First off yeah: what happened? Well work. So not a bad thing. But anyway, time to get back into the mix of things on this blog and get more stuff posted. With Server 2016 released and the masses consuming there is one thing I”m seeing a lot of both internally and externally, however: a general confusion on how to do some simple things in PowerShell that prevent them from using it day-to-day. So today I figured I’d write up guide on how to accomplish one of the most common things: remoting into another box.
Basically let’s replace the daily need for MSTSC.
Connecting to a Remote Server
PowerShell works in “sessions”, and connections can be made in the “current session” (think of it as the current PowerShell windows) or in separate sessions. Understanding this will allow you manipulate your current “focus” and switch between systems quickly, not unlike having multiple remote desktop windows open.
The easiest way to remote into another server is to simply use the Enter-PSSession statement to connect to a new session. this will overwrite the current session.
If new credentials are needed to connect, they can be gathered with Get-Credentials, which can be called before hand in a variable or at the time of connection:
Multiple connections can be created and managed using New-PSSession and Get-PSSession. I recommend storing sessions in a variable for easy reference later. You can then use Enter-PSSession on said variable (or any open session) to switch to that session, and Exit-PSSession to leave a session without closing it.
You can then close a session with Remove-PSSession when you are all done.
Trusting Computers when in a Workgroup
By default, PowerShell will only connect to systems that can reliably identify themselves. This means with Kerberos identity in AD or with a valid certificate (issued from a trusted provider). In some cases, however, neither is available and you simply want to connect. For this to work you need to add computers to your TrustedHosts list in WinRM. This can be done in PowerShell fairly easily, and the list can even accept wildcards.
You can browse the workstation manager settings directly like any other directory, simply make sure you are running with elevated privileges (if you are using the UAC).
Note in the sample image a single host has been put in the list. This can be replaced/updated (wildcard is supported) with:
set-item WSMan:\localhost\Client\TrustedHosts <trusted list comma delimited>
The <trusted list comma delimited> is a string, so if special characters are used make sure to use the appropriate quotations. It should be noted that WinRM does NOT have to accept HTTP based authentication, and many times it doesn’t. If this is the case, the computer will accept named connections only which default to NTLM/Kerberos and reject IP connections. In order to accept connections over HTTP a machine may need to run Enable-PSRemoting. If done all authentication methods are enabled by default. Depending on security requirements, this should be done with caution.
Rather than adding new authenticating mechanisms, this can be bypassed by including a hosts file so short name name resolution works (or using company DNS servers that will resolve the client).
Copying Files over WINRM
Another useful trick is sending files over WinRM. This allows the remote admin to send zip files, scripts, etc. to the remote host without having to enable File and Print services or enabling additional firewall ports. Note that while this is native in WMF/PowerShell 5.1, earlier versions will have to download a module or write their own script logic for this to work, but only on the host doing the copying. As the target machine is just receiving a file over WMF, it does NOT have to be running the latest version of PowerShell.
This is done with a simple Copy-Item command, all it requires is an established connection to the target server and knowledge about the destination path.
Copy-Item <sourcefile> -Destination <target path> -ToSession <target session>
A complete command is shown below as a sample:
Hopefully this will help get people started on relying less on MSTSC and stating to trust their scripting skills a bit more.