
December 15, 2016 at 7:24 am

Hi All,

My requirement was, instead of giving full administrative rights, to give rights to some specific cmdlets to a group of users. To do this I am using JEA. This works awesome on the local machine when logged in with admin creds, i.e.

Enter-PSSession -ComputerName localhost -ConfigurationName Clients

So through this I can see only the limited cmdlets which I have given them access to, but when I perform the same from a remote machine it's not working, i.e.

Enter-PSSession -ComputerName "TestServer" -ConfigurationName Clients [gives ERROR]

My question is: do I need to pass admin creds to this? Because it works then:

Enter-PSSession -ComputerName "TestServer" -Credential "Administrator" -ConfigurationName Clients (This Works)

But what's the point then? I don't want to share admin creds with my clients. Kindly suggest on this. I only want the client group to provide the configuration name so that they can take a PSSession with it without passing admin creds.

December 15, 2016 at 2:03 pm

You will need to map the JEA roles to users or groups so they can connect to the session you have set up.

For your reading pleasure https://msdn.microsoft.com/powershell/jea/session-configurations

December 15, 2016 at 2:38 pm

Are you able to post your session configuration file? What's the error you get when you try to Enter-PSSession from a remote machine?

As Jon said, in your session configuration file you need to map your role capabilities to a group in Active Directory. See below for an example of what your PSSC file might look like.

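@{
SchemaVersion = '2.0.0.0'
GUID = 'GUID HERE'
# Restricted endpoint: only what the role capabilities make visible
SessionType = 'RestrictedRemoteServer'
# Commands run as a temporary virtual account, not as the connecting user
RunAsVirtualAccount = $true
# Map the AD group allowed to connect to the role capability it receives
RoleDefinitions = @{
    'DOMAIN\GROUP' = @{
        'RoleCapabilities' = 'Clients' } }
}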
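
The mapping described in the replies above, carried through from role capability file to a registered endpoint and a check of who may connect. This is an added example, not code from any poster in the thread; the group CONTOSO\JEA_Clients, the user CONTOSO\alice, the module name ClientsJEA, the file paths and the visible cmdlets are all assumptions chosen for illustration.

```powershell
# Run in an elevated PowerShell session on the JEA server (TestServer in the thread).
# Assumed names, not from the thread: group, test user, module name, paths, cmdlets.
$group      = 'CONTOSO\JEA_Clients'   # hypothetical AD group holding the client users
$testUser   = 'CONTOSO\alice'         # hypothetical non-admin member of that group
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ClientsJEA'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
$psscPath   = Join-Path $env:ProgramData 'JEAConfiguration\Clients.pssc'

# 1. Role capability file. Its base name ('Clients') is what RoleCapabilities
#    refers to, and it must live in a RoleCapabilities folder of a module
#    that is on $env:PSModulePath.
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'ClientsJEA.psd1')
$visible = @(
    'Get-Service'
    # Restart-Service is exposed only for one named service
    @{ Name = 'Restart-Service'
       Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'Clients.psrc') -VisibleCmdlets $visible

# 2. Session configuration file: the group-to-role mapping is what lets
#    non-admin users connect without administrator credentials.
New-Item -ItemType Directory -Path (Split-Path $psscPath) -Force | Out-Null
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -RoleDefinitions @{ $group = @{ RoleCapabilities = 'Clients' } }

# 3. Validate before registering; registration restarts WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Invalid session configuration file: $psscPath"
}
Register-PSSessionConfiguration -Name 'Clients' -Path $psscPath -Force

# 4. Verify: the endpoint ACL should list the mapped group, and the
#    capability report should show only the cmdlets granted to the test user.
(Get-PSSessionConfiguration -Name 'Clients').Permission
Get-PSSessionCapability -ConfigurationName 'Clients' -Username $testUser |
    Select-Object Name, CommandType

# 5. From the client machine, logged on as a member of $group (no -Credential):
#    Enter-PSSession -ComputerName TestServer -ConfigurationName Clients
```

If the Permission output in step 4 does not include the mapped group, a remote connection by a non-admin user is refused at the endpoint ACL before any role capability is evaluated.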