Enter-PSSession : Connecting to Remote Server Failed

Enter-PSSession Error Message: Access is Denied

You may receive the following error when trying to create a remote PowerShell session:

Enter-PSSession : Connecting to remote server DC-01 failed with the following error message :
Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession DC-01
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (DC-01:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

The error message means that your user account does not have access to create a remote PowerShell session from system A to system B.

To allow your account to perform remote PowerShell commands on system B, you must configure proper permissions on system B.

Log in to system B and run the following command:

Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell

This command will open up the security settings for PowerShell sessions:

[Screenshot: PowerShell remote access settings]

The account used on system A to establish the remote PowerShell session needs to have Full Control on this object to run remote PowerShell commands.

You can either assign Full Control directly to your account or add it to the Remote Management Users domain group.

Adding your user account directly to the access control list could look like this:

[Screenshot: PowerShell remote access DACL]

When this has been configured on system B you can return to system A and test again:

PS C:\Users\adm.server.joe> Enter-PSSession DC-01
[DC-01]: PS C:\Users\adm.server.joe\Documents>

As you see, this time, the remote session is established successfully, and you’re ready to fire off remote PowerShell commands.

Even Better Management

If you need to set this up for multiple systems and users, you may want to create custom domain groups for this.

Using custom domain groups (e.g., “Server01-RemotePS”) allows you to manage remote PowerShell access via AD group membership instead of adding users directly to the PowerShell session ACL.
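
The same permission change can be scripted, which helps when a custom group has to be granted access on several systems. The following is an added example, not part of the original post: the function names Get-EndpointAcl and Grant-EndpointAccess and the group CONTOSO\Server01-RemotePS are hypothetical, and it assumes an elevated PowerShell prompt on system B.

```powershell
#Requires -RunAsAdministrator
# Added example. Function names and the group name are hypothetical.

# List who is currently allowed or denied on a session configuration.
function Get-EndpointAcl {
    param([string]$ConfigurationName = 'Microsoft.PowerShell')
    $sddl = (Get-PSSessionConfiguration -Name $ConfigurationName).SecurityDescriptorSddl
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Fall back to the raw SID when the name cannot be resolved.
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Identity   = $name
            Type       = $ace.AceType
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

# Add an allow ACE for a group. Returns $true if the ACL was changed.
function Grant-EndpointAccess {
    param(
        [Parameter(Mandatory)][string]$Group,
        [string]$ConfigurationName = 'Microsoft.PowerShell',
        [int]$AccessMask = 0x10000000   # GENERIC_ALL, shown as Full Control in the UI
    )
    # Throws if the group does not exist, so a typo never reaches the ACL.
    $sid = ([System.Security.Principal.NTAccount]$Group).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $sddl = (Get-PSSessionConfiguration -Name $ConfigurationName).SecurityDescriptorSddl
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $sddl)

    # Skip the change (and the WinRM restart) if the group already has the access.
    $existing = $sd.DiscretionaryAcl | Where-Object {
        $_.SecurityIdentifier.Value -eq $sid.Value -and
        $_.AceType -eq 'AccessAllowed' -and
        ($_.AccessMask -band $AccessMask) -eq $AccessMask
    }
    if ($existing) { return $false }

    $sd.DiscretionaryAcl.AddAccess('Allow', $sid, $AccessMask, 'None', 'None')
    # -Force suppresses the prompts; WinRM is restarted so the change takes effect.
    Set-PSSessionConfiguration -Name $ConfigurationName `
        -SecurityDescriptorSddl $sd.GetSddlForm('All') -Force | Out-Null
    return $true
}

Grant-EndpointAccess -Group 'CONTOSO\Server01-RemotePS'   # constructed group name
Get-EndpointAcl | Format-Table -AutoSize                  # review the resulting ACL
```

Running Get-EndpointAcl on its own makes no changes and can be used to review which accounts and groups hold access on each system.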

If you’re specifically using remote PowerShell to trigger Azure AD synchronization, you should consider using Easy365Manager instead.

Easy365Manager is a lightweight snap-in for AD Users & Computers that allows you to manage Office 365 mailboxes and licenses as part of your AD user management.

With Easy365Manager, you can trigger an Azure AD Connect synchronization directly from user properties:

[Screenshot: One-click synchronization of Azure AD Connect]

Easy synchronization of Azure AD Connect is just one of many features available in Easy365Manager.

Download your 30-day unrestricted trial here. It doesn’t make any changes to your AD and only takes a couple of minutes to download, install and configure.
