3

I want to run a few scripts on a few servers, but the issue is that all of them are on different domains. If they are on the same domain then I am able to run it in PowerShell, but across domains how would I do that? Can anyone throw some light on this?

2
  • At work we frequently acquire competitors; usually they want us to support them without a cross-forest trust setup. Our workaround is to provide $admin creds from the correct forest while in that domain. Commented Jan 1, 2014 at 16:17
  • I think I am not clear enough, so let me reframe the question. When I am in a domain, say domain1, and I need to run a script on domain2.server41 (server41 is the server on domain2), I wanted to know how it can be done. I am already the admin user on server41. So do I need to become admin of domain2 as well, or do I need to do this from a central domain instead of domain1? Note: domain1 is not my central domain. Commented Jan 2, 2014 at 5:36

3 Answers

3

On the server side

Enable-PSRemoting 

On the client side, execute the following commands:

cd WSMan:\localhost\Client

Set-Item AllowUnencrypted -Value $true -force

Set-Item TrustedHosts -Value * -force

Then, to create a session on the server machine from the client machine, use the following commands:

$cred=get-credential

$Session= New-PSSession -computername Server01 -credential $cred  -Port 5985

Enter-PSSession $Session

(A valid credential on the server machine should be given.)

1

This might be a good application for PS constrained sessions with delegation.

You can designate the credentials that will be used to run the commands in the session configuration, and limit what can be run in the session, so you can create a session you can connect to without having domain credentials, and within that session you can run just those scripts and they will be automatically run using credentials that are set in the session configuration.

http://ramblingcookiemonster.wordpress.com/2013/07/20/granular-access-via-powershell-remoting/


0

I don't know if you're talking 2, 20 or 200 servers here (or the number of admins), but what I would do (if I had administrative access to the domains) would be to implement some kind of "administrative execution account" on each domain. I would then build logic to save creds to file on the workstation/management server initiating the connection (if the password is the same across domains it would be very easy - maybe too easy)

It should be easy enough to build logic to pick up the correct credentials file based on the computer domain, construct a credential object, and connect with it - basically some proxy functions for the most common remoting cmdlets like New-PSSession and the like.

This would ensure that each operator would have to type in the username/password to each domain manually before using the script (saving the creds to file), which should help prevent unauthorized access.
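A sketch of the per-domain credential file approach described in this answer, added as an example and not code from the answer's author. `$CredStore`, `Get-DomainFromFqdn`, `Save-DomainCredential`, `New-DomainPSSession` and the `domain2.example` names are hypothetical, and an HTTPS WinRM listener on the target is assumed.

```powershell
# Added example: one saved credential file per domain plus a New-PSSession wrapper.
# All function names and $CredStore are hypothetical, chosen for illustration.
$CredStore = Join-Path $env:LOCALAPPDATA 'RemotingCreds'

function Get-DomainFromFqdn {
    param([Parameter(Mandatory)][string]$ComputerName)
    # server41.domain2.example -> domain2.example; a bare host name has no domain part
    $hostName, $domain = $ComputerName -split '\.', 2
    if (-not $domain) {
        throw "Use a fully qualified name so the domain can be determined: $ComputerName"
    }
    $domain.ToLowerInvariant()
}

function Save-DomainCredential {
    param([Parameter(Mandatory)][string]$Domain)
    if (-not (Test-Path $CredStore)) {
        New-Item -ItemType Directory -Path $CredStore | Out-Null
    }
    # The operator types the password once per domain. On Windows, Export-Clixml
    # protects the password with DPAPI, so the file can only be decrypted by the
    # same user on the same machine.
    $file = Join-Path $CredStore "$($Domain.ToLowerInvariant()).xml"
    Get-Credential -Message "Execution account for $Domain" | Export-Clixml -Path $file
}

function New-DomainPSSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $domain = Get-DomainFromFqdn -ComputerName $ComputerName
    $file = Join-Path $CredStore "$domain.xml"
    if (-not (Test-Path $file)) {
        throw "No saved credential for $domain. Run Save-DomainCredential -Domain $domain first."
    }
    $cred = Import-Clixml -Path $file
    # Assumption: the target has an HTTPS WinRM listener (default port 5986)
    # with a certificate this client trusts.
    New-PSSession -ComputerName $ComputerName -Credential $cred -UseSSL
}

# Usage with constructed names:
#   Save-DomainCredential -Domain 'domain2.example'
#   $s = New-DomainPSSession -ComputerName 'server41.domain2.example'
#   Invoke-Command -Session $s -FilePath .\script.ps1
```

Because each file is bound to the operator's own Windows profile, copying it to another account or machine does not expose the password.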
