How can I create a restricted alternate PowerShell session configuration

Q. How can I create a restricted alternate PowerShell session configuration for remote usage?

A. By default, a server has a number of session configurations that can be connected to for remote execution, and the default configuration allows only members of the local Administrators and Remote Management Users groups to connect. You can register additional session configurations that allow a different set of users to connect.

Register-PSSessionConfiguration -Name "DCMs"
Set-PSSessionConfiguration -Name "DCMs" -ShowSecurityDescriptorUI
Get-PSSessionConfiguration -Name "DCMs"

Note that you will be shown the graphical interface to set the permissions on who can access the configuration. It's also possible to do this via script:

# Load the configuration's current security descriptor from its SDDL string
$pssc = Get-PSSessionConfiguration -Name "DCMs"
$psscSd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $pssc.SecurityDescriptorSddl)

# Group that should be allowed to connect
$Principal = "savilltech\DCMs"
$account = New-Object System.Security.Principal.NTAccount($Principal)
$accessType = "Allow"
# 268435456 = 0x10000000 (GENERIC_ALL)
$accessMask = 268435456
$inheritanceFlags = "None"
$propagationFlags = "None"
# Add an allow ACE for the group's SID to the DACL
$psscSd.DiscretionaryAcl.AddAccess($accessType,$account.Translate([System.Security.Principal.SecurityIdentifier]),$accessMask,$inheritanceFlags,$propagationFlags)

# Write the updated descriptor back to the session configuration
Set-PSSessionConfiguration -Name "DCMs" -SecurityDescriptorSddl $psscSd.GetSddlForm("All") -Force

To use the configuration, specify it with the -ConfigurationName parameter, e.g.

Enter-PSSession -ComputerName server1 -ConfigurationName DCMs
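
To review who can connect after changing the permissions, the DACL in the configuration's SDDL can be decoded into a readable list. This is an added example, not part of the original answer; the function name Get-SessionConfigurationAce is hypothetical and the sample SDDL string (including the domain SID) is constructed for illustration.

```powershell
# Added example: list the principals and rights in a session configuration's DACL.
function Get-SessionConfigurationAce {
    param(
        [Parameter(Mandatory)][string]$Sddl
    )

    # Generic rights as they appear in an ACE access mask
    $genericRights = [ordered]@{
        GenericAll     = 0x10000000   # 268435456, the mask granted in the script above
        GenericExecute = 0x20000000
        GenericWrite   = 0x40000000
        GenericRead    = 0x80000000
    }

    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Fall back to the raw SID when it cannot be resolved
        # (deleted account, or a domain that is not reachable from this machine)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }

        $rights = foreach ($r in $genericRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }

        [pscustomobject]@{
            Principal = $name
            Type      = $ace.AceQualifier                  # AccessAllowed or AccessDenied
            Mask      = '0x{0:X8}' -f $ace.AccessMask
            Rights    = if ($rights) { $rights -join ',' } else { 'ObjectSpecific' }
        }
    }
}

# Constructed sample: Administrators (BA), Remote Management Users (S-1-5-32-580)
# and a made-up domain group SID standing in for the DCMs group.
$sampleSddl = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-32-580)(A;;GA;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
Get-SessionConfigurationAce -Sddl $sampleSddl | Format-Table -AutoSize

# Against a live configuration (elevated prompt, WinRM enabled):
# Get-SessionConfigurationAce -Sddl (Get-PSSessionConfiguration -Name 'DCMs').SecurityDescriptorSddl
```

Any principal in the output that is not expected to have remote access to the configuration should be removed from the security descriptor.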

 
