Creating new pswa Authorization rule

This topic contains 5 replies, has 2 voices, and was last updated by  Jason Helmick 4 years, 1 month ago.

  • #10883

    Amandeep Bhatia
    Participant

    Hello,

    I have configured PSWA on a Windows 2012 server. The virtual directory and everything got installed properly and I can browse to the Windows PowerShell Web Access login page.
    But I need to create the authorization rule before I can login.
    Running the cmdlet below gives the error:
    Add-PswaAuthorizationRule –UserName Contoso\JSmith -ComputerName Contoso_214 -ConfigurationName NewAdminsOnly

    Add-PswaAuthorizationRule : The specified directory service attribute or value does not exist.
    At line:1 char:1
    + Add-PswaAuthorizationRule –UserName Contoso\JSmith -ComputerName Contoso_214 -ConfigurationName NewAdminsOnly
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Add-PswaAuthorizationRule], COMException
    + FullyQualifiedErrorId : AddRuleError,Microsoft.Management.PowerShellWebAccess.AddPswaAuthorizationRuleCommand

    Please help! The NewAdminsOnly config has already been created.

  • #10892

    Jason Helmick
    Keymaster

    Hey Amandeep!

    Are you doing the Add-PSWAAuthorizationRule using PowerShell Remoting? There is a multi-hop issue. Also, the computer name should be fully qualified.

    Try to fully qualify the computer name — you can also create a couple of test rules to narrow down the issue, such as Add-PSWAAuthorizationRule -Username * -ComputerName MyComp.Domain.Pri -ConfigurationName * — Of course, you will want to delete these test rules, but this can help see exactly where the problem is.

    Let me know if this helped!

    Jason

  • #10904

    Amandeep Bhatia
    Participant

    OK, first of all, thanks for replying. Here is what I am trying.

    I want to automate some stuff with PowerShell, such that a few members to whom I give access could run those scripts using PowerShell Web Access (as they are Mac users and not Windows). For this, I am setting up a VM for Windows 2012 Standard Edition server (it is not 2012 R2) with all my script modules installed there.

    As you suggested, I ran the script with -UserName * and it worked and created the rule. However, it did not allow me to log in, giving an authorization failure with that domain user for which I created the rule.

    Then, I created the rule with the command below:
    Add-PswaAuthorizationRule –UserName * -ComputerName * -ConfigurationName *

    Giving access to everyone with every configuration. This allowed the domain user to login through the web console and issue commands.

    So, now I just need to see how I can give specific rights to specific users. And why the rule creation with a specific username is failing. Please let me know if you have any further suggestions. Again, thanks for your anticipation.

    Thanks,
    Aman.

  • #10925

    Jason Helmick
    Keymaster

    Hi Aman!

    Check a couple of things – First – if the user is not an administrator, you will need to add them to the target remote server's local group "Remote Management Users". – Or create a new AD group and add that group so you can easily add users.

    Here is an example of my rule for a regular user that has been added to that group.

    PS C:\> Add-PswaAuthorizationRule -UserName Company\Bobs -ComputerName s1.Company.Pri -ConfigurationName *

    Bobs is a regular user
    S1.Company.Pri is the remote computer I want Bobs to be able to use.

    Let me know how it goes!

    Jason

  • #10935

    Amandeep Bhatia
    Participant

    Thanks, still struggling with it. Everything works with * for a username, but as soon as I give a specific user I get the error. Also tried that user as admin on the machine on which access is required.

    Just a blind guess, do I need to be a domain admin in order to run this command? Currently I am not.

  • #11021

    Jason Helmick
    Keymaster

    Are you standing at the server or using PowerShell remoting?
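
Added example, not part of any post in this thread: one way to find the wildcard test rules discussed above so they can be removed once a scoped rule works. Find-PswaWildcardRule is a hypothetical helper, the sample rules are constructed from names used in the thread, and the code assumes rule objects expose Id, RuleName, User, Destination and ConfigurationName, with "*" stored literally for wildcards.

```powershell
# Added example (not from the thread). Find-PswaWildcardRule is a hypothetical helper.
# Assumption: rule objects expose Id, RuleName, User, Destination, ConfigurationName,
# matching the columns Get-PswaAuthorizationRule displays, and wildcards appear as '*'.
function Find-PswaWildcardRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Rule
    )
    process {
        # Collect every field of the rule that is the catch-all '*'.
        $open = foreach ($field in 'User', 'Destination', 'ConfigurationName') {
            if ($Rule.$field -eq '*') { $field }
        }
        if ($open) {
            [pscustomobject]@{
                Id        = $Rule.Id
                RuleName  = $Rule.RuleName
                Wildcards = $open -join ','
                # All three open: any authenticated user reaches any computer and endpoint.
                AllowsAll = (@($open).Count -eq 3)
            }
        }
    }
}

# Constructed sample rules, shaped like the ones created in this thread.
$sampleRules = @(
    [pscustomobject]@{ Id = 0; RuleName = 'Rule 0'; User = '*'; Destination = 'MyComp.Domain.Pri'; ConfigurationName = '*' }
    [pscustomobject]@{ Id = 1; RuleName = 'Rule 1'; User = '*'; Destination = '*'; ConfigurationName = '*' }
    [pscustomobject]@{ Id = 2; RuleName = 'Rule 2'; User = 'Company\Bobs'; Destination = 's1.Company.Pri'; ConfigurationName = 'NewAdminsOnly' }
)
$sampleRules | Find-PswaWildcardRule | Format-Table -AutoSize

# On the PSWA gateway server, in an elevated session:
if (Get-Command Get-PswaAuthorizationRule -ErrorAction SilentlyContinue) {
    $risky = Get-PswaAuthorizationRule | Find-PswaWildcardRule
    $risky | Format-Table -AutoSize
    # Remove the test rules once a scoped rule works; -WhatIf only previews the removal.
    $risky | ForEach-Object { Remove-PswaAuthorizationRule -Id $_.Id -WhatIf }
    # Confirm that a specific user/computer/configuration combination is authorized.
    Test-PswaAuthorizationRule -UserName 'Company\Bobs' -ComputerName 's1.Company.Pri' -ConfigurationName 'NewAdminsOnly'
}
```

Drop -WhatIf only after Test-PswaAuthorizationRule confirms the scoped rule grants the intended access.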