Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / PowerShell / PowerShell Remoting via WinRM for Non-Admin Users

April 25, 2017 PowerShell

PowerShell Remoting via WinRM for Non-Admin Users

By default, to connect to a remote computer using PowerShell (PowerShell Remoting) you need the administrator privileges. In this article we’ll show how to allow remote connection using PowerShell Remoting (WinRM) for common users (without the administrator privileges) with the help of a security group, a Group Policy and modification of PoSh session descriptor.

Contents:
  • Remote Access to WinRM and Remote Management Users Group
  • Security Descriptor of PowerShell Session
  • Remote Hyper-V Management Also Needs WinRM Privileges

When trying to create a PowerShell session with a remote computer as a non-privileged user account (Enter-PSSession lon-srv1) an access error occurs:

Enter-PSSession : Connecting to remote server lon-srv1 failed with the following error message : Access is denied.

Enter-PSSession : Connecting to remote server lon-srv1 failed with the following error message : Access is denied

 

Remote Access to WinRM and Remote Management Users Group

Check the standard permissions of the PoSh session:

(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission

As you can see, the access is allowed for the following built-in groups:

  1. BUILTIN\Administrators — AccessAllowed,
  2. BUILTIN\Remote Management Users — AccessAllowed

So, to let a user to connect to a remote machine through WinRM, it’s enough to be a member of the built-in local group of administrators or Remote Management Users security group (this group is created by default starting from PowerShell 4.0). This group also has access to WMI resources via management protocols (e.g., WS-Management)

A user can be added to the group using Computer Management snap-in:

Remote Management Users built-in Group

or using the command:

net localgroup "Remote Management Users" /add jsmith

If  you need to provide such permissions on multiple computers, you can use Group Policy. To do this, assign the GPO to the computers you need, and add the new Remote Management Users group to the Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups policy. Add to the policy users or groups that need to be granted access to WinRM.

restricted groups gpo

After a user becomes a member of Remote Management Users group, he can create a remote PowerShell session using Enter-PSSession or run commands using Invoke-Command. User privileges in this session will be limited to user rights on this machine.

Make sure if the remote connection is established.

enter-pssession

Security Descriptor of PowerShell Session

Another way to quickly give a user permission to use PowerShell Remoting without including him to the local security group Remote Management Users is to modify the security descriptor of the current Microsoft.PowerShell session on the local computer. This method will allow to quickly grant temporary (till the next restart) remote connection rights to a user via PowerShell.

The following command displays the list of current permissions:

Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

In this dialog window, add a user or group and grant them Execute (Invoke) permissions.

Set-PSSessionConfiguration-Name Microsoft.PowerShell-showSecurityDescriptorUI

After you save the changes, the system will prompt for confirmation and restart of WinRM service.

If you have to automatically modify the security descriptor (without GUI), you will need to make changes manually first and then to get the current access descriptor in SDDL format.

(Get-PSSessionConfiguration -Name "Microsoft.PowerShell").SecurityDescriptorSDDL

In our case, the command returned the following descriptor:

O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;S-1-5-21-2323243421-3342677354-2633435451-55422122)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)

Get-PSSessionConfiguration

Then you can use this SDDL string to grant access to PowerShell on any other server or workstation.

$SDDL = “O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;S-1-5-21-2323243421-3342677354-2633435451-55422122)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)”
Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $SDDL

Remote Hyper-V Management Also Needs WinRM Privileges

In Windows 10 /Windows Server 2016 to connect to a Hyper-V server remotely using Hyper-V Manager, PowerShell Remoting began to be used. Thus, by default remote users without the administrator privileges won’t be able to manage Hyper-V server, even if they have the corresponding permissions in Hyper-V.

When trying to connect to the Hyper-V server as a common user from a computer running Windows 10, the following error appears:

An error occurred while attempting to connect to server “server1”, Check that the Virtual Machine Management service is running and that you are authorized to connect to the server

Hyper-V An error occurred while attempting to connect to server “server1”, Check that the Virtual Machine Management service is running and that you are authorized to connect to the server

To allow a remote connection to the console, it’s enough to add a Hyper-V user to the local group Remote Management Users in the same way.

1 comment
0
Facebook Twitter Google + Pinterest
previous post
Exchange Error “452 4.3.1 Insufficient system resources”
next post
Using WMI Filter to Apply Group Policy to IP Subnet

Related Reading

How to Sign a PowerShell Script (PS1) with...

February 25, 2021

Configuring PowerShell Script Execution Policy

February 18, 2021

Updating Group Policy Settings on Windows Domain Computers

February 16, 2021

How to Find Inactive Computers and Users in...

January 29, 2021

Checking User Logon History in Active Directory Domain...

January 22, 2021

1 comment

TrixM September 4, 2019 - 8:29 am

The advice to copy the new SDDL and simply apply it to other computers is a bad idea. What you want to do is capture the part of the SDDL that corresponds to the new user/group and then APPEND it to the existing SDDL on other computers

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • Accessing USB Flash Drive from VMWare ESXi

    February 26, 2021
  • How to Sign a PowerShell Script (PS1) with a Code Signing Certificate?

    February 25, 2021
  • Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

    February 24, 2021
  • How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

    February 22, 2021
  • Configuring PowerShell Script Execution Policy

    February 18, 2021
  • Configuring Proxy Settings on Windows Using Group Policy Preferences

    February 17, 2021
  • Updating Group Policy Settings on Windows Domain Computers

    February 16, 2021
  • Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

    February 11, 2021
  • Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

    February 10, 2021
  • Fixing “Winload.efi is Missing or Contains Errors” in Windows 10

    February 5, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Invoke-WebRequest: Parsing HTML Webpages with Powershell
  • Changing TimeZone in Windows via Command Line and PowerShell
  • How to Export (Backup) and Restore Device Drivers in Windows 10 and 8.1
  • How To Monitor AD Group Changes Using PowerShell
  • How to Check Who Reset the Password of a User in Active Directory
  • Hyper-V PowerShell Direct in Windows Server 2016
  • How to Get My Public IP Address Using PowerShell
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top