Tuesday, February 7, 2017

PowerShell: Configuring a Host to Allow Remote Management

To manage a remote host with PowerShell, the managed host must first be configured to allow remote management. See the following page for details:
https://technet.microsoft.com/en-us/library/ff700227.aspx

An excerpt from that page follows:

You can verify the availability of WinRM and configure a PowerShell for remoting by following these steps: 
1. Start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting Run As Administrator. 

2. The WinRM service is configured for manual startup by default. You must change the startup type to Automatic and start the service on each computer you want to work with. At the PowerShell prompt, you can verify that the WinRM service is running using the following command: 
get-service winrm
The value of the Status property in the output should be “Running”.

3. To configure Windows PowerShell for remoting, type the following command: 
Enable-PSRemoting -force

In many cases, you will be able to work with remote computers in other domains. However, if the remote computer is not in a trusted domain, the remote computer might not be able to authenticate your credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, type: 
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
Here, RemoteComputer should be the name of the remote computer, such as: 
winrm s winrm/config/client '@{TrustedHosts="CorpServer56"}'


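In addition, if a remote connection to the host still fails with "Access is denied" after the steps above, UAC is a likely cause. According to explanations found online, when UAC is enabled on the host, an account used for remote control is unaffected if it is a domain account in the Administrators group. If the account is a local account, however, UAC does not allow it to access the WinRM service remotely. To use a local account, create the following DWORD value in the registry and set it to 1, which allows local accounts to use the WinRM service: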

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] LocalAccountTokenFilterPolicy

Alternatively, run CMD as an administrator and enter the following to add the registry value:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
winrm quickconfig
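
As an added example (not part of the original post or the Microsoft page it quotes), the following read-only PowerShell function reports the three settings changed above: the WinRM service state, the client TrustedHosts list, and LocalAccountTokenFilterPolicy. The function name Get-RemotingPosture is hypothetical; run it from an elevated session.

```powershell
# Added example: read-only review of the settings this post changes.
# Get-RemotingPosture is a hypothetical helper name, not a built-in cmdlet.
function Get-RemotingPosture {
    [CmdletBinding()]
    param()

    # WinRM service state and startup type (step 2 of the excerpt).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"

    # TrustedHosts lives on the WSMan: drive. Reading it needs WinRM running
    # and an elevated session, so a failure is reported instead of thrown.
    try {
        $trustedHosts = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value
    } catch {
        $trustedHosts = '<unreadable: WinRM stopped or session not elevated>'
    }

    # LocalAccountTokenFilterPolicy: absent or 0 keeps UAC remote filtering on.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $filterPolicy = if ($prop) { [int]$prop.LocalAccountTokenFilterPolicy } else { 0 }

    # Collect the points a reviewer would want to look at.
    $notes = @()
    if ($svc.State -ne 'Running') {
        $notes += 'WinRM service is not running.'
    }
    if ($trustedHosts -match '\*') {
        $notes += 'TrustedHosts contains a wildcard; list specific host names instead.'
    }
    if ($filterPolicy -eq 1) {
        $notes += 'LocalAccountTokenFilterPolicy=1: local admin accounts get a full token over the network.'
    }

    [pscustomobject]@{
        WinRMState                    = $svc.State
        WinRMStartMode                = $svc.StartMode
        TrustedHosts                  = $trustedHosts
        LocalAccountTokenFilterPolicy = $filterPolicy
        Notes                         = $notes
    }
}

Get-RemotingPosture | Format-List
```

An empty Notes field means the service is running, TrustedHosts has no wildcard, and UAC remote filtering for local accounts is still in effect.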