Session (endpoint) Configuration

[Brian Clanton Participant Topics: 68 Replies: 72 Points: 544Rank: Major Contributor]

My Goal is to create an endpoint to allow non-administrative users to invoke a remote session to a server but only allow them specific cmdlets to execute.

As a test, on my laptop, I created the ‘LockDown’ Session and only allowed the cmdlet ‘Get-Date’ to execute and gave the local account ‘BC’ Execute and Read Rights for the session.

PowerShell

Name : LockDown PSVersion : 5.1 RunAsUser : Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed, W10-BCLPT\BC AccessAllowed VisibleCmdlets : Get-Date

1 2 3 4 5 6

Name : LockDown PSVersion : 5.1 RunAsUser : Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed, W10-BCLPT\BC AccessAllowed VisibleCmdlets : Get-Date

As local administration, I test the session and it works.

PowerShell

PS C:\Windows\system32> $s = New-PSSession -ComputerName localhost -ConfigurationName LockDown PS C:\Windows\system32> Invoke-Command -Session $s -ScriptBlock {get-date} Saturday, April 25, 2020 7:20:25 AM

1 2	PS C:\Windows\system32> $s = New-PSSession -ComputerName localhost -ConfigurationName LockDown PS C:\Windows\system32> Invoke-Command -Session $s -ScriptBlock {get-date} Saturday, April 25, 2020 7:20:25 AM

When I try as the user ‘BC’, the command fails.

PowerShell

PS C:\Users\BC> $s = New-PSSession -ComputerName localhost -ConfigurationName LockDown New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message : The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic. At line:1 char:6 + $s = New-PSSession -ComputerName localhost -ConfigurationName LockDow ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin gTransportException + FullyQualifiedErrorId : -2146959355,PSSessionOpenFailed

1 2 3 4 5 6 7 8 9 10

PS C:\Users\BC> $s = New-PSSession -ComputerName localhost -ConfigurationName LockDown New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message : The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic. At line:1 char:6 + $s = New-PSSession -ComputerName localhost -ConfigurationName LockDow ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin gTransportException + FullyQualifiedErrorId : -2146959355,PSSessionOpenFailed

I have changed the rights for BC from Read and Execute to ‘Full’ and get the same error.  I have also recreated the local ‘BC’ account and still receive the same issue.   I’ve checked about_Remote_Troubleshooting and set my Trusted Hosts Value to ‘*’ (for troubleshooting purposes) and I still can’t get a non-admin to invoke a command.

 

 

[Doug Maurer Participant Topics: 9 Replies: 707 Points: 2,847Rank: Community Hero]

Brian, see if this article helps you.

https://helpcenter.gsx.com/hc/en-us/articles/202447926-How-to-Configure-Windows-Remote-PowerShell-Access-for-Non-Privileged-User-Accounts

[Author]

Posts