使用Powershell在多台计算机上通过HTTPS配置WinRM

编程问答 2022-11-01

问题描述

使用Powershell在多台计算机上通过HTTPS配置WinRM

我整理了以下脚本,以通过HTTPS配置WinRM,它在每台计算机上都可以很好地工作。我很难重新编码它以便在一个文本文件中的多台计算机上远程运行。

此外,我还想进行某种形式的日志记录和检查,以检查出现故障或带回任何类型错误的计算机。

任何帮助将不胜感激。

$user = "Account to Use - Service Account Suggested"
$Certname = "HOSTNAME FQDN"
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname
$pw = ConvertTo-securestring -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint
WinRM e winrm/config/listener
#winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="$Certname"; CertificateThumbprint=$thumbprint}'
New-Item WSMan:\localhost\Listener -Address * -Transport HTTPS -HostName $Certname -CertificateThumbPrint $thumbprint
$port=5986
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=$port
net localgroup "Remote Management Users" /add $user
net localgroup "Event Log Readers" /add $user
Restart-Service WinRM
Restart-Service Winmgmt -Force


#Adding the below script should replace "winrm configSDDL default"
$GENERIC_READ = 0x80000000
$GENERIC_WRITE = 0x40000000
$GENERIC_EXECUTE = 0x20000000
$GENERIC_ALL = 0x10000000

# get SID of user/group to add

$user_sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $user).Translate([System.Security.Principal.SecurityIdentifier])

# get the existing SDDL of the WinRM listener
$sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value

# convert the SDDL string to a SecurityDescriptor object
$sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false,$false,$sddl

# apply a new DACL to the SecurityDescriptor object
$sd.discretionaryAcl.AddAccess(
[System.Security.AccessControl.AccessControlType]::Allow,$user_sid,($GENERIC_READ -bor $GENERIC_EXECUTE),[System.Security.AccessControl.InheritanceFlags]::None,[System.Security.AccessControl.PropagationFlags]::None
)

# get the SDDL string from the changed SecurityDescriptor object
$new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# apply the new SDDL to the WinRM listener
Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force```

解决方法

我们进行评论交流的后续行动。

假设这条线... 

$user       = "Account to Use - Service Account Suggested"

...对于所有系统来说都是相同的,然后用任何东西预先填充,然后...

Get-ADComputer (activedirectory) | Microsoft Docs

about_Foreach - PowerShell | Microsoft Docs 

(Get-ADComputer -Filter 'OperatingSystem -NotLike "*Server" -and enabled -eq "True"').Name | 
ForEach {
    $user       = "Account to Use - Service Account Suggested"
    $Certname   = $PSItem
...
}

您已经在这里动态要求提供证书名称... 

$Cert       = New-SelfSignedCertificate -certstorelocation 'cert:\localmachine\my' -dnsname $Certname
$pw         = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint

...所以没什么可传递的。

但是,要在远程目标上运行此脚本,只需使用正常的默认PSRemoting远程会话设置即可。

about_Remote - PowerShell | Microsoft Docs

about_Remote_Requirements - PowerShell | Microsoft Docs 

Invoke-Command -ComputerName Server01 -ScriptBlock {Get-Culture}

所以,像这样... 

$Creds = Get-Credential -Credential "$env:USERDOMAIN\$env:USERNAME"
(Get-ADComputer -Filter 'OperatingSystem -NotLike "*Server" -and enabled -eq "True"').Name | 
ForEach {
    Invoke-Command -ComputerName $PSItem -ScriptBlock {
        $user       = "Account to Use - Service Account Suggested"
        $Certname   = $PSItem
        ...
    } -Credential $Creds

}
,

以下脚本给我以下错误

ngnix

CloneCert and DnsName parameters cannot both be empty
    + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificate],ParameterBindingException
    + FullyQualifiedErrorId : RuntimeException,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand
    + PSComputerName        : XXX.local
 
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1,172.17.62.29,::1,fe80::c5c5:a94f:341c:48fa%13

Cannot validate argument on parameter 'HostName'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
    + CategoryInfo          : InvalidData: (:) [New-Item],ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.NewItemCommand
    + PSComputerName        : XXXX.local
 

An error occurred while attempting to contact the  Windows Firewall service. Make sure that the service is running and try your request again.

for-loopforeachforeachforeach-objectpowershellpowershellwinrm

相关问答

Selenium Web驱动程序和Java元素在(x,y)点处不可单击其他元素将获得点击?
Selenium Web驱动程序和Java。元素在(x,y)点处不可单击。其...
Python-如何使用点“” 访问字典成员?
Python-如何使用点“。” 访问字典成员?
Java 字符串是不可变的到底是什么意思?
Java 字符串是不可变的。到底是什么意思?
Java中的“ final”关键字如何工作?我仍然可以修改对象
Java中的“ final”关键字如何工作?(我仍然可以修改对象。...
“loop:”在Java代码中这是什么,为什么要编译?
“loop:”在Java代码中。这是什么,为什么要编译?
java.lang.ClassNotFoundException:sun.jdbc.odbc.JdbcOdbcDriver发生异常为什么?
java.lang.ClassNotFoundException:sun.jdbc.odbc.JdbcOdbc...