1
00:00:00,240 --> 00:00:03,760
Now this error that's caused by the remote machine

2
00:00:03,760 --> 00:00:06,740
executing it is to do with credentials.

3
00:00:06,740 --> 00:00:08,610
So if we look back at our command,

4
00:00:08,610 --> 00:00:12,640
so let me just clear this for a second, and we'll just enter the

5
00:00:12,640 --> 00:00:15,850
command here, you can see that we're invoking this command on the

6
00:00:15,850 --> 00:00:19,650
list of computers, and we're telling it to use credentials that I

7
00:00:19,650 --> 00:00:21,640
created on this machine.

8
00:00:21,640 --> 00:00:25,360
Now the problem is that when it gets from here to the other machines,

9
00:00:25,360 --> 00:00:28,830
so i.e., the servers, apart from Active Directory,

10
00:00:28,830 --> 00:00:34,650
it can't delegate the credentials that have been set up here on

11
00:00:34,650 --> 00:00:37,840
that machine, so we then get an access denied.

12
00:00:37,840 --> 00:00:42,040
So this is where we're able to do some simple configuration to get around this.

13
00:00:42,040 --> 00:00:45,520
So I'm going to just come off this line here, and this is done by

14
00:00:45,520 --> 00:00:52,410
using a new PowerShell cmdlet called WSManCredSSP.

15
00:00:52,410 --> 00:00:56,630
So what this does is allows me to say I want this machine that

16
00:00:56,630 --> 00:01:00,520
I'm working on to function as a client machine.

17
00:01:00,520 --> 00:01:04,270
And then the servers that I wish to execute against,

18
00:01:04,270 --> 00:01:08,160
I need them to work as a server.

19
00:01:08,160 --> 00:01:11,900
Now what this does when we actually do this is we're going to specify the role,

20
00:01:11,900 --> 00:01:15,380
and in this instance, I'm going to say this is the client.

21
00:01:15,380 --> 00:01:17,840
Once I've specified this is the client,

22
00:01:17,840 --> 00:01:22,690
I then need to say what the delegated computer would be.

23
00:01:22,690 --> 00:01:25,640
Now if this is a single one‑time instance,

24
00:01:25,640 --> 00:01:30,060
then I can go in and say this IP address or this fully‑qualified

25
00:01:30,060 --> 00:01:34,440
domain name, so this would be server1.domain.com.

26
00:01:34,440 --> 00:01:37,820
But what I can also do is actually just do a star here.

27
00:01:37,820 --> 00:01:42,540
So I'm going to say Enter and just say Yes, and this will go ahead and say

28
00:01:42,540 --> 00:01:47,380
I'm going to allow you, client machine, to take these credentials and post

29
00:01:47,380 --> 00:01:49,940
them all the way over to that other machine.

30
00:01:49,940 --> 00:01:51,920
Now, on the other machine,

31
00:01:51,920 --> 00:01:55,390
which is the servers, we need to run a similar command.

32
00:01:55,390 --> 00:01:57,330
Now I've already previously run this,

33
00:01:57,330 --> 00:02:01,710
so I'm going to show you the command here. And what this will do is we say

34
00:02:01,710 --> 00:02:07,790
-Role, and then we set to Server, and we execute this command on each of the

35
00:02:07,790 --> 00:02:12,070
servers that we wish to be able to enable. As part of that remote PowerShell

36
00:02:12,070 --> 00:02:16,640
configuration that we already did previously, this will allow us to send those

37
00:02:16,640 --> 00:02:19,040
credentials from one to another.

38
00:02:19,040 --> 00:02:21,560
So I'm going to just clear the screen, and what we'll do

39
00:02:21,560 --> 00:02:23,840
is just loop back through my commands.

40
00:02:23,840 --> 00:02:25,750
Now there is another thing we have to do,

41
00:02:25,750 --> 00:02:27,790
but before we do that, let's see if this works.

42
00:02:27,790 --> 00:02:29,340
So I'm going to press Enter.

43
00:02:29,340 --> 00:02:33,200
It's going to go ahead, and you'll see it's still giving me the same error.

44
00:02:33,200 --> 00:02:37,170
And that's because we need to tell the authentication

45
00:02:37,170 --> 00:02:39,880
process to work a little bit differently.

46
00:02:39,880 --> 00:02:41,710
So let's go back to my command.

47
00:02:41,710 --> 00:02:44,060
We're going to leave our computers in there. We're going

48
00:02:44,060 --> 00:02:45,740
to leave our credentials in there.

49
00:02:45,740 --> 00:02:49,140
But what we're going to do is actually add an authentication

50
00:02:49,140 --> 00:02:53,740
property, and then one of the options is Credssp.

51
00:02:53,740 --> 00:02:57,540
Now what this will do is say go ahead and use the credentials,

52
00:02:57,540 --> 00:03:00,690
connect to the remote machine, and use those credentials.

53
00:03:00,690 --> 00:03:03,060
But if you have a problem, which is going to be an

54
00:03:03,060 --> 00:03:05,020
access denied or unauthorized,

55
00:03:05,020 --> 00:03:07,710
then I want you to delegate those credentials to the

56
00:03:07,710 --> 00:03:09,960
other machine and allow it to execute.

57
00:03:09,960 --> 00:03:12,850
Now, of course, before we do that because I've just run this, I need to

58
00:03:12,850 --> 00:03:16,980
remove my TRAININGADVM one, so just delete that. We don't need that, and

59
00:03:16,980 --> 00:03:21,010
minimize, and then I'm going to execute this command. So this is going to

60
00:03:21,010 --> 00:03:22,970
go ahead to each of the machines,

61
00:03:22,970 --> 00:03:27,830
pass the credentials across, and then execute that PowerShell script,

62
00:03:27,830 --> 00:03:30,830
and now you'll notice it says that we have four files.

63
00:03:30,830 --> 00:03:35,520
So let's go back to the file structure, and sure enough, I have four reports.

64
00:03:35,520 --> 00:03:38,880
If I double‑click one of them here, you can see it gives me details.

65
00:03:38,880 --> 00:03:40,860
There's my TRAININGSRV01.

66
00:03:40,860 --> 00:03:45,860
If I click on TRAININGSRV03, TRAININGSRV03, TRAININGSRV02,

67
00:03:45,860 --> 00:03:48,240
and then my Active Directory server.

68
00:03:48,240 --> 00:03:53,800
So, a simple change will allow us to pass credentials from one location to

69
00:03:53,800 --> 00:03:57,580
another location to allow things to execute correctly.

70
00:03:57,580 --> 00:04:01,330
As you can see from running this one, it works really well.

71
00:04:01,330 --> 00:04:05,180
Now, of course, what I did here was I used a local file path

72
00:04:05,180 --> 00:04:08,040
for execution of that PowerShell script.

73
00:04:08,040 --> 00:04:11,590
Now what about if I wanted to store that PowerShell script somewhere

74
00:04:11,590 --> 00:04:15,550
else? So let's go back to my folder structure here.

75
00:04:15,550 --> 00:04:18,860
I'm going to delete my Report files from my devices.

76
00:04:18,860 --> 00:04:20,440
We'll just do this.

77
00:04:20,440 --> 00:04:23,690
I'm going to click into the share a little bit more, and you

78
00:04:23,690 --> 00:04:26,700
can see I've got the Scripts folder. And sure enough, I've got

79
00:04:26,700 --> 00:04:29,440
that Report file that's there.

80
00:04:29,440 --> 00:04:35,230
So what I'm going to do is get a copy of that UNC path. And what we'll

81
00:04:35,230 --> 00:04:40,880
do is clear the screen a little bit here, and we'll reissue that same

82
00:04:40,880 --> 00:04:47,340
command, but I'm actually going to use a UNC path for that PowerShell

83
00:04:47,340 --> 00:04:49,540
script instead of running it locally.

84
00:04:49,540 --> 00:04:52,980
So I think what happened the first time, I ran the command, and

85
00:04:52,980 --> 00:04:56,530
I'd copied the Report.ps1 file to my machine, so

86
00:04:56,530 --> 00:05:00,890
C:\Code\Report.ps1, and then I was basically rendering it in the

87
00:05:00,890 --> 00:05:03,240
client here and then pushing it out.

88
00:05:03,240 --> 00:05:06,990
What I want to do now is just say my report script is on a network

89
00:05:06,990 --> 00:05:10,360
share, so think of the logic. You want to run a script against

90
00:05:10,360 --> 00:05:13,440
multiple machines, but you don't want to copy it to the machines

91
00:05:13,440 --> 00:05:15,120
or have it on one machine.

92
00:05:15,120 --> 00:05:17,750
You want to just store it centrally and then execute.

93
00:05:17,750 --> 00:05:22,070
So I'm going to use the same process again. I'm using my Credssp,

94
00:05:22,070 --> 00:05:24,720
and I'm using the credentials, and I'm using my list of

95
00:05:24,720 --> 00:05:27,590
computers, so I'm going to press Enter. This is now going to call

96
00:05:27,590 --> 00:05:34,530
across to that network share, load that PS1 file remotely, and then execute.

97
00:05:34,530 --> 00:05:37,720
And sure enough, it says it's created my files, so

98
00:05:37,720 --> 00:05:41,760
let's go back to my file share again, go back to my Devices.

99
00:05:41,760 --> 00:05:43,480
And sure enough, my files are here.

100
00:05:43,480 --> 00:05:47,440
If I open up VM1, you'll see my same details.

101
00:05:47,440 --> 00:05:51,130
So a couple of different ways of being able to execute either

102
00:05:51,130 --> 00:05:54,090
sessions against single or multiple machines,

103
00:05:54,090 --> 00:05:57,580
either running static commands or even just running

104
00:05:57,580 --> 00:06:00,540
PowerShell scripts themselves against the machine.

105
00:06:00,540 --> 00:06:05,290
Obviously, PowerShell scripts remotely that are stored either

106
00:06:05,290 --> 00:06:09,640
locally or on a UNC path such as a file share.

107
00:06:09,640 --> 00:06:17,000
So a simple process. The key is obviously to make sure that we have the delegation of credentials in order for that to work.

