computer. Your computer deserializes the XML output into objects and moves them to the pipeline in the current PowerShell session.
The Invoke-Command cmdlet is used to execute one-to-many remoting connections. The -ComputerName parameter of Invoke-Command accepts an array of names (strings); it can also receive the names from a file or get them from some other source. For instance:
A comma-separated list of computers:
-ComputerName FS1,CoreG2,Server1
Reads names from a text file named Servers.txt:
-ComputerName (Get-Content C:\Servers.txt)
Reads a CSV file named Comp.csv that has a Computer column with computer names:
-ComputerName (Import-Csv C:\Comp.csv | Select-Object -ExpandProperty Computer)
Queries Active Directory for computer objects:
-ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name)
Here is an example of using remoting to obtain the MAC addresses of a group of computers:
<code>
Invoke-Command -ComputerName FS1,CoreG2,Server1 -ScriptBlock `
{Get-NetAdapter |Select-Object -Property SystemName,Name,MacAddress |
Format-Table}
</code>
Here is the output:
Figure 11
Here is another example. Let’s say that you need to create a folder on each computer to store drivers and, at the same time, you want to assign full control permission to a domain user named User1 to access the folder. Here is one way you could code the solution:
<code>
Invoke-Command -ComputerName Fs1,CoreG2,Server1,Win81A `
-ScriptBlock {New-Item -ItemType Directory -Path c:\Drivers
$acl = Get-Acl c:\Drivers
$User1P = "lanztek\User1","FullControl","Allow"
$User1A = New-Object System.Security.AccessControl.FileSystemAccessRule $User1P
$acl.SetAccessRule($User1A)
$acl | Set-Acl c:\Drivers}
</code>
The preceding script may be run from any accessible computer in the network. It creates a folder named “Drivers” on the root of the C drive on each of the computers that it touches.
The $acl variable stores the security descriptor of the Drivers folder; $User1P defines the permission level for User1 (full control). The $User1A variable holds a new object that defines an access rule for a file or directory. $User1A is used to modify the security descriptor ($acl). The last line of the script pipes the modified security descriptor ($acl) to the Set-Acl cmdlet. Finally, the Set-Acl cmdlet applies the security descriptor to the Drivers folder.
Once the script executes, you get immediate confirmation that the folder has been created on each of the remote computers.
Figure 12
One-to-many remoting can be used once again to verify that User1 has full control permission on the Drivers folder:
<code>
Invoke-Command -ComputerName Fs1,CoreG2,Server1,Win81A `
-ScriptBlock {Get-Acl c:\Drivers |
Select-Object PSComputerName,AccessToString}
</code>
Figure 13
By default, remoting connects to up to 32 computers at the same time. If you include more than 32 computers, PowerShell starts working with the first 32 and queues the remaining ones. As computers from the first batch complete their tasks, the others are pulled from the queue for processing. You can use the -ThrottleLimit parameter of the Invoke-Command cmdlet to increase or decrease that number.
Persistent PSSessions
When using Invoke-Command with the -ComputerName parameter, the remote computer creates a new instance of PowerShell to run your commands or scripts, sends the results back to you, and then closes the session. Each time Invoke-Command runs, even if it does so against the same computers, a new session is created, and any work done by a previous session will not be available in memory to the new connection. The same can be said when you use Enter-PSSession with the -ComputerName parameter and then exit the connection by closing the console or using the Exit-PSSession command.
It is good to know that PowerShell has the capability to establish persistent connections (PSSessions) by using the New-PSSession cmdlet. New-PSSession allows you to launch a connection to one or more remote computers and starts an instance of Windows PowerShell on every target computer. Then you run Enter-PSSession or Invoke-Command with their -Session parameter to use the existing PSSession instead of starting a new session. Now you can execute commands on the remote computer and exit the session without killing the connection. Superb!
In the following example, the New-PSSession cmdlet is used to create four different PSSessions; the PSSessions are stored in a variable named $Servers. Get-Content reads the computer names from a text file named Servers.txt and passes that information to New-PSSession via the -ComputerName parameter.
<code>
$Servers = New-PSSession -ComputerName (Get-Content c:\Servers.txt)
</code>
After running the command, typing $Servers or Get-PSSession will allow you to confirm that the sessions have been created.
Figure 14
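To show what the persistent sessions actually buy you, here is an added example (not code from the original article) that reuses the $Servers sessions across two Invoke-Command calls, demonstrates that a variable left in the remote runspace survives between calls, and then closes the sessions. It assumes C:\Servers.txt exists as in the article and that the listed computers already accept remoting from the caller.

```powershell
# Added example (not from the original article): reuse persistent PSSessions across
# several Invoke-Command calls and clean them up afterwards.
# Assumes C:\Servers.txt lists computers with remoting enabled.
$Servers = New-PSSession -ComputerName (Get-Content C:\Servers.txt)

# Computers that could not be reached are simply absent from $Servers; compare the
# count against the input list so a silent failure on one host is not overlooked.
$expected = (Get-Content C:\Servers.txt).Count
if ($Servers.Count -ne $expected) {
    Write-Warning "Only $($Servers.Count) of $expected sessions were opened."
}

# Call 1: stage a value in each remote runspace. With -ComputerName this variable would
# be gone as soon as the command returned, because that session is discarded.
Invoke-Command -Session $Servers -ScriptBlock {
    $adapters = Get-NetAdapter | Where-Object Status -eq 'Up' |
        Select-Object Name, MacAddress
}

# Call 2, any time later while the sessions stay open: the variable is still there.
# -ThrottleLimit (see the earlier section) applies to -Session just as to -ComputerName.
Invoke-Command -Session $Servers -ThrottleLimit 16 -ScriptBlock { $adapters } |
    Format-Table PSComputerName, Name, MacAddress -AutoSize

# Between calls the sessions remain open: State should be Opened and Availability
# Available while no command is running in them.
Get-PSSession | Select-Object Id, ComputerName, State, Availability

# Enter-PSSession -Session $Servers[0] would give the one-to-one prompt inside the
# same runspace; Exit-PSSession leaves the prompt but keeps the session alive.

# Each open session holds a PowerShell process on the remote computer, so remove the
# sessions when the work is done instead of leaving idle runspaces behind.
Remove-PSSession -Session $Servers
```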