My domain controllers are all on PowerShell version 5.1 and .NET 4.8. I have developed PowerShell code for auditing the current state of the domain controllers, including the following areas:
OS Information
System information such as physical bios or vm version
CPU
Ram
Local storage
Network Information
Domain
AD OU
AD site
Included in this list of information is Get-HotFix, which returns patching information in the OS Info phase.
When I log on to my domain controller with my domain admin account and run my PowerShell code locally, I get the expected results of a full audit of the local machine.
When I open PowerShell as a different user, using a service account from another domain, and run the code, I am missing a bunch of info.
What I have found is that Get-HotFix is returning NULL and breaking the remaining code. This information is sort of relevant to my question. I have confirmed this by moving that section to the end of the list and seeing more data coming through.
To provide the most basic test scenario: log on to my domain controller, open PowerShell as a different user using the account from the other domain, and execute Get-HotFix; I get data. When I use Invoke-Command -ComputerName -ScriptBlock {Get-HotFix}, the result is NULL. If I add the domain account to the BuiltIn\Administrators group, I get results as I did in my first test.
DomainA service account provisioning
Member of the following DomainB security groups:
BuiltIn\Distributed COM Users
BuiltIn\Remote Management Users
BuiltIn\Server Operators
Open WMImgmt and grant Enable and Remote Enable permissions on Root\CIMV2.
Open dcomcnfg, locate My Computer and open Properties, COM Security, and edit Access Permissions and Launch and Activation Permissions. Note that I clicked the Edit Limits button and not the Edit Default button of each item. Added my Distributed COM security group to each, allowing all.
As said above, at this point I can get data locally when opening PowerShell as a different user with the DomainA service account. But when using Invoke-Command locally, it fails.
Based on the change in results when adding the account to BuiltIn\Administrators, where the code works correctly, I believe there is another permission which needs to be addressed.
It's been suggested that UAC may be blocking remote execution and that there is a registry key I may want to add to disable UAC.
The other suggestion is to use GPO to add the account or security group to the Impersonate permissions.
What else am I missing?
Thanks,
John
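As an added example (not part of the original question), the following PowerShell diagnostic runs one probe both directly, as the DomainA account started with "run as different user", and through Invoke-Command, then reports the groups, privileges and Get-HotFix results that differ between the two tokens. The DC name in $Target and the account in $Cred are placeholder assumptions.

```powershell
# Added diagnostic for the scenario above; not the poster's code.
# Runs the same probe locally and via Invoke-Command and diffs the two security contexts,
# so the missing permission can be located without adding the account to Administrators.
param(
    [string]$Target = 'DC01.domainb.example',                   # placeholder DC name
    [pscredential]$Cred = (Get-Credential 'DOMAINA\svc_audit')  # placeholder account
)

$probe = {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    # whoami emits CSV with a header row, so group and privilege names parse cleanly
    $groups = whoami /groups /fo csv | ConvertFrom-Csv | Select-Object -ExpandProperty 'Group Name'
    $privs  = whoami /priv /fo csv | ConvertFrom-Csv | Where-Object State -eq 'Enabled' |
              Select-Object -ExpandProperty 'Privilege Name'
    # Get-HotFix wraps Win32_QuickFixEngineering; query both paths and keep the error text
    # rather than letting a silent $null break the rest of an audit run.
    $errors = @(); $hot = @(); $cim = @()
    try { $hot = @(Get-HotFix -ErrorAction Stop | Where-Object { $_ }) } catch { $errors += "Get-HotFix: $_" }
    try { $cim = @(Get-CimInstance Win32_QuickFixEngineering -ErrorAction Stop | Where-Object { $_ }) } catch { $errors += "CIM: $_" }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        User          = $id.Name
        IsAdminToken  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Impersonation = $id.ImpersonationLevel   # relevant to the "Impersonate" GPO suggestion
        Groups        = $groups
        Privileges    = $privs
        HotFixCount   = $hot.Count
        CimCount      = $cim.Count
        Errors        = $errors
    }
}

$local  = & $probe
$remote = Invoke-Command -ComputerName $Target -Credential $Cred -ScriptBlock $probe

$local, $remote | Format-Table Computer, User, IsAdminToken, Impersonation, HotFixCount, CimCount -AutoSize
"Errors (remote): $($remote.Errors -join '; ')"

# Groups and privileges present in the direct logon but absent from the remote token are
# the first place to look; the remote token carrying NETWORK instead of INTERACTIVE is expected.
$onlyLocal = {
    param($a, $b)
    Compare-Object -ReferenceObject @($a) -DifferenceObject @($b) |
        Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
}
"Groups missing remotely:     " + ((& $onlyLocal $local.Groups $remote.Groups) -join ', ')
"Privileges missing remotely: " + ((& $onlyLocal $local.Privileges $remote.Privileges) -join ', ')
```

Run it from the "run as different user" PowerShell window on the DC itself so the local half reflects exactly the context in which Get-HotFix is known to work.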