JEA with Powershell

This topic contains 2 replies, has 3 voices, and was last updated by Monte Hazboun 10 months ago.

  • #60216

    Amar Helloween
    Participant

    Hi All,

    My requirement was, instead of giving full administrative rights, to give rights to some specific cmdlets to a group of users. To do this I am using JEA. This works awesome on the local machine when logged in with admin creds, i.e.

    Enter-PSSession -ComputerName localhost -ConfigurationName Clients

    Through this I can see only the limited cmdlets which I have given them access to, but when I perform the same from a remote machine it's not working, i.e.

    Enter-PSSession -ComputerName "TestServer" -ConfigurationName Clients [gives ERROR]

    My question is: do I need to pass admin creds to this? Because it works then:

    Enter-PSSession -ComputerName "TestServer" -Credential "Administrator" -ConfigurationName Clients (This Works)

    But what's the point then? I don't want to share admin creds with my clients. Kindly suggest on this. I only want the client group to provide the configuration name so that they can take a PSSession with it without passing admin creds.

  • #60223

    Jonathan Warnken
    Participant

    You will need to map the JEA roles to users or groups so they can connect to the session you have set up.

    For your reading pleasure https://msdn.microsoft.com/powershell/jea/session-configurations

  • #60225

    Monte Hazboun
    Participant

    Are you able to post your session configuration file? What's the error you get when you try to Enter-PSSession from a remote machine?

    As Jon said, in your session configuration file you need to map your role capabilities to a group in Active Directory. See below for an example of what your PSSC file might look like.

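    @{
        SchemaVersion = '2.0.0.0'
        GUID = 'GUID HERE'
        # Restricted endpoint: only what the mapped role capabilities expose is visible
        SessionType = 'RestrictedRemoteServer'
        # Commands run as a temporary virtual account, not as the connecting user
        RunAsVirtualAccount = $true
        # Map an Active Directory group to the role capability it receives
        RoleDefinitions = @{
            'DOMAIN\GROUP' = @{
                'RoleCapabilities' = 'Clients' }
        }
    }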
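
The setup the replies describe, carried through from role capability file to registered endpoint, as an added example (not code from anyone in this thread). The module name `ClientsJEA`, the file paths, the visible cmdlets, and the `DOMAIN\GROUP` and `DOMAIN\someuser` names are placeholders to replace with your own.

```powershell
# Added example. Run in an elevated PowerShell session on the server (e.g. TestServer).
# Assumed names: module 'ClientsJEA', role 'Clients', group 'DOMAIN\GROUP'.

# 1. Role capability files are resolved by name from a RoleCapabilities
#    folder inside a valid module on the server's module path.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ClientsJEA'
$roleDir    = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $moduleRoot 'ClientsJEA.psm1') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'ClientsJEA.psd1') -RootModule 'ClientsJEA.psm1'

# 2. Define what the role may run (illustrative cmdlets, constructed for this example).
#    Restart-Service is limited to a single service name via ValidateSet.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'Clients.psrc') -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)

# 3. Session configuration: map the AD group to the 'Clients' role.
$pssc = Join-Path $env:ProgramData 'JEAConfiguration\Clients.pssc'
New-Item -ItemType Directory -Path (Split-Path $pssc) -Force | Out-Null
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -RoleDefinitions @{ 'DOMAIN\GROUP' = @{ RoleCapabilities = 'Clients' } }

# 4. Validate before registering; a malformed file should stop here.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}

# 5. Register the endpoint (this restarts WinRM and drops existing remote sessions).
Register-PSSessionConfiguration -Name 'Clients' -Path $pssc -Force

# 6. Check who may connect and what a given member would be able to run.
(Get-PSSessionConfiguration -Name 'Clients').Permission
Get-PSSessionCapability -ConfigurationName 'Clients' -Username 'DOMAIN\someuser'

# Members of the mapped group then connect with their own credentials:
#   Enter-PSSession -ComputerName TestServer -ConfigurationName Clients
```

The `Permission` output is the quickest check when a remote connection is refused: if the client group is not listed there, the role mapping did not take effect.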
    
