问题描述
使用Powershell在多台计算机上通过HTTPS配置WinRM
我整理了以下脚本,以通过HTTPS配置WinRM,它在每台计算机上都可以很好地工作。我很难重新编码它以便在一个文本文件中的多台计算机上远程运行。
此外,我还想进行某种形式的日志记录和检查,以检查出现故障或带回任何类型错误的计算机。
任何帮助将不胜感激。
$user = "Account to Use - Service Account Suggested"
$Certname = "HOSTNAME FQDN"
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname
$pw = ConvertTo-securestring -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint
WinRM e winrm/config/listener
#winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="$Certname"; CertificateThumbprint=$thumbprint}'
New-Item WSMan:\localhost\Listener -Address * -Transport HTTPS -HostName $Certname -CertificateThumbPrint $thumbprint
$port=5986
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=$port
net localgroup "Remote Management Users" /add $user
net localgroup "Event Log Readers" /add $user
Restart-Service WinRM
Restart-Service Winmgmt -Force
#Adding the below script should replace "winrm configSDDL default"
$GENERIC_READ = 0x80000000
$GENERIC_WRITE = 0x40000000
$GENERIC_EXECUTE = 0x20000000
$GENERIC_ALL = 0x10000000
# get SID of user/group to add
$user_sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $user).Translate([System.Security.Principal.SecurityIdentifier])
# get the existing SDDL of the WinRM listener
$sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
# convert the SDDL string to a SecurityDescriptor object
$sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false,$false,$sddl
# apply a new DACL to the SecurityDescriptor object
$sd.discretionaryAcl.AddAccess(
[System.Security.AccessControl.AccessControlType]::Allow,$user_sid,($GENERIC_READ -bor $GENERIC_EXECUTE),[System.Security.AccessControl.InheritanceFlags]::None,[System.Security.AccessControl.PropagationFlags]::None
)
# get the SDDL string from the changed SecurityDescriptor object
$new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
# apply the new SDDL to the WinRM listener
Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force```
解决方法
我们进行评论交流的后续行动。
假设这条线...
$user = "Account to Use - Service Account Suggested"
...对于所有系统来说都是相同的,然后用任何东西预先填充,然后...
(Get-ADComputer -Filter 'OperatingSystem -NotLike "*Server" -and enabled -eq "True"').Name |
ForEach {
$user = "Account to Use - Service Account Suggested"
$Certname = $PSItem
...
}
您已经在这里动态要求提供证书名称...
$Cert = New-SelfSignedCertificate -certstorelocation 'cert:\localmachine\my' -dnsname $Certname
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint
...所以没什么可传递的。
但是,要在远程目标上运行此脚本,只需使用正常的默认PSRemoting远程会话设置即可。
Invoke-Command -ComputerName Server01 -ScriptBlock {Get-Culture}
所以,像这样...
$Creds = Get-Credential -Credential "$env:USERDOMAIN\$env:USERNAME"
(Get-ADComputer -Filter 'OperatingSystem -NotLike "*Server" -and enabled -eq "True"').Name |
ForEach {
Invoke-Command -ComputerName $PSItem -ScriptBlock {
$user = "Account to Use - Service Account Suggested"
$Certname = $PSItem
...
} -Credential $Creds
}
,
以下脚本给我以下错误
ngnix
CloneCert and DnsName parameters cannot both be empty
+ CategoryInfo : NotSpecified: (:) [New-SelfSignedCertificate],ParameterBindingException
+ FullyQualifiedErrorId : RuntimeException,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand
+ PSComputerName : XXX.local
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1,172.17.62.29,::1,fe80::c5c5:a94f:341c:48fa%13
Cannot validate argument on parameter 'HostName'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
+ CategoryInfo : InvalidData: (:) [New-Item],ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.NewItemCommand
+ PSComputerName : XXXX.local
An error occurred while attempting to contact the Windows Firewall service. Make sure that the service is running and try your request again.