This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 79%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBP%3C/text%3E%3C/svg%3E)
I have a script which I can run locally on our ConnectionBroker, though the session has to be elevated, which manages our RDRemoteApp collections. We're trying to automate processes and remote the requirement of having someone actually log onto the ConnectionBroker to run scripts manually. To do so, we are trying to use Invoke-Command to run the script remotely.
Even though we pass credentials for a user that is in domain administrator group, the following script gives us an error when run remotely:
$server = "ConnectionBrokerName"
$collectionName ="OurCollection"
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("DOMAIN\domain_admin", $password)
$sb =
{
Import-Module RemoteDesktop
Import-Module RemoteDesktopServices
Get-RDRemoteApp -CollectionName $Using:$collectionName
}
Invoke-Command -Credential $cred -ComputerName $server -ScriptBlock $sb
This will return an error like:
A Remote Desktop Services deployment does not exist on ConnectionBrokerName.DOMAIN.COM. This operation can be performed after creating a deployment. For information about creating a
deployment, run "Get-Help New-RDVirtualDesktopDeployment" or "Get-Help New-RDSessionDeployment".
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
The value of $collectionName needs to be passed as a parameter to the script block.
Try using (no pun intended) something like this:
$sb =
{
Import-Module RemoteDesktop
Import-Module RemoteDesktopServices
Get-RDRemoteApp -CollectionName $USING:collectionName
}
Thanks for pointing that out, but it's not the issue. I've replaced the variable substitution with hard coded variables and I get the same result. There seems to be an issue where Invoke-Command is not being run with elevated privileges, even though I'm passing credentials of user in the Domain Administrator group.
Here is my code snippet to test for elevation.
function Test-IsAdmin {
([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}
if (Test-IsAdmin) {
""
"You are running with Administrator access."
""
} else {
""
"You do not have admin access."
""
}
I am not familiar with Get-RDRemoteApp, but my guess would be that you are running into the infamous double hop authentication issue. Does that cmdlet reach out to additional servers? (Beyond the $server machine.)
I added your code to my script block, and it does appear that I'm running with administrative access. It could be a "double hop" issue even though all of the services run on a single machine, Get-RDRemoteApp may be attempting to "connect" even though it's the same machine.
Are you use a high-availabilty setup?
(Get-RDConnectionBrokerHighAvailability -ConnectionBroker).ActiveManagementServer
Does this work? And, if it does, do you get the name of the server you expect?
We do not use high-availability setup. The call Get-RDRemoteApp works when I run the same script on our Connection-Broker, in an elevated ISE.
Does it work when you run it through Invoke-Command.?
Run Process Monitor and trace the ISE process. Does it reach out to other servers?
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon