我有一個 PowerShell 腳本,用於執行兩件事:檢查Last CheckedWindows Update 的值,以及枚舉遠端伺服器的所有磁碟機並檢查這些磁碟機上的剩餘空間。
此函數的預期輸出為:
servername
----------
Last Checked for Windows Update:
01/18/2021 08:12:46
Disk Size Free %Free
C: 501.46 238.06 47.47%
E: 300.00 140.15 46.72%
當在與我位於同一網域的電腦上執行時,該腳本的工作方式與預期完全一致。但是,我們有一些電腦不在同一網域中,並且使用本機管理員帳戶進行存取。當對其中一台電腦運行腳本時,Windows 更新部分失敗,但磁碟空間部分成功運行。
腳本的兩個部分共享相同的內容PsCredential,但磁碟空間部分是Get-WmiObject使用參數的函數-ComputerName,而 Windows 更新部分位於帶有和 的函數-Credential內部Invoke-Command-ComputerName-Credential
我不確定為什麼同樣的PsCredential方法對一個有效,而對另一個則失敗,也許是不同的身份驗證路線?
我從 Windows 更新部分得到的錯誤是:
[servername] Connecting to remote server servername failed with the following error message : WinRM cannot process the
request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you
in with this credential because your domain isn't available. Make sure your device is connected to your organization's
network and try again. If you previously signed in on this device with another credential, you can sign in with that
credential.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (servername:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AuthenticationFailed,PSSessionStateBroken
腳本是:
$server = "servername"
$adminaccount = $server + "\localadminaccount"
$PASSWORD = ConvertTo-SecureString "localadminpassword" -AsPlainText -Force
$UNPASSWORD = New-Object System.Management.Automation.PsCredential $adminaccount, $PASSWORD
$out = ""
$out += $server + "`n----------`n"
$out += Invoke-Command -ComputerName $server -Credential $UNPASSWORD -ScriptBlock {
Function Get-LocalTime($UTCTime) {
$strCurrentTimeZone = (Get-WmiObject win32_timezone).StandardName;
$TZ = [System.TimeZoneInfo]::FindSystemTimeZoneById($strCurrentTimeZone);
Return [System.TimeZoneInfo]::ConvertTimeFromUtc($UTCTime, $TZ);
}
$updateInfo = "Last Checked for Windows Update: `n";
$updateInfo += Get-LocalTime $(New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastSearchSuccessDate;
$updateInfo += "`n`n"
Return $updateInfo
}
$out += "Disk`tSize`tFree`t%Free`n"
$disks = Get-WmiObject Win32_LogicalDisk -computername $server -filter DriveType=3 -Credential $UNPASSWORD
foreach ($objdisk in $disks)
{
$size = "{0:N2}" -f ($objDisk.Size/1GB)
$free = "{0:N2}" -f ($objDisk.FreeSpace/1GB)
$freePercent="{0:P2}" -f ([double]$objDisk.FreeSpace/[double]$objDisk.Size)
$out += $objDisk.DeviceID + "`t"
$out += $size + "`t"
$out += $free + "`t"
$out += $freePercent + "`n"
}
$out
答案1
據我所知,Invoke-Command如果電腦不在同一網域中,則需要將其設定為受信任的主機,因此解決方案是將電腦新增為受信任的主機。
為了避免不必要地干擾可信任主機,我以僅暫時影響可信任主機的方式實現了這個解決方案:
之前Invoke-Command(新增可信任主機):
$curHosts = (Get-ChildItem WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $server -Concatenate -Force
之後Invoke-Command(重置受信任的主機):
Set-Item WSMan:\localhost\Client\TrustedHosts $curHosts -Force