[Question title]: Configure WinRM over HTTPS on Multiple Computers with Powershell
[Posted]: 2020-12-02 19:59:24
[Question description]:

Configure WinRM over HTTPS on Multiple Computers with PowerShell

I put together the script below to configure WinRM over HTTPS, and it works fine when run on each machine. I am having a hard time recoding it so that it runs remotely against multiple machines listed in a text file.

Also, as a bonus, I would like some kind of logging and checking for machines that fail or come back with any kind of error.

Any help would be greatly appreciated.

$user = "Account to Use - Service Account Suggested"
$Certname = "HOSTNAME FQDN"
# issue a self-signed certificate for this host into the machine store
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint
# show the current listeners, then create the HTTPS listener bound to the new cert
WinRM e winrm/config/listener
#winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="$Certname"; CertificateThumbprint=$thumbprint}'
New-Item WSMan:\localhost\Listener -Address * -Transport HTTPS -HostName $Certname -CertificateThumbPrint $thumbprint
# open the WinRM HTTPS port and grant the account remote management rights
$port=5986
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=$port
net localgroup "Remote Management Users" /add $user
net localgroup "Event Log Readers" /add $user
Restart-Service WinRM
Restart-Service Winmgmt -Force


#Adding the below script should replace "winrm configSDDL default"
$GENERIC_READ = 0x80000000
$GENERIC_WRITE = 0x40000000
$GENERIC_EXECUTE = 0x20000000
$GENERIC_ALL = 0x10000000

# get SID of user/group to add

$user_sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $user).Translate([System.Security.Principal.SecurityIdentifier])

# get the existing SDDL of the WinRM listener
$sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value

# convert the SDDL string to a SecurityDescriptor object
$sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl

# apply a new DACL to the SecurityDescriptor object
$sd.DiscretionaryAcl.AddAccess(
[System.Security.AccessControl.AccessControlType]::Allow,
$user_sid,
($GENERIC_READ -bor $GENERIC_EXECUTE),
[System.Security.AccessControl.InheritanceFlags]::None,
[System.Security.AccessControl.PropagationFlags]::None
)

# get the SDDL string from the changed SecurityDescriptor object
$new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# apply the new SDDL to the WinRM listener
Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force

[Question comments]:

  • Use your code as-is in a loop. Pass the computer list using a normal PowerShell remoting session, or set it up as a logon script via GPO. For logging, you need to define what it is and write it out. See the PowerShell help files on logging, or the many online articles on the topic.
  • How would I loop through it with a computer list while putting the computer name into the $certname variable?

Tags: powershell for-loop foreach winrm foreach-object


[Solution 1]:

A follow-up to our comment exchange.

Assuming this line...

$user       = "Account to Use - Service Account Suggested"

...is the same for all systems, then just pre-populate it with whatever you need, and then...

Get-ADComputer (activedirectory) | Microsoft Docs

about_Foreach - PowerShell | Microsoft Docs

(Get-ADComputer -Filter 'OperatingSystem -NotLike "*Server" -and enabled -eq "True"').Name | 
ForEach {
    $user       = "Account to Use - Service Account Suggested"
    $Certname   = $PSItem
...
}

You are already requesting the certificate name dynamically here...

$Cert       = New-SelfSignedCertificate -certstorelocation 'cert:\localmachine\my' -dnsname $Certname
$pw         = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint

...so there is nothing to pass in.

However, to run this script on the remote targets, just use the normal default PSRemoting remote session setup.

about_Remote - PowerShell | Microsoft Docs

about_Remote_Requirements - PowerShell | Microsoft Docs

Invoke-Command -ComputerName Server01 -ScriptBlock {Get-Culture}

So, something like this...

$Creds = Get-Credential -Credential "$env:USERDOMAIN\$env:USERNAME"
(Get-ADComputer -Filter 'OperatingSystem -NotLike "*Server" -and enabled -eq "True"').Name | 
ForEach {
    # the pipeline item is not visible inside the remote scriptblock, so pass it in explicitly
    Invoke-Command -ComputerName $PSItem -ArgumentList $PSItem -ScriptBlock {
        param($Certname)
        $user       = "Account to Use - Service Account Suggested"
        ...
    } -Credential $Creds
}

[Discussion]:

  • I am confused about how to convert my script into a foreach
[Solution 2]:

The script below gives me the following errors

CloneCert and DnsName parameters cannot both be empty
    + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificate], ParameterBindingException
    + FullyQualifiedErrorId : RuntimeException,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand
    + PSComputerName        : XXX.local
 
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 172.17.62.29, ::1, fe80::c5c5:a94f:341c:48fa%13

Cannot validate argument on parameter 'HostName'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
    + CategoryInfo          : InvalidData: (:) [New-Item], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.NewItemCommand
    + PSComputerName        : XXXX.local
 

An error occurred while attempting to contact the  Windows Firewall service. Make sure that the service is running and try your request again.

$Computers = get-content "C:\temp\regkey.txt"
Foreach ($Computer in $Computers)
{
    Invoke-Command -ComputerName $Computer -ScriptBlock {

        $user = "bmonitor-ps"
        #$Certname = $Computer
        # NOTE: $Computer is a variable of the calling session; inside the remote scriptblock it is
        # empty, which is what produces the empty DnsName / null HostName errors shown above.
        $Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Computer
        $thumbprint = $Cert.Thumbprint

        WinRM e winrm/config/listener
        #winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="$Certname"; CertificateThumbprint=$thumbprint}'
        New-Item WSMan:\localhost\Listener -Address * -Transport HTTPS -HostName $Computer -CertificateThumbPrint $thumbprint
        $port=5986
        netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=$port
        net localgroup "Remote Management Users" /add $user
        net localgroup "Event Log Readers" /add $user
        Restart-Service WinRM
        Restart-Service Winmgmt -Force

        #Adding the below script should replace "winrm configSDDL default"
        $GENERIC_READ = 0x80000000
        $GENERIC_WRITE = 0x40000000
        $GENERIC_EXECUTE = 0x20000000
        $GENERIC_ALL = 0x10000000

        # get SID of user/group to add
        $user_sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $user).Translate([System.Security.Principal.SecurityIdentifier])

        # get the existing SDDL of the WinRM listener
        $sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value

        # convert the SDDL string to a SecurityDescriptor object
        $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl

        # apply a new DACL to the SecurityDescriptor object
        $sd.DiscretionaryAcl.AddAccess(
            [System.Security.AccessControl.AccessControlType]::Allow,
            $user_sid,
            ($GENERIC_READ -bor $GENERIC_EXECUTE),
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None
        )

        # get the SDDL string from the changed SecurityDescriptor object
        $new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

        # apply the new SDDL to the WinRM listener
        Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force
    }
}
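A complete version of the loop the answers describe, with the per-machine logging the question asks for, as an added example that belongs to neither post. The list file path, log path and service account are placeholders; the certificate name is built on the target itself instead of from the caller's loop variable, which is empty inside the remote scriptblock (the cause of the empty DnsName and null HostName errors above), and the RootSDDL section from the question can be dropped into the same scriptblock.

```powershell
# Assumed inputs (placeholders): one computer name per line, a CSV log, a service account.
$ListPath = 'C:\temp\computers.txt'
$LogPath  = 'C:\temp\winrm-https-results.csv'
$User     = 'DOMAIN\svc-winrm'
$Creds    = Get-Credential -Credential "$env:USERDOMAIN\$env:USERNAME"

$results = foreach ($Computer in (Get-Content -Path $ListPath | Where-Object { $_.Trim() })) {
    try {
        # -ErrorAction Stop turns remote and connection failures into terminating errors for catch.
        $r = Invoke-Command -ComputerName $Computer -Credential $Creds -ErrorAction Stop -ScriptBlock {
            $ErrorActionPreference = 'Stop'
            # Resolve the FQDN on the target; the caller's $Computer is not visible here.
            $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
            $existing = Get-ChildItem -Path WSMan:\localhost\Listener |
                Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
            if ($existing) {
                # Idempotent: keep the listener that is already there and report its thumbprint.
                $thumb = (Get-ChildItem "WSMan:\localhost\Listener\$($existing.Name)" |
                    Where-Object Name -eq 'CertificateThumbprint').Value
                $status = 'AlreadyConfigured'
            } else {
                $cert  = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' `
                    -DnsName $fqdn, $env:COMPUTERNAME
                $thumb = $cert.Thumbprint
                New-Item -Path WSMan:\localhost\Listener -Address * -Transport HTTPS `
                    -HostName $fqdn -CertificateThumbPrint $thumb -Force | Out-Null
                if (-not (Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -ErrorAction SilentlyContinue)) {
                    New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Direction Inbound `
                        -Action Allow -Protocol TCP -LocalPort 5986 | Out-Null
                }
                Add-LocalGroupMember -Group 'Remote Management Users' -Member $using:User -ErrorAction SilentlyContinue
                # No Restart-Service WinRM here: the WSMan provider applies the listener immediately,
                # and restarting WinRM from inside a remoting session would drop this session.
                $status = 'Configured'
            }
            [pscustomobject]@{ Hostname = $fqdn; Status = $status; Thumbprint = $thumb; Error = $null }
        }
        $r | Select-Object @{ n = 'ComputerName'; e = { $Computer } }, Hostname, Status, Thumbprint, Error
    } catch {
        # Unreachable hosts, authentication failures and remote errors all land here and get logged.
        [pscustomobject]@{ ComputerName = $Computer; Hostname = $null; Status = 'Failed'
                           Thumbprint = $null; Error = $_.Exception.Message }
    }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

The CSV gives you the failure log the question asks for; review the Failed rows first, since those hosts are still reachable only over HTTP.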

[Discussion]:
