MohamedSayed-4462 asked JiaYou-MSFT commented

PowerShell on remote server 2016 error: Cannot open Service Control Manager on computer 'xxx.xxx.xxx.xxx'. This operation might require other privileges.[0]

Hi Gurus,
I have a PowerShell script used to stop/start services on a remote 2016 server running from another 2016 server.
I enabled PS remoting, enabled File and Printer sharing in Firewall, I have a domain user which has Domain Admin permission.

When I run the script from Task Scheduler using that account, I get the below error:
Cannot open Service Control Manager on computer 'xxx.xxx.xxx.xxx'. This operation might require other privileges.[0]

When I use Administrators group in the Task Scheduler, it works fine when triggered manually (and of course it doesn't trigger automatically because I cannot change the checkbox for "Run whether User is logged in or not").

When I run the script from PowerShell As Administrator, it works fine too.
When I run the script manually from PowerShell using the domain account (Run As Different user), it works fine as well.

What could be wrong with Task Scheduler?

windows-server-2016

Hi

This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.


Thank you Jia,
I'm waiting for your response please.

I also checked in the target server for WinRM configuration:

PS C:\Windows\system32> winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

What else should I check?

MotoX80 answered MohamedSayed-4462 edited

When I use Administrators group in the Task Scheduler, it works fine when triggered manually (and of course it doesn't trigger automatically because I cannot change the checkbox for "Run whether User is logged in or not").

That's because Administrators (plural) is a group and not a user. A group cannot logon. If task scheduler is running with that group then it is really using whatever account that you are logged on with.

When I run the script from PowerShell As Administrator, it works fine too.

Does that mean that you logged on to the machine with the account named Administrator or does that mean that you selected the "Run as administrator" option to elevate the process for UAC access?


I have a domain user which has Domain Admin permission.

For example, let's call that account MyDomain\MyAdmin. And you have machine AAA where the script runs and you are trying to query the services on machine BBB. Are you able to log on (RDP) to both machines using the MyDomain\MyAdmin and perform administrative tasks? (To verify that both machines see that account as a member of the administrators group.)

Using that account on machine AAA run these commands. Do they work?

 get-service -ComputerName BBB
 invoke-command -ComputerName BBB -ScriptBlock {Get-service} 

Cannot open Service Control Manager on computer 'xxx.xxx.xxx.xxx'.

Are you using the computer name or the IP address on your PowerShell commands? I would recommend using the computer name. In fact you may want to try using the fully qualified name, BBB.MyDomain.Com.

Finally, on the task definition you will see a checkbox labeled "Run with the highest privileges". Make sure that is checked. The task should run as your MyDomain\MyAdmin account.











Hello Moto, thanks for taking time to reply :)

That's because Administrators (plural) is a group and not a user. A group cannot logon. If task scheduler is running with that group then it is really using whatever account that you are logged on with.

I already know this and I mentioned about it in my first question :)

Does that mean that you logged on to the machine with the account named Administrator or does that mean that you selected the "Run as administrator" option to elevate the process for UAC access?

Yes, I mean "Run As Administrator" to elevate the process :)

Using that account on machine AAA run these commands. Do they work?

get-service -ComputerName BBB
invoke-command -ComputerName BBB -ScriptBlock {Get-service}


Yes, both work fine. But I didn't try RDP because this account does not need RDP permission, it will be used only for running remote jobs.







Are you using the computer name or the IP address on your PowerShell commands? I would recommend using the computer name. In fact you may want to try using the fully qualified name, BBB.MyDomain.Com.

Finally, on the task definition you will see a checkbox labeled "Run with the highest privileges". Make sure that is checked. The task should run as your MyDomain\MyAdmin account.


The checkbox labeled "Run with the highest privileges" is checked.
Actually I'm using IP address and when I tried FQDN it worked very fine :)

Thanks Moto.

JiaYou-MSFT answered JiaYou-MSFT edited

Hi MohamedSayed-4462,

0. Do you have below condition?
We create a task scheduler on local server 2016, in this task scheduler and insert "powershellscript" on local server 2016. This "powershellscript" will be triggered to stop/start service running on remote server 2016.


"I have a domain user which has Domain Admin permission."
1. Can you check if this domain user account is in domain admin user group like picture?
2. Could you please check if this domain user account is in local administrators group of remote server 2016?

3. "PowerShell script used to stop/start services"
Could you share the simple PowerShell command for us to test your issue?

4. Are both local server 2016 (task scheduler launched machine) and remote server 2016 in the same AD domain?





MohamedSayed-4462 answered JiaYou-MSFT converted comment to answer

Thanks Jia for taking the time to search and reply.

1. Can you check if this domain user account is in domain admin user group like picture?

Yes, it is in the domain admin group

2. Could you please check if this domain user account is in local administrators group of remote server 2016?

No, it is not in the Administrators group. I understand that as long as the account is created in AD then all permissions are pushed from AD to the server, so I don't need to add it to the Local Administrators group in the target server, should I?

3. "PowerShell script used to stop/start services"
Could you share the simple PowerShell command for us to test your issue?

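 # $SQERVERS holds the target servers; its definition is not shown in the post
 foreach ($SERVER in $SQERVERS)
 {
     # Query the service on the remote server
     $arrS = Get-Service -Name " Monitoring" -ComputerName $SERVER
     # Start the service only if it is currently stopped
     if ($arrS.Status -eq "Stopped")
     {
         $arrS | Start-Service
     }
 }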


4. Both servers are in the same AD domain.


Problem was solved after using FQDN instead of IPs
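
The fix reported in this thread (FQDN instead of IP address), applied to the posted loop as an added example that is not part of the original posts: each target is resolved to its DNS name before `Get-Service` is called, and the account the task actually runs under is logged with every result. `$Targets`, `$ServiceName` and `Resolve-TargetFqdn` are hypothetical names, and the host and service values are placeholders.

```powershell
# Added example for Windows PowerShell 5.1 (Server 2016); not from the thread.
# Placeholder inputs: replace with your own hosts and service name.
$Targets     = @('BBB.MyDomain.Com', '192.0.2.10')
$ServiceName = 'Spooler'

function Resolve-TargetFqdn {
    # Hypothetical helper: turn an IP address or short name into a DNS FQDN.
    param([Parameter(Mandatory)][string]$Target)

    # Reverse lookup for an IP literal, forward lookup for a name;
    # throws if DNS has no answer.
    $fqdn = [System.Net.Dns]::GetHostEntry($Target).HostName

    $ip = $null
    if ([System.Net.IPAddress]::TryParse($fqdn, [ref]$ip)) {
        throw "DNS returned no host name for '$Target'"
    }
    if ($fqdn -notlike '*.*') {
        throw "'$fqdn' is not fully qualified"
    }
    return $fqdn
}

# Log the identity the scheduled task really runs under.
$runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

foreach ($target in $Targets) {
    try {
        # Addressing the host by name lets Windows request a Kerberos ticket;
        # by default it does not attempt Kerberos for an IP-literal target.
        $fqdn = Resolve-TargetFqdn -Target $target
        $svc  = Get-Service -Name $ServiceName -ComputerName $fqdn -ErrorAction Stop

        if ($svc.Status -eq 'Stopped') {
            $svc | Start-Service -ErrorAction Stop
            $result = 'started'
        }
        else {
            $result = "left in state $($svc.Status)"
        }
        Write-Output "[$runAs] ${fqdn}: $ServiceName $result"
    }
    catch {
        # One unreachable or misnamed host must not abort the remaining targets.
        Write-Warning "[$runAs] ${target}: $($_.Exception.Message)"
    }
}
```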


JiaYou-MSFT answered JiaYou-MSFT edited

Hi

I insert below ps script in task scheduler on my local 2016 server.

 $arrs = get-service -name "print spooler" -computer 192.168.0.24
 if ($arrs.status -eq "stopped")
 {
     $arrs | start-service
 }

I created a task scheduler with name test1, the detail information like below:
No matter the logon account is "Administrators group" or "specified domain admin", the task scheduler run fine.
So could you please logon the remote server to stop "printer spooler service" on remote server, then create a new test taskscheduler like above example, will the same issue happen?

2. Does the same issue happen on other server which can be created the same task scheduler?

3. Did you set winrm trusted host for the ip address of destination remote server on local server?
for example:

 Set-Item wsman:\localhost\Client\TrustedHosts -value 192.168.3.*


JiaYou-MSFT answered

Hi MohamedSayed-4462,

Is there any progress on your question?

JiaYou-MSFT answered JiaYou-MSFT commented

Hi MohamedSayed-4462,

Is there anything I can help you with?
