Learning PowerShell step one - enable remote access



  • In an effort to learn PowerShell better, I'm trying to enable it globally within my domain.

    I've created a GPO that enables the inbound firewall ports and the WinRM service.

    Both of these settings are applying, and about half my machines are now working.

    The other half are generating one of the following errors:

    Connecting to remote server computername failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (computername:String) [], PSRemotingTransportException
        + FullyQualifiedErrorId : URLNotAvailable,PSSessionStateBroken

    Connecting to remote server computername failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (computername:String) [], PSRemotingTransportException
        + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken
    

    For full disclosure, about 1/2 of the machines that have an error have a "can't resolve" error. I'll look at those at another time - it's likely most of them (being laptops) are simply offline - or machines that no longer exist.



  • Starting with this one

    Connecting to remote server computername failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (computername:String) [], PSRemotingTransportException
        + FullyQualifiedErrorId : URLNotAvailable,PSSessionStateBroken
    

    .
    .
    .

    Using screen connect (because I can't use a remote PowerShell session), I run

    winrm e winrm/config/listener
    

    And the Output:

    Listener [Source="GPO"] 
    Address = * 
    Transport = HTTP 
    Port = 5985 
    Hostname 
    Enabled = true 
    URLPrefix = wsman 
    CertificateThumbprint 
    ListeningOn = ::1, fe80::ad99:8e4d:c356:9939%5, fe80::c0a1:571b:2955:87be%7, fe80::cda4:4841:5bff:7b5c%8, fe80::f902:5ea5:2d74:a154%3 
    

    Interesting - the server is only listening on IPv6 addresses.



  • ListeningOn = ::1, fe80::ad99:8e4d:c356:9939%5, fe80::c0a1:571b:2955:87be%7, fe80::cda4:4841:5bff:7b5c%8, fe80::f902:5ea5:2d74:a154%3 
    

    Interesting - the server is only listening on IPv6 addresses.

    Turns out IPvX filters are for the addresses that are listening (i.e. the local IP on the machine you are trying to remote into).
    I set a filter like this 10.0.0.1-10.0.5.254 (where my admin machines would live).
    Unfortunately, since this isn't an incoming filter (that's the firewall's job), this filter wasn't large enough to cover all of my production networks. I had 10.1.0.1-10.1.0.254 that wasn't inside the above range, and of course that kept the machine from listening on its IPv4 (the IPv6 was listening because I just left it wide open - testing, not using IPv6 in general, so left it as default (*)).

    So tweaking my filter to 10.0.0.1-10.0.5.254, 10.1.0.1-10.1.0.254 solved my problem.
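
The behaviour described in the post above can be checked before a GPO is rolled out. The following is an added example, not part of the original thread: it parses a WinRM IPv4 filter string and reports which of a host's own addresses fall inside it, which is what decides whether the listener binds there. The function names and the sample address 10.1.0.25 are assumptions made for illustration.

```powershell
# Added example (not from the original thread). The GPO IPv4 filter is matched
# against the host's OWN addresses: WinRM only binds to local IPs inside a range.

function ConvertTo-UInt32Address {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address.Trim())
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: '$Address'"
    }
    $bytes = $ip.GetAddressBytes()
    [Array]::Reverse($bytes)              # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-WinRMIPv4Filter {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Filter,
        [Parameter(Mandatory)][string[]]$LocalAddress
    )
    $all = $Filter.Trim() -eq '*'         # '*' = listen on every local address
    $ranges = @()
    if (-not $all) {
        # Comma-separated "low-high" ranges; an empty filter yields no ranges.
        $ranges = @(foreach ($r in ($Filter -split ',' | Where-Object { $_.Trim() })) {
            $low, $high = $r -split '-', 2
            if (-not $high) { throw "Not a range: '$r'" }
            [pscustomobject]@{
                Low  = (ConvertTo-UInt32Address $low)
                High = (ConvertTo-UInt32Address $high)
            }
        })
    }
    foreach ($a in $LocalAddress) {
        $n = ConvertTo-UInt32Address $a
        $hit = $all -or [bool]($ranges | Where-Object { $n -ge $_.Low -and $n -le $_.High })
        [pscustomobject]@{ Address = $a; WillListen = $hit }
    }
}

# Constructed sample: 10.1.0.25 stands in for a host on the 10.1.0.x network.
$hostIPs = '10.1.0.25'
Test-WinRMIPv4Filter -Filter '10.0.0.1-10.0.5.254' -LocalAddress $hostIPs
Test-WinRMIPv4Filter -Filter '10.0.0.1-10.0.5.254, 10.1.0.1-10.1.0.254' -LocalAddress $hostIPs
```

On a live machine the `-LocalAddress` values can be taken from `Get-NetIPAddress -AddressFamily IPv4`. Restricting which source addresses may connect remains a firewall rule scope setting, as the post notes.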