Session (endpoint) Configuration

      My goal is to create an endpoint to allow non-administrative users to invoke a remote session to a server but only allow them to execute specific cmdlets.

      As a test, on my laptop, I created the ‘LockDown’ Session and only allowed the cmdlet ‘Get-Date’ to execute and gave the local account ‘BC’ Execute and Read Rights for the session.

      Name : LockDown
      PSVersion : 5.1
      RunAsUser :
      Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
      Management Users AccessAllowed, W10-BCLPT\BC AccessAllowed
      VisibleCmdlets : Get-Date

      As a local administrator, I test the session and it works.

      PS C:\Windows\system32> $s = New-PSSession -ComputerName localhost -ConfigurationName LockDown
      PS C:\Windows\system32> Invoke-Command -Session $s -ScriptBlock {get-date}
      Saturday, April 25, 2020 7:20:25 AM

      When I try as the user ‘BC’, the command fails.

      PS C:\Users\BC> $s = New-PSSession -ComputerName localhost -ConfigurationName LockDown
      New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message : The WSMan
      service could not launch a host process to process the given request. Make sure the WSMan provider host server and
      proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.
      At line:1 char:6
      + $s = New-PSSession -ComputerName localhost -ConfigurationName LockDow ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
      gTransportException
      + FullyQualifiedErrorId : -2146959355,PSSessionOpenFailed

      I have changed the rights for BC from Read and Execute to ‘Full’ and get the same error. I have also recreated the local ‘BC’ account and still receive the same issue. I’ve checked about_Remote_Troubleshooting and set my Trusted Hosts Value to ‘*’ (for troubleshooting purposes) and I still can’t get a non-admin to invoke a command.
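
A scripted way to build the kind of endpoint the post describes, added here as an example and not taken from the poster's own commands. The `.pssc` path, the `RestrictedRemoteServer` session type and the SDDL-based grant are assumptions; the endpoint name, account and `Get-Date` restriction come from the post. It reproduces the setup only and does not address the error reported above.

```powershell
# Added example; run from an elevated Windows PowerShell 5.1 prompt.
$psscPath = Join-Path $env:ProgramData 'LockDown.pssc'   # hypothetical location
$account  = 'W10-BCLPT\BC'                               # account named in the post

# Session definition. RestrictedRemoteServer (an assumption, the post does not
# name a session type) starts in NoLanguage mode with a small default command
# set; Get-Date is the only cmdlet made visible on top of it.
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -VisibleCmdlets 'Get-Date'

# Stop before registration if the file does not parse as a valid configuration.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}

# Registering an endpoint restarts the WinRM service.
Register-PSSessionConfiguration -Name LockDown -Path $psscPath -Force | Out-Null

# Append an allow ACE for the account to the endpoint's existing security
# descriptor instead of replacing the default entries.
$sid  = ([System.Security.Principal.NTAccount]$account).Translate(
            [System.Security.Principal.SecurityIdentifier])
$sddl = (Get-PSSessionConfiguration -Name LockDown).SecurityDescriptorSddl
$sd   = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $sddl)
$readExecute = -1610612736   # 0xA0000000 as Int32: GENERIC_READ | GENERIC_EXECUTE
$sd.DiscretionaryAcl.AddAccess(
    [System.Security.AccessControl.AccessControlType]::Allow,
    $sid, $readExecute,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None)
Set-PSSessionConfiguration -Name LockDown `
    -SecurityDescriptorSddl $sd.GetSddlForm('All') -Force

# Review the result; these are the fields listed in the post.
Get-PSSessionConfiguration -Name LockDown |
    Format-List Name, PSVersion, RunAsUser, Permission, VisibleCmdlets
```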

       

       
