Q. How can I create a restricted alternate PowerShell session configuration for remote usage?
A. By default, a server has a number of session configurations that can be connected to for remote execution, and the default configuration allows only members of the local Administrators and Remote Management Users groups to connect. It is possible to register additional session configurations that allow alternate users to connect, for example:
Register-PSSessionConfiguration -Name "DCMs"
Set-PSSessionConfiguration -Name "DCMs" -ShowSecurityDescriptorUI
Get-PSSessionConfiguration -Name "DCMs"
Note that the -ShowSecurityDescriptorUI switch displays the graphical interface for setting the permissions on who can access the configuration. It's also possible to do this via script:
# Load the configuration's current security descriptor from its SDDL string
$pssc = Get-PSSessionConfiguration -Name "DCMs"
$psscSd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $pssc.SecurityDescriptorSddl)
# Group (or user) that should be allowed to connect
$Principal = "savilltech\DCMs"
$account = New-Object System.Security.Principal.NTAccount($Principal)
$accessType = "Allow"
# 268435456 = 0x10000000 (GENERIC_ALL)
$accessMask = 268435456
$inheritanceFlags = "None"
$propagationFlags = "None"
# Add an allow ACE for the principal's SID to the DACL
$psscSd.DiscretionaryAcl.AddAccess($accessType,$account.Translate([System.Security.Principal.SecurityIdentifier]),$accessMask,$inheritanceFlags,$propagationFlags)
# Write the updated descriptor back to the session configuration
Set-PSSessionConfiguration -Name "DCMs" -SecurityDescriptorSddl $psscSd.GetSddlForm("All") -Force
To use the configuration, specify it with the -ConfigurationName parameter, e.g.
Enter-PSSession -ComputerName server1 -ConfigurationName DCMs
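To confirm who can actually connect after changing the descriptor, the SDDL on each session configuration can be decoded back into a readable list. The following is an added example, not part of the original answer; the function name Get-PSSessionConfigurationAccess is hypothetical, and it uses the same CommonSecurityDescriptor class as the script above.

```powershell
# Added example: decode the DACL of one or more session configurations.
# Run from an elevated PowerShell session on the server being checked.
function Get-PSSessionConfigurationAccess {
    param(
        [string]$Name = '*'   # wildcard lists every registered configuration
    )

    foreach ($pssc in Get-PSSessionConfiguration -Name $Name) {
        # A configuration may have no SDDL of its own recorded; report that
        # instead of passing $null to the descriptor constructor.
        if ([string]::IsNullOrEmpty($pssc.SecurityDescriptorSddl)) {
            [pscustomobject]@{
                Configuration = $pssc.Name
                Principal     = '(no SDDL set on this configuration)'
                AceType       = $null
                AccessMask    = $null
                GenericAll    = $null
            }
            continue
        }

        $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor(
            $false, $false, $pssc.SecurityDescriptorSddl)

        foreach ($ace in $sd.DiscretionaryAcl) {
            # Resolve the SID to an account name; keep the raw SID if it
            # cannot be resolved (deleted account, unreachable domain).
            $who = $ace.SecurityIdentifier.Value
            try {
                $who = $ace.SecurityIdentifier.Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }

            [pscustomobject]@{
                Configuration = $pssc.Name
                Principal     = $who
                AceType       = $ace.AceType        # AccessAllowed / AccessDenied
                AccessMask    = '0x{0:X8}' -f $ace.AccessMask
                # 0x10000000 is the GENERIC_ALL mask granted by the script above
                GenericAll    = (($ace.AccessMask -band 0x10000000) -ne 0)
            }
        }
    }
}

# Review the custom endpoint, then every endpoint on the server
Get-PSSessionConfigurationAccess -Name 'DCMs' | Format-Table -AutoSize
Get-PSSessionConfigurationAccess | Sort-Object Configuration | Format-Table -AutoSize
```

Any principal listed with an AccessAllowed entry that was not intended to have remote access is a finding to correct with Set-PSSessionConfiguration.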