
May 6, 2021 | PowerShell, Windows Server 2016, Windows Server 2019

Using PowerShell Just Enough Administration (JEA) to Delegate Privileges to Non-Admin Users

The Just Enough Administration (JEA) feature is available starting from PowerShell version 5.0 and allows you to delegate administrative privileges to anything you can manage with PowerShell. The main purpose of PowerShell JEA is to limit privileges. JEA allows you to grant non-admin users permissions to perform specific administrative tasks without giving them server or service administrator rights (AD, Exchange, SharePoint, etc.). Using JEA, you can set which users can run specific cmdlets, functions or PowerShell scripts with admin privileges and log all actions (similar to PowerShell command history).

How to implement PowerShell Just Enough Administration?

An administrator creates a PowerShell session configuration file on the server that lists the commands a user may run. Based on this file, a JEA endpoint is created; users connect to it and can execute only the commands or programs made available to them.

Here we will show an example of how to grant non-admin users permission to reboot a domain controller and to restart the DNS and AD DS services on it.

In this case, you do not have to grant users RDP access to the domain controller, delegate administrative privileges to them in AD, or assign them rights on Windows services or on server restart as described in the linked guides. All necessary restrictions are defined in the Just Enough Administration configuration.

First of all, create a configuration file of a PowerShell session (*.pssc). To do it, run this command on your domain controller:

New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'

Open the PSSC file using the Notepad.


The PSSC file sets who may connect to this JEA endpoint and under what account the commands in the JEA session will run.

Modify the following values:

  • SessionType from Default to RestrictedRemoteServer. In this mode only the following PowerShell cmdlets are available by default: Clear-Host, Exit-PSSession, Get-Command, Get-FormatData, Get-Help, Measure-Object, Out-Default and Select-Object
  • Specify a folder (create it first) in the TranscriptDirectory parameter. All JEA user actions will be logged here: TranscriptDirectory = 'C:\PS\JEA_logs'
  • The RunAsVirtualAccount option runs the commands under a temporary virtual administrator account (a member of the local Administrators group, or of Domain Admins on a domain controller): RunAsVirtualAccount = $true
  • If the session needs to access network resources, you can use a group managed service account (gMSA) instead: GroupManagedServiceAccount = 'woshub\gMSAJEAUser'

In the RoleDefinitions directive, specify the AD security group allowed to connect to the PowerShell session and the name of the JEA role (it must match the PSRC file name we are going to create later).

For example:

RoleDefinitions = @{ 'woshub.com\HelpDesk' = @{ RoleCapabilities = 'HelpDesk_admins' } }


Save the session configuration file.

Prior to moving ahead, make sure that there are no errors in the configuration file:

Test-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'

The cmdlet returns True if the file is valid.

Create a new directory to keep the JEA configuration file, for example:

New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities' -ItemType Directory

PSRC files must always be located in the RoleCapabilities subfolder of the corresponding module.

Then create a configuration PSRC file with the role description (use the file name from the PSSC configuration above).

New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\HelpDesk_admins.psrc'

The PSRC file specifies what is allowed in the JEA session. In the VisibleCmdlets directive, you list the cmdlets (and, optionally, the parameters and parameter values) that members of the role may use.

In the VisibleExternalCommands option, you can specify external commands and EXE files allowed to run.

For example, the following configuration allows HelpDesk users to restart the domain controller using the shutdown command or the Restart-Computer cmdlet, as well as restart DNSServer and Active Directory Domain Services using the Restart-Service cmdlet.

VisibleCmdlets = 'Restart-Computer', @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'NTDS' }}
VisibleExternalCommands = 'c:\windows\system32\shutdown.exe'

Save your PSRC file.


Then register a new PSSession configuration for your PSSC file:

Register-PSSessionConfiguration -Name testHelpDesk -Path 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'

and restart WinRM:

Restart-Service WinRM


You can list the available JEA endpoints:

Get-PSSessionConfiguration | ft Name
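The whole procedure above can be scripted so that the PSSC and PSRC files are generated with the same values and the endpoint is verified before anyone uses it. This is an added example, not code from the original article; it assumes the domain woshub.com, the security group woshub.com\HelpDesk, the endpoint name testHelpDesk, and a placeholder test account woshub\jdoe for the final capability check.

```powershell
# Added example: build, validate and register the JEA endpoint described in the article,
# then list exactly what a HelpDesk member will be able to run through it.
# Assumptions: domain woshub.com, group woshub.com\HelpDesk, endpoint testHelpDesk,
# and a placeholder account woshub\jdoe used only for the capability check.
#Requires -RunAsAdministrator

$modulePath = 'C:\Program Files\WindowsPowerShell\Modules\JEA'
$psrcDir    = Join-Path $modulePath 'RoleCapabilities'   # PSRC files must live here
$psscPath   = 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'
$logDir     = 'C:\PS\JEA_logs'                           # transcript directory

New-Item -Path $psrcDir, $logDir -ItemType Directory -Force | Out-Null

# Role capability: only the two cmdlets and the one executable the article allows.
# Restart-Service is additionally restricted to the DNS and NTDS services.
$visibleCmdlets = @(
    'Restart-Computer'
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'NTDS' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $psrcDir 'HelpDesk_admins.psrc') `
    -VisibleCmdlets $visibleCmdlets `
    -VisibleExternalCommands 'C:\Windows\System32\shutdown.exe'

# Session configuration: restricted session, virtual admin account, transcripts on,
# and the HelpDesk group mapped to the role capability file created above.
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $logDir `
    -RoleDefinitions @{ 'woshub.com\HelpDesk' = @{ RoleCapabilities = 'HelpDesk_admins' } }

# Fail early if the PSSC is malformed instead of registering a broken endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath did not validate"
}

Register-PSSessionConfiguration -Name testHelpDesk -Path $psscPath -Force | Out-Null
Restart-Service WinRM

# Defender's check: see what a member of the HelpDesk group gets on this endpoint
# without logging in as that user. Anything unexpected here is a misconfigured role.
Get-PSSessionCapability -ConfigurationName testHelpDesk -Username 'woshub\jdoe' |
    Select-Object Name, CommandType, ModuleName |
    Format-Table -AutoSize
```

Run Get-PSSessionCapability again after every change to the PSRC file, since the effective command set is the union of all roles the user is a member of.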

Let’s see how our new Just-Enough-Administration (JEA) configuration works. You can connect to the created JEA endpoint under a user account from the security group specified in the configuration file. Connect to the domain controller using PowerShell Remoting (you must specify the JEA endpoint name):

Enter-PSSession -ComputerName dc01 -ConfigurationName testHelpDesk

View the list of available cmdlets in your PowerShell session:

Get-Command

As you can see, only a small number of commands are available, including Restart-Service and Restart-Computer. A user can do only what he has been explicitly allowed to do.

Try to restart the DNS service:

Restart-Service dns

The service has been restarted successfully (the command runs under the privileged virtual account with domain admin permissions, not under the user's own account).

If you try to restart any other service that is not described in the JEA configuration file, the following error message appears:

Cannot validate argument on parameter 'Name'. The argument "spooler" does not belong to the set "DNS,NTDS" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.
    + CategoryInfo          : InvalidData: (:) [Restart-Service], ParameterBindingValidationException

The history of all user actions in the JEA PowerShell session is logged to transcript files in C:\PS\JEA_logs (the TranscriptDirectory specified in the PSSC file).
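Those transcripts are the audit trail of the endpoint, so it is worth summarising them regularly. The following is an added example, not part of the original article: a function that parses the transcripts in TranscriptDirectory and reports who connected, to which endpoint, and which cmdlets actually ran. It assumes the Windows PowerShell 5.1 transcript layout (Username, RunAs User and Configuration Name header lines, and one CommandInvocation line per executed command); the sample transcript embedded below is constructed for the demonstration.

```powershell
# Added example: summarise JEA transcripts (who, which endpoint, which cmdlets).
# Assumes the Windows PowerShell 5.1 transcript header/CommandInvocation layout.
function Get-JeaTranscriptSummary {
    param([Parameter(Mandatory)][string]$LogDir)

    foreach ($file in Get-ChildItem -Path $LogDir -Filter '*.txt' -File) {
        $text  = Get-Content -Path $file.FullName -Raw
        $user  = [regex]::Match($text, '(?m)^Username:\s*(.+)$').Groups[1].Value.Trim()
        $cfg   = [regex]::Match($text, '(?m)^Configuration Name:\s*(.+)$').Groups[1].Value.Trim()
        $start = [regex]::Match($text, '(?m)^Start time:\s*(\d{14})').Groups[1].Value
        # Each executed command is recorded as: PS>CommandInvocation(<Cmdlet>): "<text>"
        $cmds  = [regex]::Matches($text, '(?m)^PS>CommandInvocation\(([^)]+)\):') |
                     ForEach-Object { $_.Groups[1].Value }
        [pscustomobject]@{
            File          = $file.Name
            Started       = [datetime]::ParseExact($start, 'yyyyMMddHHmmss', $null)
            User          = $user
            Endpoint      = $cfg
            Commands      = ($cmds -join ', ')
            # Commands outside the allow-list never reach CommandInvocation, so this flag
            # marks sessions that really rebooted the DC for later correlation.
            RestartedHost = [bool]($cmds -contains 'Restart-Computer')
        }
    }
}

# Constructed sample transcript for the article's endpoint (not real log data).
$sampleDir = Join-Path $env:TEMP 'JEA_logs_sample'
New-Item -Path $sampleDir -ItemType Directory -Force | Out-Null
@'
**********************
Windows PowerShell transcript start
Start time: 20210506101500
Username: WOSHUB\jdoe
RunAs User: WinRM Virtual Users\WinRM VA_1_woshub_jdoe
Configuration Name: testHelpDesk
Machine: DC01 (Microsoft Windows NT 10.0.14393.0)
**********************
PS>CommandInvocation(Restart-Service): "Restart-Service"
>> ParameterBinding(Restart-Service): name="Name"; value="dns"
PS>CommandInvocation(Get-Command): "Get-Command"
**********************
Windows PowerShell transcript end
End time: 20210506101640
**********************
'@ | Set-Content -Path (Join-Path $sampleDir 'PowerShell_transcript.DC01.sample.txt')

Get-JeaTranscriptSummary -LogDir $sampleDir | Format-List
```

Point -LogDir at C:\PS\JEA_logs on the domain controller to run it against the real transcripts.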

So, JEA allows you to grant users granular access to run specific PowerShell cmdlets, scripts or programs with administrator privileges, while every action is recorded in the session transcripts.

2 comments

JohnDone April 13, 2022 - 6:36 pm

Instead of Restart-Computer dns, it should be Restart-Service dns

Reply
admin April 15, 2022 - 11:36 am

🙂 thks

Reply
