尝试为我们的 SMTP 集群编写一个监控脚本 (Powershell),该集群有时有 3 个节点。
当我在本地时,在 SMTP 集群上运行以下命令:
Get-NlbClusterNode
我得到了我需要的输出。
但是,如果我从远程服务器(相同的网络和域)尝试相同的操作,我会得到:
[smtp-s001a]: PS C:\> Get-NlbClusterNode
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo :
+ FullyQualifiedErrorId :
AccessDenied,Microsoft.NetworkLoadBalancingClusters.PowerShell.GetNlbClusterNode
这是为什么?只有“Get-NlbClusterNODE”命令才能让我访问被拒绝。以“Get-NlbCluster”为例,效果很好。
有什么建议吗?
我遇到过同样的问题。
我花了一段时间才弄清楚。我将 Powershell 作为我的服务中的一个进程运行。该服务在所有主机的同一用户帐户下运行,但密码是在每个主机/集群节点上随机生成的,这就是为什么我得到“拒绝访问...”一旦我将密码更改为相同,一切正常。
还要禁用 UAC 并重新启动机器。
我找到了一些解决方法。在远程会话中模拟管理员凭据
function EntryPoint()
{
ImportModule-Impersonate;
$impersonate = new-object UserSession.Impersonate;
try
{
if ($impersonate.Login("SKODA", "Administrator", "*****") -eq $false) {
throw new Exception("Invalid credentials");
}
Import-Module NetworkLoadBalancingClusters
Get-NlbClusterNode;
}
finally
{
$impersonate.Dispose();
}
};
function ImportModule-Impersonate {
$assem = @();
$source = @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
namespace UserSession
{
public class Impersonate : IDisposable
{
public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;
private WindowsImpersonationContext _impersonationContext;
[DllImport("advapi32.dll")]
public static extern int LogonUserA(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int DuplicateToken(IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern bool CloseHandle(IntPtr handle);
public bool Login(String domain, String userName, String password)
{
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
if (RevertToSelf())
{
if (LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, ref token) != 0)
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
_impersonationContext = tempWindowsIdentity.Impersonate();
if (_impersonationContext != null)
{
CloseHandle(token);
CloseHandle(tokenDuplicate);
return true;
}
}
}
}
if (token != IntPtr.Zero)
{
CloseHandle(token);
}
if (tokenDuplicate != IntPtr.Zero)
{
CloseHandle(tokenDuplicate);
}
return false;
}
public void Logout()
{
if (_impersonationContext != null)
{
_impersonationContext.Undo();
_impersonationContext = null;
}
}
public void Dispose()
{
Logout();
}
}
}
"@;
Add-Type -ReferencedAssemblies $assem -TypeDefinition $source -Language CSharp
}
EntryPoint;
我有完全相同的问题。使用这些凭据访问和运行的用户Get-NlbClusterNode拥有正确的权限,但由于某种无法解释的原因,他得到了那个奇怪的错误。我放弃了调查并做了以下解决方法:
$username = "domain\user_name"
$securePassword = "secure_hash" | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
$result = Start-Process powershell.exe -WorkingDirectory $PSHome -Credential $credential -ArgumentList ("-File $PSScriptRoot\your-script.ps1") | Out-Null
如果your-script.ps1你在哪里输入:
Invoke-Command -ComputerName "your-remote-server" -ScriptBlock {
Get-NlbClusterNode
#Any other commands you want here
}
它按预期工作......