Session Configuration


This topic contains 1 reply, has 2 voices, and was last updated by Keymaster 6 months, 1 week ago.

  • #98862

    Participant
    Points: 0
    Rank: Member

    I am testing customized endpoints for security and want to bypass the Constrained Language mode that is in place due to a Block App Data GPO policy. I want to bypass this for future projects where I may need to use .NET types of objects. For instance, I may need to gather remote desktop profile paths within Active Directory.

    On a Windows 2016 test server, I created a custom endpoint with Full Language mode enabled.

    @{
    
    # Version number of the schema used for this document
    SchemaVersion = '2.0.0.0'
    
    # ID used to uniquely identify this document
    GUID = 'bdd8a1fc-9f40-4e14-b1e3-5ddf1c43e2c9'
    
    # Author of this document
    Author = 'administrator'
    
    # Description of the functionality provided by these settings
    # Description = ''
    
    # Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
    SessionType = 'Default'
    
    LanguageMode = 'FullLanguage'
    
    # Directory to place session transcripts for this session configuration
    # TranscriptDirectory = 'C:\Transcripts\'
    
    # Whether to run this session configuration as the machine's (virtual) administrator account
    # RunAsVirtualAccount = $true
    
    # Scripts to run when applied to a session
    # ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'
    
    # User roles (security groups), and the role capabilities that should be applied to them when applied to a session
    # RoleDefinitions = @{ 'CONTOSO\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' }; 'CONTOSO\ServerMonitors' = @{ VisibleCmdlets = 'Get-Process' } } 
    
    }

    I then register the session file BCTEST.pssc and, for testing, give domain admin full access to the session using the -ShowSecurityDescriptorUI parameter.

    PS C:\Windows\system32> Get-PSSessionConfiguration
    
    Name          : BCTEST
    PSVersion     : 5.1
    StartupScript :
    RunAsUser     :
    Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, XXXX\administrator
                    AccessAllowed
    
    Name          : microsoft.powershell
    PSVersion     : 5.1
    StartupScript :
    RunAsUser     :
    Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                    Management Users AccessAllowed
    
    Name          : microsoft.powershell.workflow
    PSVersion     : 5.1
    StartupScript :
    RunAsUser     :
    Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
    
    Name          : microsoft.powershell32
    PSVersion     : 5.1
    StartupScript :
    RunAsUser     :
    Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                    Management Users AccessAllowed
    
    Name          : microsoft.windows.servermanagerworkflows
    PSVersion     : 3.0
    StartupScript :
    RunAsUser     :
    Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed

    I set this session on server w16-tpbc. However, when I create a remote session and check which language mode I am in, I am still in Constrained Language mode. Shouldn't I be in 'Full Language Mode' from within this session?

    PS C:\Windows\system32> Enter-PSSession -ComputerName w16-tpbc -ConfigurationName BCTEST
    [w16-tpbc]: PS C:\Users\administrator.TECHPRO\Documents> $ExecutionContext.SessionState.LanguageMode
    ConstrainedLanguage
    [w16-tpbc]: PS C:\Users\administrator.TECHPRO\Documents>
  • #98866

    Keymaster
    Points: 1,524
    Helping Hand, Team Member
    Rank: Community Hero

    If I'm following you correctly, what you're encountering is by design. You're not meant to bypass GPO-assigned security settings. If you could, then any bad actor could, which would defeat the purpose.
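
A defender-side check for the configuration discussed in this thread, as an added example that is not part of either post: it flags a `.pssc` that requests `FullLanguage` without role restrictions, using the active settings from BCTEST.pssc as input. `Test-PsscSettings` is a hypothetical helper name, and the three checks are this example's own assumptions about what is worth flagging.

```powershell
# Added example, not from the thread. Test-PsscSettings is a hypothetical helper name.
function Test-PsscSettings {
    param([string] $Name, [hashtable] $Settings)

    $findings = @()
    if ($Settings.LanguageMode -eq 'FullLanguage' -and -not $Settings.RoleDefinitions) {
        $findings += 'FullLanguage requested without RoleDefinitions'
    }
    if ($Settings.SessionType -ne 'RestrictedRemoteServer') {
        $findings += "SessionType '$($Settings.SessionType)' is not RestrictedRemoteServer"
    }
    if (-not $Settings.TranscriptDirectory) {
        $findings += 'No TranscriptDirectory'
    }

    [pscustomobject]@{
        Endpoint          = $Name
        RequestedLanguage = $Settings.LanguageMode
        Findings          = $findings -join '; '
    }
}

# The active (uncommented) settings from the BCTEST.pssc posted above that the checks read.
$bctest = @{
    SchemaVersion = '2.0.0.0'
    SessionType   = 'Default'
    LanguageMode  = 'FullLanguage'
}
Test-PsscSettings -Name 'BCTEST' -Settings $bctest | Format-List

# On a server (elevated prompt), run the same checks over every endpoint registered
# from a .pssc file. Built-in endpoints have no ConfigFilePath and are skipped.
if (Get-Command Get-PSSessionConfiguration -ErrorAction SilentlyContinue) {
    Get-PSSessionConfiguration -ErrorAction SilentlyContinue |
        Where-Object { $_.ConfigFilePath } |
        ForEach-Object {
            $s = Import-PowerShellDataFile -LiteralPath $_.ConfigFilePath
            Test-PsscSettings -Name $_.Name -Settings $s
        } | Format-List
}

# The mode this shell is actually running in, whatever a .pssc requested.
"Effective language mode here: $($ExecutionContext.SessionState.LanguageMode)"
```

For the BCTEST settings all three findings are reported; the last line prints the same value the original poster queried inside the remote session.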
