Session Configuration


This topic contains 1 reply, has 2 voices, and was last updated by Keymaster 1 year, 1 month ago.

  • #98862

    Participant

    I am testing customized endpoints for security and want to bypass the Constrained Language mode that is in place due to a Block App Data GPO policy. I want to bypass this for future projects where I may need to use .NET type of objects. For instance, I may need to gather remote desktop profile paths within Active Directory.

    On a Windows 2016 test server, I created a custom endpoint with Full Language mode enabled.

    @{
    
    # Version number of the schema used for this document
    SchemaVersion = '2.0.0.0'
    
    # ID used to uniquely identify this document
    GUID = 'bdd8a1fc-9f40-4e14-b1e3-5ddf1c43e2c9'
    
    # Author of this document
    Author = 'administrator'
    
    # Description of the functionality provided by these settings
    # Description = ''
    
    # Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
    SessionType = 'Default'
    
    LanguageMode = 'FullLanguage'
    
    # Directory to place session transcripts for this session configuration
    # TranscriptDirectory = 'C:\Transcripts\'
    
    # Whether to run this session configuration as the machine's (virtual) administrator account
    # RunAsVirtualAccount = $true
    
    # Scripts to run when applied to a session
    # ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'
    
    # User roles (security groups), and the role capabilities that should be applied to them when applied to a session
    # RoleDefinitions = @{ 'CONTOSO\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' }; 'CONTOSO\ServerMonitors' = @{ VisibleCmdlets = 'Get-Process' } } 
    
    }

    I then register the session file BCTEST.pssc and, for testing, give domain admin full access to the session using -ShowSecurityDescriptorUI.

    PS C:\Windows\system32> Get-PSSessionConfiguration
    
    
    Name          : BCTEST
    PSVersion     : 5.1
    StartupScript :
    RunAsUser     :
    Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, XXXX\administrator
                    AccessAllowed
    
    Name          : microsoft.powershell
    PSVersion     : 5.1
    StartupScript :
    RunAsUser     :
    Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                    Management Users AccessAllowed
    
    Name          : microsoft.powershell.workflow
    PSVersion     : 5.1
    StartupScript :
    RunAsUser     :
    Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
    
    Name          : microsoft.powershell32
    PSVersion     : 5.1
    StartupScript :
    RunAsUser     :
    Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                    Management Users AccessAllowed
    
    Name          : microsoft.windows.servermanagerworkflows
    PSVersion     : 3.0
    StartupScript :
    RunAsUser     :
    Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed

    I set this session on server w16-tpbc; however, when I create a remote session and see what language mode I am in, I am still in Constrained Language mode. Shouldn't I be in 'Full Language Mode' from within this session?

    PS C:\Windows\system32> Enter-PSSession -ComputerName w16-tpbc -ConfigurationName BCTEST
    [w16-tpbc]: PS C:\Users\administrator.TECHPRO\Documents> $ExecutionContext.SessionState.LanguageMode
    ConstrainedLanguage
    [w16-tpbc]: PS C:\Users\administrator.TECHPRO\Documents>
  • #98866

    Keymaster

    If I'm following you correctly, what you're encountering is by design. You're not meant to bypass GPO-assigned security settings. If you could, then any bad actor could, which would defeat the purpose.
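
For confirming that a custom endpoint does not weaken a machine-wide lockdown, the check below (an added example, not code from either poster) compares the LanguageMode requested in the registered .pssc with what a session on that endpoint actually reports, and lists two common policy sources. The function name Test-EndpointLanguageMode is hypothetical, and the script assumes the restriction comes from AppLocker script rules or the __PSLockdownPolicy variable, which the thread does not confirm.

```powershell
#Requires -RunAsAdministrator
# Added example: run locally, elevated, on the server that hosts the endpoint.
function Test-EndpointLanguageMode {
    [CmdletBinding()]
    param(
        # Endpoint name taken from the thread; change as needed.
        [string]$ConfigurationName = 'BCTEST'
    )

    # 1. What the registered .pssc file asks for.
    $config    = Get-PSSessionConfiguration -Name $ConfigurationName -ErrorAction Stop
    $requested = 'not set in file'
    if ($config.ConfigFilePath) {
        $pssc = Import-PowerShellDataFile -Path $config.ConfigFilePath
        if ($pssc.LanguageMode) { $requested = $pssc.LanguageMode }
    }

    # 2. What a session on that endpoint actually gets (loopback connection).
    #    Property access and string expansion only, so it also runs when constrained.
    $effective = [string](Invoke-Command -ComputerName localhost `
        -ConfigurationName $ConfigurationName -ScriptBlock {
            "$($ExecutionContext.SessionState.LanguageMode)"
        })

    # 3. Two common system-wide sources of ConstrainedLanguage (not exhaustive;
    #    assumption: the GPO on the page uses one of them).
    $sources = @()
    if ($env:__PSLockdownPolicy) {
        $sources += "__PSLockdownPolicy=$($env:__PSLockdownPolicy)"
    }
    try {
        [xml]$applocker = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $scriptRules = $applocker.AppLockerPolicy.RuleCollection |
            Where-Object { $_.Type -eq 'Script' }
        if ($scriptRules -and $scriptRules.EnforcementMode -eq 'Enabled') {
            $sources += 'AppLocker Script rules: Enabled'
        }
    } catch {
        Write-Verbose "AppLocker policy not readable: $_"
    }

    [pscustomobject]@{
        Endpoint        = $ConfigurationName
        RequestedMode   = $requested
        EffectiveMode   = $effective
        PolicyOverrides = ($requested -eq 'FullLanguage' -and $effective -ne 'FullLanguage')
        LockdownSources = $sources -join '; '
    }
}

Test-EndpointLanguageMode -ConfigurationName 'BCTEST'
```

On the server from the thread, RequestedMode would read FullLanguage and EffectiveMode ConstrainedLanguage, which is the by-design result the reply describes.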

The topic ‘Session Configuration’ is closed to new replies.