Using PowerShell Remoting for Interactive Remote Shells

Almost anytime I teach a class, I ask how many admins in the room use Remote Desktop as a primary means of managing their servers. I'm often depressed by the result - last time, two-thirds of the room raised their hand. And I'm not talking about admin tasks that require console access - stuff like setting the IP address, which I understand is pretty much impractical to do remotely through any other means. I'm talking about day-to-day stuff, like creating users in Active Directory. "Why," I moaned, "don't you just use the AD console on your local machine?"

Remote Desktop does put some additional overhead on your servers. After all, the server has to not only maintain a connection, but it also has to construct the entire graphical user environment, which takes up memory and CPU. Of course, most folks crank the user experience up to full, insisting on 24-bit color, the whole works. Sigh. One person's reasonable answer was "version mismatch." Many of their domain controllers are Win2008R2, and he couldn't get the R2 management tools running on his Windows XP workstation. Okay, fair enough - "but wouldn't you rather create and modify users from the command line?" I asked. "Of course!" they all said. This was a PowerShell class, after all! "But we can't install the AD module on our XP workstations, either!"

Ah, but who cares? One day, I hope we'll install few, if any, admin tools on our desktops. Let the admin tools live on the servers, and let administration become a service that the server provides. But you don't need Remote Desktop: You just need PowerShell Remoting, a much lighter-weight, lower-overhead way of remotely controlling a server. Any server, by the way, all the way back to Win2003. Just make sure PowerShell v2 is installed (it comes with 2008R2). Log onto the server console one last time and run Enable-PSRemoting - you could also configure this globally through a GPO, if you preferred.

Once that's done, you can get a remote shell anytime you like - it's very similar to something like SSH, although under the hood it works quite differently.

Enter-PSSession -computername Server-R2

Will connect you to the server named Server-R2. That Enable-PSRemoting should have configured and started the Windows Remote Management (WinRM) service, as well as put the appropriate exception into the Windows Firewall, if you have it enabled. Provided you and the server are in the same (or trusting) domains, and that you ran PowerShell as a Domain Admin, you should be good to go. PowerShell's prompt will even change to let you know you're on a remote machine:

[SERVER-R2] PS C:\>

Run whatever commands you like. You can import modules located on that server (like Import-Module ActiveDirectory) and use commands from those modules. When you're done, run:

Exit-PSSession

And you'll return home, close the connection, and be finished. GPO settings for "Windows Remote Shell" let you control the maximum number of connections a single admin can hold, amongst other settings, so you can finally control how much overhead you're willing to devote to remote administration. All of this works on any machine running PowerShell v2 - including Windows XP - and you only have to run Enable-PSRemoting on the machines that need to accept incoming connections (although being able to "SSH" into your client computers can be tremendously useful, and I see a lot of folks enabling remoting on all of their computers).
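Since Enable-PSRemoting and the "Windows Remote Shell" GPO settings decide what each machine accepts, it is worth reading the result back on every machine where remoting is turned on. The following is an added example, not code from the original article: the function names New-Finding and Get-RemotingPosture and the choice of what to mark for review are this example's own, and it assumes an elevated PowerShell session on the server with the WinRM service running.

```powershell
# Added example: read-only report of the remoting settings on the local machine.
# New-Finding and Get-RemotingPosture are hypothetical names used only here.
function New-Finding($Area, $Setting, $Value, [bool]$Review = $false) {
    New-Object PSObject -Property @{
        Area = $Area; Setting = $Setting; Value = $Value; Review = $Review
    }
}

function Get-RemotingPosture {
    # Listeners: transport, port and address that accept incoming sessions.
    foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $p = @{}
        Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)" |
            ForEach-Object { $p[$_.Name] = $_.Value }
        New-Finding 'Listener' $l.Name "$($p.Transport) port $($p.Port) on $($p.Address)"
    }

    # Authentication: Basic and CredSSP hand a reusable credential to the
    # server, so mark them for review when they are switched on.
    foreach ($a in Get-ChildItem WSMan:\localhost\Service\Auth) {
        $risky = ('Basic', 'CredSSP' -contains $a.Name) -and ($a.Value -eq 'true')
        New-Finding 'Auth' $a.Name $a.Value $risky
    }

    # Unencrypted traffic is refused unless this has been set to true.
    $u = Get-Item WSMan:\localhost\Service\AllowUnencrypted
    New-Finding 'Service' $u.Name $u.Value ($u.Value -eq 'true')

    # Shell limits: the values the "Windows Remote Shell" GPO settings control,
    # such as MaxShellsPerUser and IdleTimeout.
    foreach ($s in Get-ChildItem WSMan:\localhost\Shell) {
        New-Finding 'Shell' $s.Name $s.Value
    }

    # Session configurations: which accounts may connect to each endpoint.
    foreach ($c in Get-PSSessionConfiguration) {
        New-Finding 'Endpoint' $c.Name $c.Permission
    }
}

Get-RemotingPosture | Sort-Object Area, Setting |
    Format-Table Area, Setting, Value, Review -AutoSize
```

Rows with Review set to True are settings that differ from what Enable-PSRemoting configures by default; the Endpoint rows show whether anyone beyond the local Administrators group has been granted access.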

There's a lot more you can do with PowerShell remoting, but this is probably the simplest, most straightforward place to start. If you'd like to learn a bit more, hop over to http://www.windowsitpro.com/blogs/PowerShellwithaPurpose/tabid/2248/entryid/13059/Default.aspx, where until September 30, 2010, you can download a longer article on remoting, view a demo video, and even provide some feedback to help shape the book that this article will become a part of.

Discuss this Blog Entry 7

JT (not verified)
on Sep 17, 2010
Unfortunately, in the environment I work in, they have the firewalls so locked down between all the security areas that it becomes impossible to use this remoting feature. The only remote administration that we have available to us is "section-specific." For instance, I work in a few MOSS 2007 farms. They can see each other, and I use PowerShell to aggregate information across those machines from one of the machines in a particular farm. Unfortunately, I cannot, from my workstation, access that same information on the servers because of the firewall port lockdowns. The only port allowed for remote administration to the servers is RDP.
Jeff Hicks (not verified)
on Sep 16, 2010
Certainly, if you have to manage any number of non-Windows platforms remotely, you are going to want something like SSH. But the point Don is trying to make is that for Windows admins, PowerShell remoting should be a no-brainer. In addition to using interactive shells, the remoting feature allows you to run background jobs as well as scripted commands on 1 to 1000 remote machines. The ability to reach out and manage 1000 machines simultaneously is heady stuff.

About the only time I use an RDP session is when I need to troubleshoot something and I need some GUI based tools. Or I need to see something that is ON the console.

on Sep 17, 2010
JT, it's funny that they'd allow RDP but not WinRM, isn't it? Same basic thing! That's IT security these days!
on Sep 16, 2010
Wow, Bewc - "should be avoided by most admins" is pretty harsh. I wasn't claiming that PowerShell was cross-platform nirvana - but it's an extremely useful tool within the Windows environment. I guess I disagree with you about "avoid." The ability to invoke a command on multiple remote machines in parallel, managing a communications stack and queue, is something SSH doesn't natively offer - and, as you say, SSH doesn't come with Windows. Admins are obviously welcome to use whatever tools work for them, and it's great that you've found SSH to be so useful (I like it, too), but it seems crazy to ignore native tools (which PowerShell is, now) that offer useful functionality.

Oh, and PowerShell absolutely can transfer files between Windows systems (I use it to deploy content across a Web farm), and it definitely offers certificate-based authentication (in the form of "Kerberos," which admittedly only works in a domain environment, but AD domains are pretty common in Windows shops); if you were under the impression that it transmitted passwords for authentication, you may want to revisit that. PowerShell (and WinRM) actually have to have a configuration change to enable password-based authentication - it isn't turned on by default.

Still, you're absolutely entitled to use whatever tools work for you! If you'd like to see SSH included in PowerShell, I hope you'll take the time to communicate that to the PowerShell team through connect.microsoft.com. They do pay attention to feedback from their users.



realdealbiehl (not verified)
on Sep 16, 2010
We use this heavily in our automated testing environments. The ability to run test scripts remotely on multiple machines has greatly decreased the amount of manual testing we have to do and has opened up new ways of testing our product automagically.
Bewc (not verified)
on Sep 15, 2010
PowerShell remoting doesn't work with other operating systems, can't transfer files (between windows systems or with other operating systems), can't perform key/certificate/password-less authentication, and isn't compatible with SSH. In short, it's not a very good solution and should be avoided by most admins (IMHO).

SSH is highly useful, and a great admin skill to acquire. It comes on every OS except Windows. Like many services (telnet, ftp, or PowerShell remoting), you need a client and a server. Luckily, there are free and commercial versions of SSH clients and SSH servers for Windows.

SSH can run scripts, transfer files, and more. Some people have taken this to all kinds of levels. Just web search for PowerShell SSH and learn more.

Hopefully, Microsoft will include SSH into the next Windows and PowerShell.







on Apr 29, 2014

Good & Easy way to do day to day task. Thanks Jones..
I tried its work seem we open power shell on respective server.


What's PowerShell with a Purpose Blog?

Don Jones demystifies Windows PowerShell.
