Remote management: WinRM, Enter-PSSession


wmimgmt.msc: opens the Windows Management Instrumentation (WMI) console

Enabling PowerShell remoting:
1) On the local computer (the one that will manage the remote computer), run Set-Item WSMan:\localhost\Client\TrustedHosts -Value * to add to the TrustedHosts list
2) On the remote computer (the one that will be managed), run Enable-PSRemoting -Force
=======================================================

$s = "hello"
# Run a script block on the remote host; the local variable is passed in through -ArgumentList.
# The parentheses make the concatenation happen before Write-Host receives its argument;
# without them Write-Host prints the literal text "hello+abc".
Invoke-Command -ComputerName 192.168.12.99 -Credential administrator -ScriptBlock { param($s) Write-Host ($s + "abc") } -ArgumentList $s

 

Enable-PSremoting
Disable-PSremoting

To enable PS remoting, the network location must not be set to Public, because the Windows Firewall exception cannot be enabled while the network location is Public.

 

Check whether the WinRM service is running on a remote server:

Test-WSMan -ComputerName server01
Test-WSMan -Authentication default
This command is equivalent to winrm id -remote:server01,
except that it does not return the OS version

Check whether the WinRM service is running on the local computer; with the -Authentication parameter the OS version number is also returned
Test-WSMan -Authentication default

Check whether the WinRM service is running on the local computer
Test-WSMan

 

The Test-WSMan cmdlet submits an identification request to determine whether the WinRM service is running on the local computer or on a remote computer. If the tested computer is running the service, the cmdlet displays the WS-Management identity schema, the protocol version, the product vendor and the product version of the tested service.
Test with the -Authentication parameter to find out whether the WS-Management (WinRM) service is running on the local computer. The -Authentication parameter allows the Test-WSMan cmdlet to return the operating system version.

If Enable-PSRemoting has never been run, running Test-WSMan reports an error
Running Enter-PSSession localhost reports an error if PS remoting is not enabled


=================================================================

View the TrustedHosts list
Get-ChildItem WSMan:\localhost\Client\TrustedHosts

To append to the TrustedHosts list (computer names and IP addresses can be added together), do the following:
$a = (Get-ChildItem WSMan:\localhost\Client\TrustedHosts).Value
# Avoid a leading comma when the list is currently empty
$m = if ($a) { "$a,win9" } else { "win9" }
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $m


Adding to the TrustedHosts list
Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "server1,server2"
Set-Item WSMan:\localhost\Client\TrustedHosts -Value *.testj.com

To connect to a remote computer by IP address, the remote IP must be added to the TrustedHosts list of the computer that initiates the connection; if the list is already *, no change is needed
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.12.1,win2012.testj.com"

When connecting to a remote computer by IP address, credentials must be supplied explicitly, even when the current credentials are to be used, like this:
Enter-PSSession 192.168.12.99 -Credential administrator
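An added example (not part of the original notes) that appends a single TrustedHosts entry without clobbering the existing list, using the -Concatenate switch of Set-Item, and refuses to hide a wildcard that already trusts every host; the host names and IP are constructed placeholders.

```powershell
# Added example: idempotently add one entry to the local WinRM client's
# TrustedHosts list. Requires an elevated PowerShell session on the client.
function Add-TrustedHostEntry {
    param(
        [Parameter(Mandatory)][string]$Entry   # host name, FQDN, IP, or a pattern such as *.testj.com
    )
    $path = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item $path).Value

    # '*' already trusts every host; adding entries would change nothing and
    # only obscure the fact that server identity checking is effectively off.
    if ($current -eq '*') {
        Write-Warning "TrustedHosts is '*' (every host trusted); nothing added."
        return $current
    }

    $entries = @()
    if ($current) { $entries = $current -split ',' | ForEach-Object { $_.Trim() } }
    if ($entries -contains $Entry) {
        Write-Verbose "'$Entry' is already in TrustedHosts."
        return $current
    }

    # -Concatenate appends to the list instead of replacing it (plain -Value replaces).
    Set-Item $path -Value $Entry -Concatenate -Force
    return (Get-Item $path).Value
}

# Usage with constructed values; replace them with your own hosts.
Add-TrustedHostEntry -Entry '192.168.12.99'
Add-TrustedHostEntry -Entry 'win2012.testj.com'
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Name, Value
```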

 

Get: winrm get winrm/config
Set: winrm set (abbreviated winrm s), see the examples below

winrm g winrm/config
By default, the client computer requires network traffic to be encrypted. To allow the client computer to request unencrypted traffic, run:
winrm s winrm/config/Client @{AllowUnencrypted="true"}      # run on Windows 2008 R2
winrm s winrm/config/Client '@{AllowUnencrypted="true"}'    # run on Windows 10 (quoted so that PowerShell does not parse the hashtable itself)
TrustedHosts is an array that specifies the list of trusted remote computers. Other computers in the same workgroup, or computers in a different domain, should be added to this list.
Note: computers in the TrustedHosts list are not authenticated.
Run the following command to put all computers in TrustedHosts.
winrm s winrm/config/Client @{TrustedHosts="*"}
Basic authentication is a scheme that sends the user name and password to the server or proxy in clear text. It is the least secure authentication method. The default value is True.
Run the following command to set the client computer to use Basic authentication:
winrm s winrm/config/Client/Auth @{Basic="true"}
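An added example (not from the original notes) that reads the same settings the winrm commands above change, through the WSMan: drive, and reports which ones weaken transport or credential security; the "safe" values are the defaults described in the text, and the WSMan paths are the standard client and service settings.

```powershell
# Added example: audit WinRM client/service settings for weak values.
# Run in an elevated PowerShell session on the machine being checked.
function Get-WinRMWeakSettings {
    # Each row: WSMan path, the value considered safe, and why the other value matters.
    $checks = @(
        @{ Path = 'WSMan:\localhost\Client\AllowUnencrypted';  Safe = 'false'; Why = 'client may send traffic in clear text' }
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Safe = 'false'; Why = 'service accepts clear-text traffic' }
        @{ Path = 'WSMan:\localhost\Client\Auth\Basic';        Safe = 'false'; Why = 'client allowed to use Basic (password sent to server); default is true' }
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic';       Safe = 'false'; Why = 'service accepts password-bearing Basic auth' }
    )
    foreach ($c in $checks) {
        $value = (Get-Item $c.Path).Value          # provider returns 'true'/'false' strings
        [pscustomobject]@{
            Setting = $c.Path
            Value   = $value
            Weak    = ($value -ne $c.Safe)
            Reason  = $c.Why
        }
    }
    # TrustedHosts is a list, not a boolean: '*' means credentials may be sent to any
    # host without verifying its identity (non-Kerberos authentication).
    $trusted = (Get-Item 'WSMan:\localhost\Client\TrustedHosts').Value
    [pscustomobject]@{
        Setting = 'WSMan:\localhost\Client\TrustedHosts'
        Value   = $trusted
        Weak    = ($trusted -eq '*')
        Reason  = 'wildcard trusts every host'
    }
}

# Show only the settings that need attention.
Get-WinRMWeakSettings | Where-Object Weak | Format-Table Setting, Value, Reason -AutoSize

# Counterparts to the winrm commands above that restore the safe values
# (run them only after confirming nothing relies on the weak setting):
# Set-Item WSMan:\localhost\Client\AllowUnencrypted  -Value false
# Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value false
# Set-Item WSMan:\localhost\Client\Auth\Basic        -Value false
```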

 


Using remote management in a mixed-domain environment
By default, a user from a different domain cannot connect to a host in another domain, even as a member of the local Administrators group, because a remote connection from another domain runs only with the rights of a standalone user. To let hosts from a different domain connect to the local computer, change the LocalAccountTokenFilterPolicy registry value (set it to 1), which allows members of other domains onto the local computer. If Enable-PSRemoting has been run, this value is already set to 1, and it stays 1 after Disable-PSRemoting is run:
New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType DWord -Value 1

Note: when running Enable-PSRemoting -Force as Administrator on the local machine, if it reports "Access is denied", try changing the registry value above and restarting the WinRM service (since the computer was not rebooted, I am not sure whether this works; the problem is not yet solved, 2014.7.31)
====================================================================================================


Disabling remote management

Disable-PSRemoting can be used to disable remoting on the local host. Disable-PSRemoting disables the session configurations, but this does not remove all of the configuration created by Enable-PSRemoting, including the enabled state of WinRM and the listener created for PS remoting.

If no service or component on the machine needs the WinRM service, it can be disabled with the following commands:

Set-Service winrm -StartupType Manual

Stop-Service winrm

To remove the listener that WinRM sets up on port 5985 by default, run the following command:

# Enumerate the listener containers only (not their child properties) and remove the one on port 5985
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { (Get-Item "$($_.PSPath)\Port").Value -eq 5985 } |
    Remove-Item -Recurse

 

====================================================================================================

By default, WinRM enables only the HTTP transport for receiving remote requests. The HTTPS transport can be enabled manually with the winrm command or the New-WSManInstance cmdlet.


By default, PowerShell remoting uses ports 5985 (HTTP) and 5986 (HTTPS). The port number can be changed with the Set-Item cmdlet on WSMan:\localhost\Listener\listener*\port; note that this changes the port of every WinRM listener on the system.
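An added example (not from the original notes) of enabling the HTTPS transport on port 5986 with New-WSManInstance, so that remoting traffic is protected by TLS instead of relying on the HTTP listener alone; the host name is a constructed placeholder and the self-signed certificate is a lab substitute for one issued by your CA.

```powershell
# Added example: create a WinRM HTTPS listener. Run in an elevated session
# on the server (Windows 8 / Server 2012 or later for the cmdlets used).
$fqdn = 'win2012.testj.com'   # placeholder: must match the name clients connect to

# 1. A server certificate whose subject matches the host name.
#    Self-signed here for a lab; use a CA-issued certificate in production.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation Cert:\LocalMachine\My

# 2. Create the HTTPS listener on all addresses, bound to that certificate.
New-WSManInstance -ResourceURI 'winrm/config/Listener' `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint }

# 3. Enable-PSRemoting opens the firewall for HTTP only; allow 5986 explicitly
#    (domain and private profiles, matching the HTTP rule's scope).
New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -Action Allow -Profile Domain,Private

# 4. Verify: both listeners should now be listed, the HTTPS one with the thumbprint.
winrm enumerate winrm/config/listener

# Client side: connect over TLS; a self-signed certificate needs -SkipCACheck in a lab.
# $opt = New-PSSessionOption -SkipCACheck
# Enter-PSSession -ComputerName $fqdn -UseSSL -Credential administrator -SessionOption $opt
```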


Client remote management can be enabled through Group Policy

Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile

=====================================

Enable-PSRemoting = Set-WSManQuickConfig = winrm quickconfig

Running Enable-PSRemoting shows the following prompt:
WinRM 快速配置
正在運行命令“Set-WSManQuickConfig”,以便通過 Windows 遠程管理(WinRM)服務對該計算機進行遠程管理。
其中包括:
1. 啟動或重新啟動(如果已啟動) WinRM 服務
2. 將 WinRM 服務啟動類型設置為“自動”
3. 創建偵聽程序以接受任意 IP 地址上的請求
4. 為 WS-Management 通信啟用 Windows 防火牆入站規則例外(僅適用於 http)。

Running winrm quickconfig shows the following prompt:
執行配置操作以使此計算機能夠進行遠程管理。
其中包括:
1. 啟動 WinRM 服務
2. 將 WinRM 服務類型設置為自動啟動
3. 創建偵聽程序以接受任意 IP 地址上的請求
4. 為 WS-Management 通信啟用防火牆例外(僅適用於 http)

 

View the specific IP addresses WinRM is listening on:

winrm enumerate winrm/config/listener

=====================================================================================================

Running "Enable-PSRemoting", "winrm quickconfig" or "Set-WSManQuickConfig" as Administrator on the local server all report "Access is denied"; possible causes are:

1. On a workgroup computer, check the local security policy: secpol.msc > Local Policies > Security Options > Network Access: Sharing and security model for local accounts, and change it to Classic

2. Change the registry: Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord

3. Confirm that the WinRM service is running, that the Windows Firewall service is running, and that the network location is not "Public" (on Windows Server 2008 it makes no difference whether it is "Public"; on Win7 it can be changed back)

4. Check whether telnet localhost 47001 can connect

5. Check whether running winrm get winrm/config reports "Access is denied"

6. The Administrator password must not be empty

The method that finally worked on Windows Server 2008:

runas /user:administrator powershell, then in the newly opened PowerShell window run Enable-PSRemoting -Force again, which succeeded
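An added example (not from the original notes) that runs the checklist above as one local diagnostic and returns a row per check; the registry values and port 47001 are the ones named in the list, the service name MpsSvc is the Windows Firewall service, and the empty-password check is not automated.

```powershell
# Added example: local prerequisite checks for the "Access is denied" case.
# Run in an elevated session; Get-NetConnectionProfile and Test-NetConnection
# need Windows 8.1 / Server 2012 R2 or later.
function Test-PSRemotingPrerequisites {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'

    # Missing registry values read back as $null and are reported as not OK.
    $token      = (Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $forceGuest = (Get-ItemProperty -Path $lsaKey -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest
    $winrm      = Get-Service WinRM  -ErrorAction SilentlyContinue
    $firewall   = Get-Service MpsSvc -ErrorAction SilentlyContinue   # Windows Firewall service
    $publicNic  = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public'
    $port47001  = Test-NetConnection -ComputerName localhost -Port 47001 -WarningAction SilentlyContinue

    # winrm.cmd reports "Access is denied" (localized: 拒絕) when the caller lacks WSMan rights.
    $cfgText   = (& winrm get winrm/config 2>&1) | Out-String
    $cfgDenied = $cfgText -match 'denied|拒絕'

    @(
        [ordered]@{ Check = 'WinRM service running';            OK = ($winrm.Status -eq 'Running') }
        [ordered]@{ Check = 'Windows Firewall service running'; OK = ($firewall.Status -eq 'Running') }
        [ordered]@{ Check = 'No adapter on the Public profile'; OK = (-not $publicNic) }
        [ordered]@{ Check = 'Port 47001 reachable locally';     OK = [bool]$port47001.TcpTestSucceeded }
        [ordered]@{ Check = 'winrm get winrm/config allowed';   OK = (-not $cfgDenied) }
        [ordered]@{ Check = 'LocalAccountTokenFilterPolicy = 1'; OK = ($token -eq 1) }
        [ordered]@{ Check = 'ForceGuest = 0 (Classic model)';   OK = ($forceGuest -eq 0) }
    ) | ForEach-Object { [pscustomobject]$_ }
}

Test-PSRemotingPrerequisites | Format-Table -AutoSize
```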

 

===========================================================

http://blogs.msdn.com/b/wmi/archive/2009/07/24/powershell-remoting-between-two-workgroup-machines.aspx

  If you’re an IT Pro, PowerShell remoting is a great tool for doing quick, ad hoc management tasks on computers from the comfort of your own home or office.  However, before you can log into a machine, you have to make sure that it’s properly configured to grant you access – for safety’s sake, the default settings don’t allow remote access.  If the machine you’re trying to log into is in a Workgroup, which doesn’t have the same stringent security requirements and infrastructure of a typical Domain setting, you’ll have to modify a few additional settings in order to get this done.

  Below I’ve listed the steps required to configure two Workgroup machines so that you can remotely access one from the other using PowerShell.  The computer you’re sitting in front of is called the client machine, while the computer you’re trying to remotely access is called the server machine.

  First, configure the server machine to allow access.  To do this, open a PowerShell command prompt (be sure to run as Administrator) and run the following cmdlet:

Enable-PSRemoting –force

  If one of the network cards on your computer has the network connection type set to “Public” then the required port won’t be opened in your firewall settings.  If you’d rather not change your network connection type, you’ll have to manually configure your firewall to allow traffic through.  If you plan on connecting using a specific port, be sure to set your firewall rules appropriately.  If you’re just using the default ports, see this recent blog post to figure out which ports to open.

  Make sure that the password for your Administrator account is not empty!  If it is, you won’t be able to log in remotely.

  Now you’ll need to configure your client machine.  First you’ll have to enable WinRM local access so that you can modify the proper settings.  To do this, start the WinRM service and enable the local account token filter policy (see this Microsoft support article for details on this machine-wide policy).  Run these commands in an elevated PowerShell prompt:

Start-Service WinRM

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord

  Both of those steps are unnecessary if you’ve already run the Enable-PSRemoting cmdlet on your client machine.

  If you’re running on Windows XP, you also need to set the network access policy “Sharing and security model for local accounts” to Classic (see this Microsoft support article for more details):

Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name ForceGuest -Value 0

  Now that WinRM local access is enabled, you’ll need to add the name of your server machine to the TrustedHosts setting in the WinRM configuration, which enables your client machine to connect to your server machine using an authentication mechanism that does not authenticate the server (like Kerberos does):

Set-Item WSMan:\localhost\Client\TrustedHosts -Value <ServerMachineName> -Force

  Note: This command replaces any previous value that was stored in TrustedHosts!  If there is an existing list of servers and you don’t want to remove them, use the -Concatenate parameter:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value <ServerMachineName> -Force -Concatenate

  If you want to use your server machine’s IP address instead of its name, you must specify explicit credentials when you connect.

  A word of caution: by adding a server to the TrustedHosts list, you are allowing your credential information to be sent to a server without verifying its identity.  Only add a server to this list if you know that the network path from your client machine to the server machine is secure.

  You can now manage your server machine using PowerShell remoting!

  Just in case things don’t work out perfectly the first time, here are some useful commands to check on the relevant configuration settings.

  To check if the WinRM service is running:

Get-Service WinRM

  To check the version of WinRM that’s installed:

Test-WSMan -Auth default

  To check the remoting configuration for PowerShell:

Get-PSSessionConfiguration

  To verify that local WinRM access is working:

New-PSSession

  To check if the local account token filter policy is enabled (on Windows Vista and Windows Server 2008):

Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy*

  To check if the network access policy “Sharing and security model for local accounts” is set to Classic (on Windows XP):

Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name ForceGuest*

  To check the WinRM listener settings:

winrm enumerate winrm/config/listener

  For additional help and troubleshooting steps:

Get-Help about_remote_troubleshooting

