Management With PowerShell

How to Enable PSRemoting when SPN values are missing by markdmac
Posted: 19 Jan 15

While working on a project to automate the removal of SCOM 2007 agents in preparation for 2012 agent installations, we encountered a problem whereby several servers were not configured for PSRemoting. WSMan QuickConfig and Enable-PSRemoting would both fail on just a few of our 2008R2 or 2012 servers. After a little investigation we discovered that SPN records were missing.

Servers should have four SPN records that would look like this:

servername http/servername
servername https/servername
servername http/servername.domain.com
servername https/servername.domain.com

In checking how the SETSPN utility works, I found that if you try to add an entry that already exists, SETSPN simply ignores it. That was good news for me, since I really didn't know which servers were messed up (we have several hundred). I wrote the following script, which we push out and execute via GPO; it adds the needed SPN records if they are missing, then enables PSRemoting. The script also checks whether it is being run elevated (required to enable PSRemoting) and, if not, relaunches itself elevated as admin.

The script automatically pulls both machine name and domain name, so no modification should be needed.
Note that the script verifies that the server it is executing on is running Server 2008 or higher. SETSPN does not exist on 2003 servers.

CODE -->

#==========================================================================
#
# Script: FixSPN-EnablePSRemoting.ps1
#
# AUTHOR:  Mark D. MacLachlan, The Spider's Parlor 
# Date: 01/19/2015 11:13:49
#
#    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
#    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
#    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
#    PARTICULAR PURPOSE.
#
#    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS 
#    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
#    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
#    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
#    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
#    OF THIS CODE OR INFORMATION.
#
#
# COMMENT: Adds SPN records needed to enable PS Remoting
#   
#
#==========================================================================

# $ErrorActionPreference is the preference variable PowerShell actually honors
$ErrorActionPreference = "SilentlyContinue"

function Use-RunAs 
{    
    # Check if script is running as Administrator and if not use RunAs 
    # Use Check Switch to check if admin 
     
    param([Switch]$Check) 
     
    $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") 
         
    if ($Check) { return $IsAdmin }     
 
    if ($MyInvocation.ScriptName -ne "") 
    {  
        if (-not $IsAdmin)  
        {  
            try 
            {  
                $arg = "-file `"$($MyInvocation.ScriptName)`"" 
                Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList $arg -ErrorAction 'stop'  
            } 
            catch 
            { 
                Write-Warning "Error - Failed to restart script with runas"  
                break               
            } 
            exit # Quit this session of powershell 
        }  
    }  
    else  
    {  
        Write-Warning "Error - Script must be saved as a .ps1 file first"  
        break  
    }  
} 
 
Use-RunAs 

#Get OS version and verify 2008+ (major version 6 or higher; SETSPN does not exist on 2003)
$OS = [Environment]::OSVersion.Version
If ($OS.Major -ge 6) {
    #Get PC name and domain info
    $Computer = $Env:ComputerName
    $Domain = (Get-WmiObject Win32_ComputerSystem).Domain
    #Add our needed SPN records. SETSPN is called directly rather than through
    #Invoke-Expression, so the names are passed as plain arguments and are never
    #re-parsed as PowerShell code in this elevated session.
    setspn.exe -A "http/$Computer.$Domain" $Computer
    setspn.exe -A "http/$Computer" $Computer
    setspn.exe -A "https/$Computer.$Domain" $Computer
    setspn.exe -A "https/$Computer" $Computer
}
#Enable PSRemoting, use Force to prevent confirmation
Enable-PSRemoting -Force
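
An audit-only check for the four records listed above, added here as an example and not part of the author's script: it parses `setspn -L` output and returns the expected SPNs that are absent, so you can see which servers the fix would actually change. The function names, SRV01, example.com and the sample output are constructed assumptions.

```powershell
# Added example (not from the original script). Names and sample data are constructed.
function Get-ExpectedRemotingSpn {
    param([string]$Computer, [string]$Domain)
    # The four records the FAQ lists: short and fully qualified, http and https
    foreach ($scheme in 'http', 'https') {
        "$scheme/$Computer"
        "$scheme/$Computer.$Domain"
    }
}

function Get-MissingRemotingSpn {
    param(
        [Parameter(Mandatory = $true)][string]$Computer,
        [Parameter(Mandatory = $true)][string]$Domain,
        # Lines of `setspn -L <computer>` output; queried live when omitted
        [string[]]$SetSpnOutput
    )
    if (-not $SetSpnOutput) { $SetSpnOutput = & setspn.exe -L $Computer }

    # SPN lines are indented under the "Registered ServicePrincipalNames" header
    $registered = @($SetSpnOutput | Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() })

    # -notcontains is case-insensitive, and SPN matching is case-insensitive too
    Get-ExpectedRemotingSpn -Computer $Computer -Domain $Domain |
        Where-Object { $registered -notcontains $_ }
}

# Constructed sample of `setspn -L SRV01` output, so the check runs offline
$sample = @(
    'Registered ServicePrincipalNames for CN=SRV01,OU=Servers,DC=example,DC=com:'
    "`tHOST/SRV01"
    "`tHOST/SRV01.example.com"
    "`tHTTP/SRV01"
    "`thttps/SRV01.example.com"
)

$missing = @(Get-MissingRemotingSpn -Computer 'SRV01' -Domain 'example.com' -SetSpnOutput $sample)
if ($missing.Count -gt 0) {
    Write-Warning "SRV01 is missing SPNs: $($missing -join ', ')"
} else {
    Write-Output 'SRV01 has all four expected SPNs'
}
```

An empty result means all four records exist. `setspn -X` separately reports duplicate SPNs in the domain, which break Kerberos authentication for the affected service.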
