Access Denied - get-wmiobject win32_service (Powershell)

Question

11/13/2013 11:35:37 TRCW1 using local computer
11/13/2013 11:35:37 TRCE1 System.Management.ManagementException: Access denied
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
   at Microsoft.PowerShell.Commands.GetWmiObjectCommand.BeginProcessing()

Code (inside a loop of server names):

$error.clear()  #clear any prior errors, otherwise same error may repeat over-and-over in trace 
if ($LocalServerName -eq $line.ServerName)
    {
       # see if not using -ComputerName on local computer avoids the "service not found" error 
       Add-Content $TraceFilename "$myDate TRCW1 using local computer " 
       $Service = (get-wmiobject win32_service -filter "name = '$($line.ServiceName)'")
    }
else 
    {
       Add-Content $TraceFilename "$myDate TRCW2 using remote computer $($line.ServerName) not eq $LocalServerName" 
       $Service = (get-wmiobject win32_service -ComputerName $line.ServerName -filter "name = '$($line.ServiceName)'")
    }

if ($error -ne $null) 
{
    Write-Host "----> $($error[0].Exception) " 
    Add-Content $TraceFilename "$myDate TRCE1 $($error[0].Exception)" 
}

I'm reading a CSV of server names. I finally added the exception logic, to find I'm getting an "Access Denied". This was only happening on the local server. Seems almost backwards, the local server fails, whereas the remote servers work fine. I even changed logic to test to see if it was the local server, then tried leaving off the -ComputerName parms on the WMI (as shown in code above), and still getting error.

So far, my research shows the answer may lie with

set-item trustedhosts

But my main question is whether trustedhosts is applicable to local servers, or only remote servers. Wouldn't a computer always trust itself? Does it still use remoting to talk to itself?

This server apparently was part of a cluster a long time before I got here, and now it's not. I'm also suspicious of that.

When I run interactively the script works fine, it's only when I schedule it and run it under a service account that it fails with the access denied. The Service Account is local Admin on that box.

I'm using get-wmiobject win32_service instead of get-service because it returns extra info I need to lookup the process, and date/time the service was started using another WMI call.

Running on Win 2008/R2.

Below Update 11/13/2013 5:27Pm

I have just verified that the problem happens on more than one server. [I took the scripts and ran them on another server.] My CSV input includes a list of servers to monitor. The ones outside of my own server always return results. The ones to my own server, that omit the -ComputerName fail. (I have tried with and without the -ComputerName parm for the local server).

Recommended answer

Are you running the script "as administrator" (UAC)? When your credentials are calculated for your local instance if you have UAC enabled and you didn't run it "as administrator" it removes the local administrator security token. Connecting to a different machine over the network, A) it completely bypasses UAC, and B) when the target evaluates your token, the group memberships you're in are fully evaluated and thus you get "administrator" access.

Probably unrelated, but I've just run across two 2008 R2 servers out of 10 on my system that reject THE FIRST performance criteria that I'm collecting, but only when it's running as a scheduled task. If I run it interactively it works at least 95% of the time. I'm collecting Disk Seconds/Read and Seconds/Write, so it's the reads that don't show, for these two servers only. I flipped the order and what do you know, the Writes don't report. I just added one drive Seconds/Transfer as a sacrificial lamb to the start of my criteria list, and VOILA now I don't get ACCESS DENIED to the reads and writes.

$counterlist = @("\\$server\PhysicalDisk(0*)\Avg. Disk sec/Transfer", "\\$server\PhysicalDisk(*)\Avg. Disk sec/Read", "\\$server\PhysicalDisk(*)\Avg. Disk sec/Write")
$counters = $counterlist | Get-Counter

(not sure how to edit this, but there are asterisks in between the parenthesis after physicaldisk...)
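
The token filtering described in the answer can be confirmed from inside the scheduled task itself, by recording the token state next to the WMI call. The following diagnostic is an added example, not code from the question or the answer; `Get-TokenState` and the service name `Spooler` are assumptions made for illustration.

```powershell
# Added diagnostic, not from the original thread.
# Written for PowerShell 2.0 (Windows Server 2008 R2).
function Get-TokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when BUILTIN\Administrators is an *enabled* group in this token.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami also lists deny-only groups, which IsInRole ignores.
    # /nh drops the localized header row, so the column names below are our own.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $adminRow = $groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' }

    New-Object PSObject -Property @{
        User          = $identity.Name
        Elevated      = $elevated
        AdminInToken  = [bool]$adminRow
        # Member of Administrators, but the group is not enabled: UAC-filtered token.
        FilteredToken = ([bool]$adminRow -and -not $elevated)
    }
}

$state       = Get-TokenState
$serviceName = 'Spooler'   # constructed sample value

try {
    # -ErrorAction Stop turns the WMI failure into a catchable exception.
    $service = Get-WmiObject Win32_Service -Filter "Name = '$serviceName'" -ErrorAction Stop
    "OK {0} state={1} pid={2} (user={3}, elevated={4})" -f `
        $service.Name, $service.State, $service.ProcessId, $state.User, $state.Elevated
}
catch {
    if ($state.FilteredToken) {
        "DENIED: $($state.User) is in Administrators but the token is UAC-filtered (likely cause)."
    } else {
        "FAILED (elevated=$($state.Elevated)): $($_.Exception.Message)"
    }
}
```

For a scheduled task, the Task Scheduler option "Run with highest privileges" is the setting that gives the account its unfiltered token.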
