Learning PowerShell step one - enable remote access
-
In efforts to learn PowerShell better, I'm trying to enable it globally within my domain.
I've created a GPO that enables the inbound firewall ports
https://i.imgur.com/Uj3eZDH.png
and the WinRM service
https://i.imgur.com/fg2ckVk.png
Both of these settings are applying, and about half my machines are now working.
The other half are generating one of the following errors:
Connecting to remote server computername failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (computername:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : URLNotAvailable,PSSessionStateBroken

Connecting to remote server computername failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (computername:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken
For full disclosure, about 1/2 of the machines that have an error have a "can't resolve" error. I'll look at those at another time - it's likely most of them (being laptops) are simply offline - or machines that no longer exist.
-
Starting with this one
Connecting to remote server computername failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (computername:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : URLNotAvailable,PSSessionStateBroken

Using screen connect (because I can't use a remote PowerShell session) I run
winrm e winrm/config/listener
And the Output:
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = ::1, fe80::ad99:8e4d:c356:9939%5, fe80::c0a1:571b:2955:87be%7, fe80::cda4:4841:5bff:7b5c%8, fe80::f902:5ea5:2d74:a154%3
Interesting - the server is only listening on IPv6 addresses.
-
ListeningOn = ::1, fe80::ad99:8e4d:c356:9939%5, fe80::c0a1:571b:2955:87be%7, fe80::cda4:4841:5bff:7b5c%8, fe80::f902:5ea5:2d74:a154%3
Interesting - the server is only listening on IPv6 addresses.
Turns out IPvX filters are for the addresses that are listening (i.e. the local IP on the machine you are trying to remote into).
I set a filter like this 10.0.0.1-10.0.5.254 (where my admin machines would live).
Unfortunately, since this isn't an incoming filter (that's the firewall's job) this filter wasn't large enough to cover all of my production networks. I had 10.1.0.1-10.1.0.254 that wasn't inside the above range, and of course that kept the machine from listening on its IPv4 (the IPv6 was listening because I just left it wide open - testing, not using IPv6 in general, so left it as default (*)).
So tweaking my filter to 10.0.0.1-10.0.5.254, 10.1.0.1-10.1.0.254 solved my problem.
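
An added example, not code from the thread: a small PowerShell model of the behaviour described in the last post, where the GPO IPv4 filter is matched against the target machine's own addresses rather than the caller's. The function names and the two sample host addresses are assumptions made for illustration; the filter strings are the ones quoted above.

```powershell
# Added example: models how the WinRM GPO IPv4 filter selects LOCAL listening addresses.
function ConvertTo-IPv4Number {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address.Trim()).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    # Pack the four octets into one integer so ranges can be compared numerically.
    ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Test-WinRMIPv4Filter {
    param(
        [string]$Filter,                                 # value of the GPO "IPv4 filter" field
        [Parameter(Mandatory)][string[]]$LocalAddress    # IPv4 addresses bound on the target
    )
    # Ranges are comma separated; a blank filter leaves no ranges, so nothing listens.
    $ranges = @($Filter -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($ip in $LocalAddress) {
        $hit = $null
        if ($ranges -contains '*') {
            $hit = '*'                                   # "*" selects every local address
        } else {
            $n = ConvertTo-IPv4Number $ip
            foreach ($r in $ranges) {
                $first, $last = $r -split '-', 2         # each range is written IP1-IP2
                if ($n -ge (ConvertTo-IPv4Number $first) -and $n -le (ConvertTo-IPv4Number $last)) {
                    $hit = $r; break
                }
            }
        }
        [pscustomobject]@{ LocalAddress = $ip; Listens = [bool]$hit; MatchedRange = $hit }
    }
}

# Constructed sample targets: one inside the admin range, one on the 10.1.0.x network.
$sample = '10.0.3.20', '10.1.0.57'
# The original filter from the thread, then the widened one that fixed the problem.
foreach ($f in '10.0.0.1-10.0.5.254', '10.0.0.1-10.0.5.254, 10.1.0.1-10.1.0.254') {
    "Filter: $f"
    Test-WinRMIPv4Filter -Filter $f -LocalAddress $sample | Format-Table -AutoSize
}
```

On a real machine, pass `(Get-NetIPAddress -AddressFamily IPv4).IPAddress` as `-LocalAddress` and compare the result with the `ListeningOn` line of `winrm e winrm/config/listener`.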