0

I have been working on a script that can remove an old version of zabbix from our servers, and install the latest version.

I am having a problem copying a file from a shared folder when I am using invoke-command.

I can run this script directly from the target machine and I can copy the folder perfectly:

$Installer = '\\Server01\Zabbix'
Write-Host -f green "[INFO]: Attempting to copy the folder located on $installer." 
 
 
 try{
 Copy-Item -Path  $installer -Destination c:\ -recurse -force
 Write-Host -f green "[INFO]: $installer is succesfully copied on C:\Zabbix on $env:computername." }
 catch
 {write-host -f red "[ERROR]: Copying $installer encountered an error on $env:computername : $error"
 $error.clear()}

Since I will be running this on multiple servers, I chose the method:

Invoke-Command -ComputerName $server -ScriptBlock{}

here is a sample code:

$servers = @( 'Server02')

foreach ($server in $servers) {
Invoke-Command -ComputerName $server -ScriptBlock {

 $Installer = '\\Server01\Zabbix'
Write-Host -f green "[INFO]: Attempting to copy the folder located on $installer." 
 
 try{
 Copy-Item -Path  $installer -Destination c:\ -recurse -force
 Write-Host -f green "[INFO]: $installer is succesfully copied on C:\Zabbix on $env:computername." }
 catch
 {write-host -f red "[ERROR]: Copying $installer encountered an error on $env:computername : $error"
 $error.clear()}

}}

and below is the error message:

[INFO]: Attempting to copy the folder located on \\Server01\Zabbix.
Access is denied
    + CategoryInfo          : PermissionDenied: (\\Server01\Zabbix:String) [Copy-Item], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand
    + PSComputerName        : Server02
Cannot find path '\\Server01\Zabbix' because it does not exist.
    + CategoryInfo          : ObjectNotFound: (\\Server01\Zabbix:String) [Copy-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyItemCommand
    + PSComputerName        : Server02

I am using the same accounts, when accessing server 02 directly and running the commands without invoke-command. Access should be fine.

can anyone help?

thanks!

Improve this question
4
  • Sounds like a double hop problem. Commented Feb 23, 2024 at 9:55
  • The user account which is used here has permission to shared folder? As the error says permission denied / Path not found. Try login with the user account in the destination machine and see if you can see the file or folder specified. Commented Feb 23, 2024 at 13:01
  • Use a File Explorer from same machine you are running the failed PS script and see if you have access by using \\Server01\Zabbix. The issue is probably a permissions. It may be a domain issue. All machines have to be in the same domain. Adding the domain in front of the server name may solve issue. Commented Feb 23, 2024 at 14:11
  • It was a double hop problem as advised by boxdog. access was working fine, but my script is as advised, was doing a doublehop. I change a few lines in the code, and used new-pssession method for file copy. For the rest of the lines, I used Invoke-command method. works now. Thank you! Commented Feb 25, 2024 at 23:14

1 Answer 1

Reset to default
0

PowerShell doesn't support second-hop out of the box.

I.e You invoke the command remotely with you credentials on Server1.
When Server1 in turn tries to access resources on Server2, it hasn't access to your credentials as you normally don't pass them forward for further use.

In that case you either need to allow the credentials of the computer account of Server1 to access Server2 or use a method that will either allow passing along your credentials or allow account delegation.

See MS Learn - Making the second hop in PowerShell Remoting

CredSSP used to be the prefered option, but MS has put some further restrictions on using CredSSP which might make it fail.

So I would opt for using JEA (Just Enough Administration) instead if you don't have access to Kerberos delegation in the AD.

A third option is to use SSH for PowerShell remoting instead, as SSH actually do store your credentials on each hop. But that doesn't work with Windows PowerShell 5.1 or earlier.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.