Question
Tuesday, November 27, 2012 6:35 PM
First off I apologize but I am a complete newbie at PowerShell.
I have written a PS script that looks through a server's event logs and parses out WARNING/ERRORS and writes them to a text file on my primary domain controller's E:\ drive which I use to collect logs daily for review, the script writes to this location by doing \\primaryDChostname\E$\filename.txt
The script runs great if it's running locally on the machine (any machine) and it'll write the text file to the E: drive on the primary DC no problem.
I decided it's not efficient to have the script on every server running as a scheduled task on every server so I wanted to clean it up a bit.
I decided to write another PS script that runs my eventlog script remotely on all the servers that way the script is on 1 machine only and only 1 scheduled task is needed on my server hosting the script.
THE PROBLEM:
Well the 2nd script works only on the backup domain controller, it creates the text files on my primaryDC E:\ drive with no issues, however, when the script hits the member servers it fails with the following:
Access to the path '\PRIMARYDC\E$\ApplogERRORS.txt' is denied
OpenError:(:)[], UnauthorizedAccessException
FileOpenFailure
Permissions on E: on my primary DC are wide open, EVERYONE full control. If I run my event log script locally on a member server it has no issues writing the text file to the E:\ drive on my Primary DC so I don't understand if it's truly a file permissions issue.
I'm assuming it works on my backup DC because there is a full trust between it and the primary DC that doesn't exist on the member servers? I'm guessing here...??
Here is the secondary script syntax that kicks off my eventlog script:
invoke-command -computername BACKUPDOMAINCONTROLLER, SERVER1, SERVER2 -filepath 'E:\Filterlogs.ps1'
So it works fine on the backupDC and the files are created on my primaryDC E:\ drive but it fails on SERVER1, SERVER2 etc...
I have run the following commands (as admin) on all machines:
Set-Executionpolicy unrestricted
Enable-PSRemoting -Force
Thoughts?
All replies (18)
Wednesday, November 28, 2012 11:52 PM ✅Answered
Sorry, but it still sounds like a double hop problem.
The enter-pssession test failure, then running the same script locally with success proves it.
I can reproduce that error in my environment the same way.
Next step would be to follow the instructions for setting up CREDSSP from the link I posted previously.
Or... create the logfiles on the remote machines then get the script to copy them to their final destination.
Or... Get-WinEvent has a -computername parameter, which indicates you can run this against all your machines without psremoting.
Get-WinEvent -Logname Application -ComputerName $computer |Where-Object{$_.Level -eq "2"} | Format-List > "E:\ApplicationLog_ERRORS_$computer.txt"
Admiral Ackbar says...
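The third option from this answer, written out as an added example (not code from the thread): the collecting machine queries each server with Get-WinEvent -ComputerName and writes to its own local E:\ drive, so no remote session has to reach back to a share and no credential delegation is needed. The server names, output folder and 24-hour window are assumptions.

```powershell
# Added example. Server names and the output folder are placeholders taken from the thread.
$servers   = 'DCSERVER2', 'FILESERVER1'
$outputDir = 'E:\'                               # local path on the collecting machine
$logs      = 'Application', 'System'
$levels    = @{ 2 = 'ERRORS'; 3 = 'WARNINGS' }   # event Level values used in the thread
$since     = (Get-Date).AddDays(-1)              # assumption: daily review window

foreach ($computer in $servers) {
    foreach ($log in $logs) {
        foreach ($level in $levels.Keys) {
            $name    = '{0}Log_{1}_{2}.txt' -f $log, $levels[$level], $computer
            $outFile = Join-Path $outputDir $name
            try {
                # The filter is evaluated by the event log service on the remote
                # machine, so only matching events cross the network.
                Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
                        LogName = $log; Level = $level; StartTime = $since } |
                    Format-List |
                    Out-File -FilePath $outFile
            }
            catch {
                # Unreachable host, access denied, or no matching events:
                # record the reason in the file and continue with the next query.
                '{0}: {1}' -f $computer, $_.Exception.Message | Out-File -FilePath $outFile
            }
        }
    }
}
```

Get-WinEvent -ComputerName connects with the caller's own logon, so the account running the script needs permission to read the remote event logs.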
Tuesday, November 27, 2012 6:47 PM
Well first off the $ has a special meaning in powershell, so if you are using paths like \servername\c$\somefolder, you will fail, you need to escape the $ with a back tick ` so your UNC path should be \servername\e`$\file.txt
If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful.
Tuesday, November 27, 2012 6:55 PM
Interesting I will try that and let you know.
That begs another question, how come it works as E$ right now?
Tuesday, November 27, 2012 7:05 PM
Sounds like a 'double-hop' issue... the scripting guys recently did an article on it...
A full explanation and fix can be found at the link.
Admiral Ackbar says...
Tuesday, November 27, 2012 7:11 PM
Will check that out, I did stumble across a similar article on CREDSSP Doublehop but I wasn't sure if that applied to me because I'm not going through 3 computers just two. Script on server1 runs a remote script on server2 that writes a text file back to server 1.
But hey I'm new at this...will tinker.
Tuesday, November 27, 2012 7:15 PM
FYI using a single tick ( E'$ ) on the E$ portion of the code completely breaks the script and it won't even run local.
Says the network name could not be found.
Tuesday, November 27, 2012 7:55 PM
Will check that out, I did stumble across a similar article on CREDSSP Doublehop but I wasn't sure if that applied to me because I'm not going through 3 computers just two. Script on server1 runs a remote script on server2 that writes a text file back to server 1.
But hey I'm new at this...will tinker.
I think the 'double-hop' issue still applies because you're trying to use the same credentials to access a third location that requires credentials (even though it's on the originating computer)
Because you're using the credentials you ran the script with to access one computer, those credentials cannot be used again.
Admiral Ackbar says...
Wednesday, November 28, 2012 3:35 AM
it works because the "$" is followed by a character that is not a legal variable name character, "\. And/or it is single-quoted or used in a context where it need not be quoted.
Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.
Wednesday, November 28, 2012 3:38 AM
probably because it was not contained in a double-quoted string. We can't really say what might be wrong with a snippet of script without actually seeing it.
Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.
Wednesday, November 28, 2012 10:26 PM
$computer = gc env:computername
Get-WinEvent -Logname Application|Where-Object{$_.Level -eq "2"} | Format-List > "\\DCSERVER1\E$\ApplicationLog_ERRORS_$computer.txt"
Get-WinEvent -Logname Application|Where-Object{$_.Level -eq "3"} | Format-List > "\\DCSERVER1\E$\ApplicationLog_WARNINGS_$computer.txt"
Get-WinEvent -Logname System|Where-Object{$_.Level -eq "2"} | Format-List > "\\DCSERVER1\E$\SystemLog_ERRORS_$computer.txt"
Get-WinEvent -Logname System|Where-Object{$_.Level -eq "3"} | Format-List > "\\DCSERVER1\E$\SystemLog_WARNINGS_$computer.txt"
That dumps warnings/errors into a text file on the domain controller via UNC path. It works fine via scheduled task if I copy this script local to every server.
Wednesday, November 28, 2012 10:30 PM
invoke-command -computername DCSERVER2, FILESERVER1, FILSERVER2 -filepath 'E:\Event Log Scripts\FilteredLogs.ps1'
This is the script that doesn't work, except when accessing the backup domain controller. This script resides on the primary domain controller and is run locally, that's why it's E:\ instead of a UNC path. I want it to reach out to all my servers and collect logs.
Even if I reduce the server list to say FILESERVER1 and nothing else it doesn't work, but it DOES work accessing DCSERVER2 and only it. I find that odd that it works on domain controllers and not member servers. Surely if it was a "doublehop" issue it should fail every time no matter what right?
Wednesday, November 28, 2012 10:41 PM
"Surely if it was a "doublehop" issue it should fail every time no matter what right?"
Fair enough. Can you successfully enter a pssession on the failing servers?
enter-pssession FILESERVER1
Are all your servers the same OS?
Are you running the invoke-command in a powershell session started by a domain admin?
Admiral Ackbar says...
Wednesday, November 28, 2012 11:00 PM
All servers are WINDOWS 2008R2 Enterprise
I can do a PSSESSION to the failing servers.
I am logged in as myself which is a domain admin account and I am running PowerShell by right clicking on it 'run as administrator'
I just tried rebooting the domain controllers to see if something was going on there, it didn't help. Time is also synced perfectly between servers and the DCs
Wednesday, November 28, 2012 11:26 PM
Try this from DCSERVER1...
enter-pssession FILESERVER1
Get-WinEvent -Logname Application|Where-Object{$_.Level -eq "2"} | Format-List > "\\DCSERVER1\E$\ApplicationLog_ERRORS_FILESERVER1.txt"
does that produce the same error?
Admiral Ackbar says...
Wednesday, November 28, 2012 11:31 PM
Yes, same error.
If I take that same snippet of code and log into FILESERVER1 and execute it there is no issue and it creates the text file on DCSERVER1 as expected.
I also tried creating a folder sharing it out to the world (and I do mean to the world with crazy wide open permissions no one in their right mind would ever do) and I still get the access denied message to member servers.
Thursday, November 29, 2012 12:37 PM
Excellent I will try modifying the Get-WinEvent function.
Will let you know how it goes, again much appreciated for the assistance so far!
Thursday, November 29, 2012 1:07 PM
Thank you Riffy!
Using the -Computername flag on Get-WinEvent worked perfectly! I can now remotely collect all the logs by only running the script off my domain controller. Logs get dumped via UNC path to my domain controller for easy daily reviews.
I'm embarrassed how easy it turned out to be..but hey this is my first attempt at powershell!
Cheers!
Thursday, November 29, 2012 5:43 PM
I'm glad you found a solution that works for you!
Admiral Ackbar says...