Remote management: WinRM, Enter-PSSession

wmimgmt.msc ------- opens the Windows Management Instrumentation (WMI) console

Enabling PowerShell remoting:
1) On the local computer (the one that will manage the remote computer), run Set-Item WSMan:\localhost\Client\TrustedHosts -Value * to populate the TrustedHosts list (a wildcard trusts every host; naming the specific servers is safer, see the TrustedHosts notes below)
2) On the remote computer (the one to be managed), run Enable-PSRemoting -Force
=======================================================

$s = "hello"
Invoke-Command -ComputerName 192.168.12.99 -Credential administrator -ScriptBlock { param ($s) Write-Output ($s + "abc") } -ArgumentList $s
(Write-Host $s+"abc" in argument mode prints the literal string "hello+abc"; the concatenation must be parenthesised, and Write-Output returns the value to the caller instead of only writing to the remote host stream.)
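The Invoke-Command line above as a complete, reusable script (an added example, not code from the original post). It assumes the same target as the note, 192.168.12.99 with a local account named administrator; the script block contents are illustrative.

```powershell
# Added example: run a parameterised script block on a remote host that is
# addressed by IP. Kerberos cannot be used for an IP address, so explicit
# credentials are mandatory here (see the TrustedHosts notes further down).
$target = '192.168.12.99'                      # assumption: the host used in the note above
$cred   = Get-Credential -UserName 'administrator' -Message "Credentials for $target"

# One session for several commands: authenticate once instead of per call.
$session = New-PSSession -ComputerName $target -Credential $cred -ErrorAction Stop

try {
    $s = 'hello'

    # Option 1: positional parameters through -ArgumentList.
    Invoke-Command -Session $session -ArgumentList $s -ScriptBlock {
        param([string]$s)
        Write-Output ($s + 'abc')              # returns 'helloabc' to the caller
    }

    # Option 2 (PowerShell 3.0 and later): the $using: scope copies a local
    # variable into the remote script block without declaring param().
    Invoke-Command -Session $session -ScriptBlock {
        "$using:s runs on $env:COMPUTERNAME as $env:USERNAME"
    }

    # Results come back as deserialized objects; select properties, not text.
    Invoke-Command -Session $session -ScriptBlock { Get-Service WinRM } |
        Select-Object PSComputerName, Name, Status
}
finally {
    # Always tear the session down; a leftover session keeps a logon open on the server.
    Remove-PSSession $session
}
```

Without -ErrorAction Stop on New-PSSession a failed connection would only print a non-terminating error and the following Invoke-Command calls would fail on a $null session.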

 

Enable-PSRemoting
Disable-PSRemoting

To enable PS remoting the network location must not be Public, because the Windows Firewall exception cannot be enabled while the network location is Public. (PowerShell 3.0 and later accept Enable-PSRemoting -SkipNetworkProfileCheck, which still creates the rule but restricts it to the local subnet.)

 

Check whether the WinRM service is running on a remote server:

Test-WSMan -ComputerName server01
Test-WSMan -ComputerName server01 -Authentication Default
The first command is equivalent to winrm id -remote:server01,
except that it does not return the OS version; the second, authenticated, form does.

Check whether the WinRM service is running on the local computer; with the -Authentication parameter the OS version is returned as well:
Test-WSMan -Authentication Default

Check whether the WinRM service is running on the local computer:
Test-WSMan

 

The Test-WSMan cmdlet submits an identification request to determine whether the WinRM service is running on the local or on a remote computer. If the tested computer is running the service, the cmdlet displays the WS-Management identity schema, the protocol version, the product vendor and the product version of the tested service.
Use the -Authentication parameter to test whether the WS-Management (WinRM) service is running on the local computer. With -Authentication the identify request is authenticated, which is what allows Test-WSMan to return the operating-system version as well.

If Enable-PSRemoting has never been run, Test-WSMan reports an error.
Enter-PSSession localhost also reports an error if PS remoting is not enabled.


=================================================================

View the TrustedHosts list
Get-Item WSMan:\localhost\Client\TrustedHosts

To append an entry to the TrustedHosts list (computer names and IP addresses can be mixed), read the current value and write it back with the new entry (Set-Item also offers a -Concatenate switch that does the same append):
$a = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$m = $a + ",win9"
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $m


Set the TrustedHosts list (each Set-Item without -Concatenate replaces the whole value)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'server1,server2'
Set-Item WSMan:\localhost\Client\TrustedHosts -Value *.testj.com

To connect to a remote computer by IP address, that IP must be added to the TrustedHosts list of the computer that initiates the connection; if the list is already * nothing needs to change.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '192.168.12.1,win2012.testj.com'

When connecting to a remote computer by IP, credentials must be supplied explicitly, even if they are the current user's credentials. Kerberos mutual authentication needs a host name; with an IP the connection falls back to NTLM, and PowerShell then requires explicit credentials:
Enter-PSSession 192.168.12.99 -Credential administrator

 

Get: winrm get winrm/config
Set: winrm set winrm/config/<section> @{Name="value"}

winrm g winrm/config (g and s are the short forms of get and set)
By default the client computer requires network traffic to be encrypted. To allow the client to request unencrypted traffic (not recommended: the authentication exchange and the whole session then travel in clear), run:
winrm s winrm/config/Client @{AllowUnencrypted="true"} #from cmd.exe (the note says Windows 2008 R2)
winrm s winrm/config/Client '@{AllowUnencrypted="true"}' #from PowerShell (the note says Windows 10); PowerShell would otherwise parse @{...} as a hashtable, so it must be quoted
TrustedHosts is an array that specifies the list of trusted remote computers. Other computers in the same workgroup, or computers in a different domain, should be added to this list.
Note: computers in the TrustedHosts list are not authenticated; the client sends its credentials to whatever answers at that name or address.
The following command puts all computers into TrustedHosts:
winrm s winrm/config/Client @{TrustedHosts="*"}
Basic authentication sends the user name and password to the server or proxy in plain text (only Base64-encoded). It is the least secure authentication method. The default is True.
To set the client computer to use basic authentication:
winrm s winrm/config/Client/Auth @{Basic="true"}
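The settings discussed above (TrustedHosts, AllowUnencrypted and Basic on both the client and the service side) as one audit script with the hardened values, an added example that is not part of the original notes. It assumes the WSMan: drive of the local machine, so it has to run in an elevated PowerShell; the host name in the last line is an assumption.

```powershell
# Added example: report which WinRM client/service settings are in the weak
# state described above, then set the hardened values. Run elevated.
function Get-WinRMWeakSetting {
    # Each entry: WSMan drive path, the value that counts as weak, and why.
    $checks = @(
        @{ Path = 'WSMan:\localhost\Client\TrustedHosts';      Weak = '*';    Why = 'every host is trusted; server identity is never verified' }
        @{ Path = 'WSMan:\localhost\Client\AllowUnencrypted';  Weak = 'true'; Why = 'client may send sessions, and NTLM/Basic exchanges, without encryption' }
        @{ Path = 'WSMan:\localhost\Client\Auth\Basic';        Weak = 'true'; Why = 'user name and password sent as Base64 plain text' }
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Weak = 'true'; Why = 'service accepts unencrypted sessions' }
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic';       Weak = 'true'; Why = 'service accepts Basic authentication' }
    )
    foreach ($c in $checks) {
        # WSMan items expose the setting as a string in .Value ('true'/'false', or the host list)
        $value = (Get-Item $c.Path -ErrorAction Stop).Value
        $weak  = ($value -eq $c.Weak)
        [pscustomobject]@{
            Setting = $c.Path
            Value   = $value
            Weak    = $weak
            Reason  = $(if ($weak) { $c.Why } else { '' })
        }
    }
}

Get-WinRMWeakSetting | Format-Table -AutoSize

# Hardened values: no Basic, no unencrypted traffic, and explicit hosts instead
# of '*'. -Concatenate appends to TrustedHosts rather than replacing it.
Set-Item WSMan:\localhost\Client\AllowUnencrypted  -Value $false
Set-Item WSMan:\localhost\Client\Auth\Basic        -Value $false
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'win2012.testj.com' -Concatenate -Force   # assumed host name

Get-WinRMWeakSetting | Where-Object Weak | Format-Table -AutoSize   # should print nothing now
```

The service-side values matter as much as the client ones: a client that refuses unencrypted traffic still protects nothing if another client talks to a service that accepts Basic over HTTP.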

 


Using remote management in a workgroup or mixed-domain environment
By default a local (non-domain) account, which is what is used between workgroup machines or between domains with no trust, cannot connect to a host even when it is a member of the local Administrators group. The reason is UAC remote restrictions: such a remote logon receives a filtered, standard-user token. To let these accounts administer the local computer, set the LocalAccountTokenFilterPolicy registry value to 1. Enable-PSRemoting sets this value to 1, and on the machine tested here Disable-PSRemoting left it at 1.
New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType DWord -Value 1

Note: when running Enable-PSRemoting -Force as Administrator on the local machine, if it reports "Access is denied", try changing the registry value above and restarting the WinRM service (the computer was not rebooted, so whether this works is unknown; the problem was not resolved as of 2014.7.31)
====================================================================================================


Disabling remote management

Disable-PSRemoting disables remote management on the local host. It disables the PowerShell session configurations, but it does not remove everything Enable-PSRemoting created: the WinRM service stays enabled, the listener created for PS remoting stays, and so does the firewall exception.

If no service or component on the machine needs WinRM, the service can be disabled with:

Set-Service winrm -StartupType Manual

Stop-Service winrm

To remove the listener WinRM sets up on port 5985 by default:

Get-ChildItem WSMan:\localhost\Listener -Recurse | Foreach-Object { $_.PSPath } | Where-Object { (Get-Item "$_\Port").Value -eq 5985 } | Remove-Item

 

====================================================================================================

By default WinRM only enables the HTTP transport for incoming requests. The HTTPS transport can be enabled manually with the winrm command or the New-WSManInstance cmdlet.


By default PowerShell remoting uses port 5985 (HTTP) and port 5986 (HTTPS). The port can be changed with the Set-Item cmdlet on wsman:\Localhost\listener\listener*\port; note that the wildcard matches every listener, so this changes the port of every WinRM listener on the system.
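Creating the HTTPS listener mentioned above with New-WSManInstance, opening its port and retiring the HTTP listener, as an added example that is not part of the original notes. It assumes the host name server01.testj.com, that a server-authentication certificate for that name already exists in LocalMachine\My, and Windows 8 / Server 2012 or later for New-NetFirewallRule.

```powershell
# Added example: move WinRM from HTTP (5985) to HTTPS (5986) so that
# credentials and session traffic to a TrustedHosts target are protected by
# TLS, and the client can verify the server name. Run elevated on the server.
$fqdn = 'server01.testj.com'   # assumption: the name clients will connect to

# The client validates the certificate against the name it connected to, so the
# certificate subject must match $fqdn; connecting by IP would fail that check.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate for $fqdn with a private key in LocalMachine\My" }

# Create the HTTPS listener bound to all addresses (default port 5986).
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet    @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint }

# Enable-PSRemoting only creates the HTTP firewall rule; add one for 5986.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile 'Domain,Private'

# Confirm the new listener answers before touching the old one.
Test-WSMan -ComputerName $fqdn -UseSSL -ErrorAction Stop

# Remove the HTTP listener; keep it only while something still depends on it.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -like 'Transport=HTTP' } |
    Remove-Item -Recurse

# Show what is listening now.
winrm enumerate winrm/config/listener

# On a client, -UseSSL switches to 5986 and validates the certificate chain:
# Enter-PSSession -ComputerName server01.testj.com -UseSSL -Credential (Get-Credential)
```

With HTTPS in place, TrustedHosts is no longer what protects the credential: the TLS certificate authenticates the server, which is exactly the check that NTLM over HTTP lacks.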


Remote management can also be enabled through Group Policy:

Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile

=====================================

Enable-PSRemoting ≈ Set-WSManQuickConfig ≈ winrm quickconfig
(Enable-PSRemoting runs Set-WSManQuickConfig and, on top of that, registers and enables the PowerShell session configurations; Set-WSManQuickConfig does the same WinRM setup as winrm quickconfig.)

Running Enable-PSRemoting prints:
WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable remote management of this computer by using the Windows Remote Management (WinRM) service.
This includes:
1. Starting or restarting (if already started) the WinRM service
2. Setting the WinRM service startup type to Automatic
3. Creating a listener to accept requests on any IP address
4. Enabling Windows Firewall inbound rule exceptions for WS-Management traffic (for http only).

Running winrm quickconfig prints:
Performing configuration actions to enable this machine for remote management.
This includes:
1. Starting the WinRM service
2. Setting the WinRM service type to auto start
3. Creating a listener to accept requests on any IP address
4. Enabling the firewall exception for WS-Management traffic (for http only)

 

View the specific IP addresses WinRM is listening on:

winrm enumerate winrm/config/listener

=====================================================================================================

Running Enable-PSRemoting, winrm quickconfig or Set-WSManQuickConfig as Administrator on the local server all report "Access is denied"; possible causes:

1. On a workgroup computer, check the local security policy: secpol.msc > Local Policies > Security Options > Network access: Sharing and security model for local accounts - change it to Classic

2. Modify the registry: Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord

3. Check that the WinRM service is running, that the Windows Firewall service is running, and that the network location is not "Public" (on Windows Server 2008 a "Public" location does not matter; on Windows 7 it can be changed)

4. Check whether telnet localhost 47001 connects (47001 is the port the WinRM service itself registers with HTTP.SYS, independent of the 5985 listener)

5. Check whether winrm get winrm/config reports "Access is denied"

6. The Administrator password must not be empty

What finally worked on Windows Server 2008:

runas /user:administrator powershell, and in the newly opened PowerShell window run Enable-PSRemoting -Force again; it succeeded
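The checks in the list above, run in one pass so the cause of an "Access is denied" can be narrowed down, as an added example that is not part of the original notes. It assumes an elevated PowerShell and Windows 8 / Server 2012 or later for Get-NetConnectionProfile (on older systems that one check reports nothing); the empty-Administrator-password check cannot be scripted and is left out.

```powershell
# Added example: collect the WinRM prerequisites from the troubleshooting list
# above into one table. Run elevated.
function Test-WinRMPrereq {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Ok, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" })
    }

    # Services: WinRM and Windows Firewall (MpsSvc) must both be running.
    foreach ($name in 'WinRM', 'MpsSvc') {
        $svc = Get-Service $name -ErrorAction SilentlyContinue
        Add-Result "service $name running" ($svc.Status -eq 'Running') $svc.Status
    }

    # LocalAccountTokenFilterPolicy = 1 lets local admins keep a full token over the network.
    $pol = Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System `
               -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    Add-Result 'LocalAccountTokenFilterPolicy = 1' ($pol.LocalAccountTokenFilterPolicy -eq 1) $pol.LocalAccountTokenFilterPolicy

    # Sharing model must be Classic (ForceGuest = 0); otherwise network logons are mapped to Guest.
    $lsa = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name ForceGuest -ErrorAction SilentlyContinue
    Add-Result 'ForceGuest = 0 (Classic)' ($lsa.ForceGuest -eq 0) $lsa.ForceGuest

    # A Public network profile blocks creation of the firewall exception.
    $public = Get-NetConnectionProfile -ErrorAction SilentlyContinue |
              Where-Object NetworkCategory -eq 'Public'
    Add-Result 'no Public network profile' (-not $public) (@($public.Name) -join ', ')

    # The WinRM service's own HTTP.SYS port 47001 must answer on loopback.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect('127.0.0.1', 47001); $open = $true }
    catch   { $open = $false }
    finally { $tcp.Dispose() }
    Add-Result 'tcp 47001 reachable on loopback' $open ''

    # Reading the configuration must not itself fail with access denied.
    $cfg = winrm get winrm/config 2>&1
    Add-Result 'winrm get winrm/config succeeds' ($LASTEXITCODE -eq 0) (@($cfg)[0])

    # Identify request against the local service.
    try   { $null = Test-WSMan -ErrorAction Stop; Add-Result 'Test-WSMan localhost' $true '' }
    catch { Add-Result 'Test-WSMan localhost' $false $_.Exception.Message }

    return $results
}

Test-WinRMPrereq | Format-Table -AutoSize
```

Read the table top to bottom: a stopped WinRM service explains every later failure, and a failing 47001 connect with the service running usually points at an HTTP.SYS URL reservation problem rather than at the listener on 5985.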

 

===========================================================

http://blogs.msdn.com/b/wmi/archive/2009/07/24/powershell-remoting-between-two-workgroup-machines.aspx

  If you’re an IT Pro, PowerShell remoting is a great tool for doing quick, ad hoc management tasks on computers from the comfort of your own home or office.  However, before you can log into a machine, you have to make sure that it’s properly configured to grant you access – for safety’s sake, the default settings don’t allow remote access.  If the machine you’re trying to log into is in a Workgroup, which doesn’t have the same stringent security requirements and infrastructure of a typical Domain setting, you’ll have to modify a few additional settings in order to get this done.

  Below I’ve listed the steps required to configure two Workgroup machines so that you can remotely access one from the other using PowerShell.  The computer you’re sitting in front of is called the client machine, while the computer you’re trying to remotely access is called the server machine.

  First, configure the server machine to allow access.  To do this, open a PowerShell command prompt (be sure to run as Administrator) and run the following cmdlet:

Enable-PSRemoting -Force

  If one of the network cards on your computer has the network connection type set to “Public” then the required port won’t be opened in your firewall settings.  If you’d rather not change your network connection type, you’ll have to manually configure your firewall to allow traffic through.  If you plan on connecting using a specific port, be sure to set your firewall rules appropriately.  If you’re just using the default ports, see this recent blog post to figure out which ports to open.

  Make sure that the password for your Administrator account is not empty!  If it is, you won’t be able to log in remotely.

  Now you’ll need to configure your client machine.  First you’ll have to enable WinRM local access so that you can modify the proper settings.  To do this, start the WinRM service and enable the local account token filter policy (see this Microsoft support article for details on this machine-wide policy).  Run these commands in an elevated PowerShell prompt:

                Start-Service WinRM

                Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord

  Both of those steps are unnecessary if you’ve already run the Enable-PSRemoting cmdlet on your client machine.

  If you’re running on Windows XP, you also need to set the network access policy “Sharing and security model for local accounts” to Classic (see this Microsoft support article for more details):

                Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name ForceGuest -Value 0

  Now that WinRM local access is enabled, you’ll need to add the name of your server machine to the TrustedHosts setting in the WinRM configuration, which enables your client machine to connect to your server machine using an authentication mechanism that does not authenticate the server (like Kerberos does):

Set-Item WSMan:\localhost\Client\TrustedHosts -Value <ServerMachineName> -Force

  Note: This command replaces any previous value that was stored in TrustedHosts!  If there is an existing list of servers and you don't want to remove them, use the -Concatenate parameter:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value <ServerMachineName> -Force -Concatenate

  If you want to use your server machine’s IP address instead of its name, you must specify explicit credentials when you connect.

  A word of caution: by adding a server to the TrustedHosts list, you are allowing your credential information to be sent to a server without verifying its identity.  Only add a server to this list if you know that the network path from your client machine to the server machine is secure.

  You can now manage your server machine using PowerShell remoting!

  Just in case things don’t work out perfectly the first time, here are some useful commands to check on the relevant configuration settings.

  To check if the WinRM service is running:

                Get-Service WinRM 

  To check the version of WinRM that’s installed:

                Test-WSMan -Authentication default

  To check the remoting configuration for PowerShell:

                Get-PSSessionConfiguration

  To verify that local WinRM access is working:

                New-PSSession 

  To check if the local account token filter policy is enabled (on Windows Vista and Windows Server 2008):

                Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy*

  To check if the network access policy “Sharing and security model for local accounts” is set to Classic (on Windows XP):

                Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name ForceGuest*

  To check the WinRM listener settings:

                winrm enumerate winrm/config/listener

  For additional help and troubleshooting steps:

                Get-Help about_remote_troubleshooting

posted on 2013-03-15 15:17 by momingliu11