Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / PowerShell / PowerShell Remoting via WinRM for Non-Admin Users

April 25, 2017 PowerShell

PowerShell Remoting via WinRM for Non-Admin Users

By default, to connect to a remote computer using PowerShell (PowerShell Remoting) you need the administrator privileges. In this article we’ll show how to allow remote connection using PowerShell Remoting (WinRM) for common users (without the administrator privileges) with the help of a security group, a Group Policy and modification of PoSh session descriptor.

Contents:
  • Remote Access to WinRM and Remote Management Users Group
  • Security Descriptor of PowerShell Session
  • Remote Hyper-V Management Also Needs WinRM Privileges

When trying to create a PowerShell session with a remote computer as a non-privileged user account (Enter-PSSession lon-srv1) an access error occurs:

Enter-PSSession : Connecting to remote server lon-srv1 failed with the following error message : Access is denied.

Enter-PSSession : Connecting to remote server lon-srv1 failed with the following error message : Access is denied

 

Remote Access to WinRM and Remote Management Users Group

Check the standard permissions of the PoSh session:

(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission

As you can see, the access is allowed for the following built-in groups:

  1. BUILTIN\Administrators — AccessAllowed,
  2. BUILTIN\Remote Management Users — AccessAllowed

So, to let a user to connect to a remote machine through WinRM, it’s enough to be a member of the built-in local group of administrators or Remote Management Users security group (this group is created by default starting from PowerShell 4.0). This group also has access to WMI resources via management protocols (e.g., WS-Management)

A user can be added to the group using Computer Management snap-in:

Remote Management Users built-in Group

or using the command:

net localgroup "Remote Management Users" /add jsmith

If  you need to provide such permissions on multiple computers, you can use Group Policy. To do this, assign the GPO to the computers you need, and add the new Remote Management Users group to the Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups policy. Add to the policy users or groups that need to be granted access to WinRM.

restricted groups gpo

After a user becomes a member of the Remote Management Users group, he can create a remote PowerShell session using Enter-PSSession or run commands using the Invoke-Command cmdlet. User privileges in this session will be limited to user rights on this machine.

Make sure if the remote connection is established.

enter-pssession

Security Descriptor of PowerShell Session

Another way to quickly give a user permission to use PowerShell Remoting without including him to the local security group Remote Management Users is to modify the security descriptor of the current Microsoft.PowerShell session on the local computer. This method will allow to quickly grant temporary (till the next restart) remote connection rights to a user via PowerShell.

The following command displays the list of current permissions:

Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

In this dialog window, add a user or group and grant them Execute (Invoke) permissions.

Set-PSSessionConfiguration-Name Microsoft.PowerShell-showSecurityDescriptorUI

After you save the changes, the system will prompt for confirmation and restart of WinRM service.

If you have to automatically modify the security descriptor (without GUI), you will need to make changes manually first and then to get the current access descriptor in SDDL format.

(Get-PSSessionConfiguration -Name "Microsoft.PowerShell").SecurityDescriptorSDDL

In our case, the command returned the following descriptor:

O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;S-1-5-21-2323243421-3342677354-2633435451-55422122)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)

Get-PSSessionConfiguration

Then you can use this SDDL string to grant access to PowerShell on any other server or workstation.

$SDDL = “O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;S-1-5-21-2323243421-3342677354-2633435451-55422122)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)”
Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $SDDL

Remote Hyper-V Management Also Needs WinRM Privileges

In Windows 10 /Windows Server 2016 to connect to a Hyper-V server remotely using Hyper-V Manager, PowerShell Remoting began to be used. Thus, by default remote users without the administrator privileges won’t be able to manage Hyper-V server, even if they have the corresponding permissions in Hyper-V.

When trying to connect to the Hyper-V server as a common user from a computer running Windows 10, the following error appears:

An error occurred while attempting to connect to server “server1”, Check that the Virtual Machine Management service is running and that you are authorized to connect to the server

Hyper-V An error occurred while attempting to connect to server “server1”, Check that the Virtual Machine Management service is running and that you are authorized to connect to the server

To allow a remote connection to the console, it’s enough to add a Hyper-V user to the local group Remote Management Users in the same way.

1 comment
0
Facebook Twitter Google + Pinterest
previous post
Exchange Error “452 4.3.1 Insufficient system resources”
next post
Using WMI Filter to Apply Group Policy to IP Subnet

Related Reading

Using PowerShell Behind a Proxy Server

July 1, 2022

Checking Windows Activation Status on Active Directory Computers

June 27, 2022

Configuring Multiple VLAN Interfaces on Windows

June 24, 2022

How to Disable or Enable USB Drives in...

June 24, 2022

FAQ: Licensing Microsoft Exchange Server 2019/2016

June 14, 2022

1 comment

TrixM September 4, 2019 - 8:29 am

The advice to copy the new SDDL and simply apply it to other computers is a bad idea. What you want to do is capture the part of the SDDL that corresponds to the new user/group and then APPEND it to the existing SDDL on other computers

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows 7
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • PowerShell
  • VMWare
  • Hyper-V
  • MS Office

Recent Posts

  • Using PowerShell Behind a Proxy Server

    July 1, 2022
  • How to Access VMFS Datastore from Linux, Windows, or ESXi?

    July 1, 2022
  • How to Deploy Windows 10 (11) with PXE Network Boot?

    June 27, 2022
  • Checking Windows Activation Status on Active Directory Computers

    June 27, 2022
  • Configuring Multiple VLAN Interfaces on Windows

    June 24, 2022
  • How to Disable or Enable USB Drives in Windows using Group Policy?

    June 24, 2022
  • Adding Domain Users to the Local Administrators Group in Windows

    June 23, 2022
  • Viewing a Remote User’s Desktop Session with Shadow Mode in Windows

    June 23, 2022
  • How to Create a Wi-Fi Hotspot on your Windows PC?

    June 23, 2022
  • Configuring SSH Public Key Authentication on Windows

    June 15, 2022

Follow us

woshub.com

ad

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Invoke-WebRequest: Parsing HTML Webpages with Powershell
  • How to Get My Public IP Address Using PowerShell
  • How to Check Who Reset the Password of a User in Active Directory
  • How to See Number of Active User Sessions on IIS site?
  • How To Monitor AD Group Changes Using PowerShell
  • Run MySQL Queries from PowerShell
  • Troubleshooting Active Directory Replication Using PowerShell
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top