TOPIC
    about_Remote_Troubleshooting

SHORT DESCRIPTION
    Describes how to troubleshoot remote operations in Windows PowerShell.

LONG DESCRIPTION
    This section describes some of the problems that you might encounter
    when using the remoting features of Windows PowerShell that are based
    on WS-Management technology, and it suggests solutions to these
    problems.

    Before using Windows PowerShell remoting, see about_Remote and
    about_Remote_Requirements for guidance on configuration and basic use.
    Also, the Help topics for each of the remoting cmdlets, particularly
    the parameter descriptions, have useful information that is designed
    to help you avoid problems.

    Updated versions of this topic, and other Windows PowerShell help
    topics, can be found online in the Microsoft TechNet Library. To see
    the online version of this help topic, paste the following URL in your
    Internet browser:

        http://go.microsoft.com/fwlink/?LinkID=135188

    NOTE: On Windows Vista, Windows Server 2008, and later versions of
          Windows, to view or change settings for the local computer in
          the WSMan: drive, including changes to the session
          configurations, trusted hosts, ports, or listeners, start
          Windows PowerShell with the "Run as administrator" option.

 TROUBLESHOOTING PERMISSION AND AUTHENTICATION ISSUES

    This section discusses remoting problems that are related to user and
    computer permissions and remoting requirements.

    HOW TO RUN AS ADMINISTRATOR
    ---------------------------
        ERROR:  Access is denied. You need to run this cmdlet from an
        elevated process.

        To start a remote session on the local computer, or to view or
        change settings for the local computer in the WSMan: drive,
        including changes to the session configurations, trusted hosts,
        ports, or listeners, start Windows PowerShell with the
        "Run as administrator" option.

        To start Windows PowerShell with the "Run as administrator"
        option:

        -- Right-click a Windows PowerShell (or Windows PowerShell ISE)
           icon and then click "Run as administrator."

        To start Windows PowerShell with the "Run as administrator"
        option in Windows 7 and Windows Server 2008 R2:

        -- In the Windows taskbar, right-click the Windows PowerShell
           icon, and then click "Run Windows PowerShell as admin."

        Note: In Windows Server 2008 R2, the Windows PowerShell icon is
              pinned to the taskbar by default.

    HOW TO ENABLE REMOTING
    ----------------------
        ERROR:  ACCESS IS DENIED
        - or -
        ERROR:  The connection to the remote host was refused. Verify
        that the WS-Management service is running on the remote host and
        configured to listen for requests on the correct port and HTTP
        URL.

        No configuration is required to enable a computer to send remote
        commands. However, to receive remote commands, the computer must
        be configured for remoting. The configuration includes starting
        the WinRM service, setting the startup type for the WinRM service
        to Automatic, creating listeners for HTTP and HTTPS connections,
        and creating default session configurations.

        To configure a computer to receive remote commands, use the
        Enable-PSRemoting cmdlet. The following command enables all
        required remote settings, enables the session configurations, and
        restarts the WinRM service to make the changes effective.

            enable-psremoting

        To suppress all user prompts, type:

            enable-psremoting -force

        For more information, see Enable-PSRemoting.

    HOW TO ENABLE REMOTING IN AN ENTERPRISE
    ---------------------------------------
        ERROR:  ACCESS IS DENIED
        - or -
        ERROR:  The connection to the remote host was refused. Verify
        that the WS-Management service is running on the remote host and
        configured to listen for requests on the correct port and HTTP
        URL.

        To enable a single computer to receive remote Windows PowerShell
        commands and accept connections, use the Enable-PSRemoting
        cmdlet.

        To enable remoting for multiple computers in an enterprise, you
        can use the following scaled options.

        -- To configure listeners for remoting, enable the "Allow
           automatic configuration of listeners" group policy.
           For instructions, see "How to Enable Listeners by Using a
           Group Policy" (below).

        -- To set the startup type of the Windows Remote Management
           (WinRM) service to Automatic on multiple computers, use the
           Set-Service cmdlet. For instructions, see "How to Set the
           Startup Type of the WinRM Service" (below).

        -- To enable a firewall exception, use the "Windows Firewall:
           Allow Local Port Exceptions" group policy. For instructions,
           see "How to Create a Firewall Exception by Using a Group
           Policy" (below).

    HOW TO ENABLE LISTENERS BY USING A GROUP POLICY
    ------------------------------------------------
        ERROR:  ACCESS IS DENIED
        - or -
        ERROR:  The connection to the remote host was refused. Verify
        that the WS-Management service is running on the remote host and
        configured to listen for requests on the correct port and HTTP
        URL.

        To configure the listeners for all computers in a domain, enable
        the "Allow automatic configuration of listeners" policy in the
        following Group Policy path:

            Computer Configuration\Administrative Templates\Windows Components
                \Windows Remote Management (WinRM)\WinRM service

        Enable the policy and specify the IPv4 and IPv6 filters.
        Wildcards (*) are permitted.

    HOW TO ENABLE A FIREWALL EXCEPTION BY USING A GROUP POLICY
    ----------------------------------------------------------
        ERROR:  ACCESS IS DENIED
        - or -
        ERROR:  The connection to the remote host was refused. Verify
        that the WS-Management service is running on the remote host and
        configured to listen for requests on the correct port and HTTP
        URL.

        To enable a firewall exception for all computers in a domain,
        enable the "Windows Firewall: Allow local port exceptions" policy
        in the following Group Policy path:

            Computer Configuration\Administrative Templates\Network
                \Network Connections\Windows Firewall\Domain Profile

        This policy allows members of the Administrators group on the
        computer to use Windows Firewall in Control Panel to create a
        firewall exception for the Windows Remote Management service.

    HOW TO SET THE STARTUP TYPE OF THE WINRM SERVICE
    ------------------------------------------------
        ERROR:  ACCESS IS DENIED

        Windows PowerShell remoting depends upon the Windows Remote
        Management (WinRM) service. The service must be running to
        support remote commands.

        On Windows Server 2003, Windows Server 2008, and Windows Server
        2008 R2, the startup type of the Windows Remote Management
        (WinRM) service is Automatic.

        However, on Windows XP, Windows Vista, and Windows 7, the WinRM
        service is disabled by default.

        To set the startup type of a service on a remote computer, use
        the Set-Service cmdlet.

        To run the command on multiple computers, you can create a text
        file or CSV file of the computer names.

        For example, the following commands get a list of computer names
        from the Servers.txt file and then set the startup type of the
        WinRM service on all of the computers to Automatic.

            C:\PS> $servers = get-content servers.txt

            C:\PS> set-service WinRM -computername $servers -startuptype Automatic

        To see the results, use the Get-WMIObject cmdlet with the
        Win32_Service object. For more information, see Set-Service.

    HOW TO RECREATE THE DEFAULT SESSION CONFIGURATIONS
    --------------------------------------------------
        ERROR:  ACCESS IS DENIED

        To connect to the local computer and run commands remotely, the
        local computer must include session configurations for remote
        commands.

        When you use Enable-PSRemoting, it creates default session
        configurations on the local computer. Remote users use these
        session configurations whenever a remote command does not include
        the ConfigurationName parameter.

        If the default configurations on a computer are unregistered or
        deleted, use the Enable-PSRemoting cmdlet to recreate them. You
        can use this cmdlet repeatedly. It does not generate errors if a
        feature is already configured.

        If you change the default session configurations and want to
        restore the original default session configurations, use the
        Unregister-PSSessionConfiguration cmdlet to delete the changed
        session configurations and then use the Enable-PSRemoting cmdlet
        to restore them. Enable-PSRemoting does not change existing
        session configurations.

        Note: When Enable-PSRemoting restores the default session
              configuration, it does not create explicit security
              descriptors for the configurations. Instead, the
              configurations inherit the security descriptor of the
              RootSDDL, which is secure by default.

        To see the RootSDDL security descriptor, type:

            get-item wsman:\localhost\Service\RootSDDL

        To change the RootSDDL, use the Set-Item cmdlet in the WSMan:
        drive. To change the security descriptor of a session
        configuration, use the Set-PSSessionConfiguration cmdlet with the
        SecurityDescriptorSDDL or ShowSecurityDescriptorUI parameters.

        For more information about the WSMan:...
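
An added example (not part of the original help topic) that lists which accounts the RootSDDL and any explicit session-configuration descriptors grant or deny, so that a changed descriptor is visible before and after the defaults are restored. The function name ConvertFrom-RemotingSddl is hypothetical; the example assumes an elevated session and that a configuration with its own descriptor exposes it in the SecurityDescriptorSddl property.

```powershell
# Added example, not from the original help topic.
# Run from an elevated Windows PowerShell session on the computer being audited.

function ConvertFrom-RemotingSddl {   # hypothetical helper name
    param([string]$Source, [string]$Sddl)

    # Parse the SDDL string into a security descriptor object.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            $account = $sid.Value   # SID that cannot be resolved on this computer
        }
        New-Object PSObject -Property @{
            Source     = $Source
            Account    = $account
            AceType    = $ace.AceQualifier              # AccessAllowed or AccessDenied
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

# Descriptor that session configurations inherit when they have none of their own.
$root   = (Get-Item WSMan:\localhost\Service\RootSDDL).Value
$report = @(ConvertFrom-RemotingSddl -Source 'RootSDDL' -Sddl $root)

foreach ($config in Get-PSSessionConfiguration) {
    if ($config.SecurityDescriptorSddl) {
        # Explicit descriptor: this configuration no longer follows the RootSDDL.
        $report += ConvertFrom-RemotingSddl -Source $config.Name -Sddl $config.SecurityDescriptorSddl
    }
    else {
        Write-Host "$($config.Name): no explicit descriptor, inherits RootSDDL"
    }
}

$report | Sort-Object Source, Account |
    Format-Table Source, Account, AceType, AccessMask -AutoSize
```

Any row whose Source is a configuration name rather than RootSDDL marks a configuration that Set-PSSessionConfiguration or the descriptor UI has changed, which is the case the Unregister-PSSessionConfiguration and Enable-PSRemoting sequence above resets.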
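
For the Get-WMIObject check mentioned under HOW TO SET THE STARTUP TYPE OF THE WINRM SERVICE, an added example (not part of the original help topic) that reports every computer in servers.txt where WinRM is not Automatic, is not running, or could not be queried. It assumes the same servers.txt file used with Set-Service and that the caller has WMI access to those computers.

```powershell
# Added example, not from the original help topic.
# servers.txt is the same list of computer names passed to Set-Service.
$servers = Get-Content servers.txt

$results = foreach ($server in $servers) {
    try {
        $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'" `
                   -ComputerName $server -ErrorAction Stop
        New-Object PSObject -Property @{
            Computer  = $server
            StartMode = $svc.StartMode   # Auto, Manual, or Disabled
            State     = $svc.State       # Running, Stopped, ...
            Error     = $null
        }
    }
    catch {
        # Unreachable host or access denied: record it instead of skipping it.
        New-Object PSObject -Property @{
            Computer  = $server
            StartMode = $null
            State     = $null
            Error     = $_.Exception.Message
        }
    }
}

# Computers that still need attention.
$results | Where-Object { $_.StartMode -ne 'Auto' -or $_.State -ne 'Running' } |
    Format-Table Computer, StartMode, State, Error -AutoSize
```

Setting the startup type to Automatic does not start a stopped service, so a computer can show StartMode Auto with State Stopped until the service is started or the computer restarts.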