Windows OS Hub

May 6, 2021 | PowerShell, Windows Server 2016, Windows Server 2019

Using PowerShell Just Enough Administration (JEA) to Delegate Privileges to Non-Admin Users

The Just Enough Administration (JEA) feature is available starting from PowerShell 5.0 and lets you delegate administrative privileges for anything that can be managed with PowerShell. Its main purpose is to limit privileges: a non-admin user is allowed to perform specific administrative tasks without being made a server or service administrator (AD, Exchange, SharePoint, etc.). With JEA you define which users may run which cmdlets, functions, scripts or external programs with elevated rights, and every action in the session is recorded in a PowerShell transcript (comparable to PowerShell command history, but written on the server rather than on the client).

How to implement PowerShell Just Enough Administration?

An administrator creates a PowerShell session configuration file on the server that lists the commands a user is allowed to run. A JEA endpoint is then registered from that file; the user connects to the endpoint over PowerShell Remoting and can execute only the commands or programs exposed to them there.

Here we will show an example of granting non-admin users permission to reboot a domain controller and to restart the DNS and AD DS services on it.

With JEA you do not have to grant those users RDP access to the domain controller, delegate them administrative privileges in AD, assign them rights on individual Windows services, or grant them the shut-down privilege on the server. All necessary restrictions are set in the Just Enough Administration configuration.

First of all, create a configuration file of a PowerShell session (*.pssc). To do it, run this command on your domain controller:

New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'

Open the PSSC file in Notepad.


The PSSC file sets who may connect to this JEA endpoint and under what account the commands in the JEA session will run.

Modify the following values:

  • SessionType from Default to RestrictedRemoteServer. This mode hides everything except the minimal set of cmdlets a remote session needs (Clear-Host, Exit-PSSession, Get-Command, Get-FormatData, Get-Help, Measure-Object, Out-Default and Select-Object); everything else must be exposed explicitly through a role capability.
  • Specify a folder (create it beforehand) in the TranscriptDirectory parameter. All JEA user actions will be logged here: TranscriptDirectory = 'C:\PS\JEA_logs'
  • The RunAsVirtualAccount option runs the commands under a temporary virtual account that is a member of the local Administrators group (or of Domain Admins when the server is a domain controller, as in this example): RunAsVirtualAccount = $true
The virtual account exists only for the lifetime of the session and is local to the server (on the network it appears as the computer account), so if the delegated commands must reach network resources under a dedicated identity, use a group managed service account (gMSA) instead: GroupManagedServiceAccount = 'woshub\gMSAJEAUser'. The two options are mutually exclusive. Unlike a virtual account, a gMSA is a shared identity used by every session on the endpoint, so the transcript (which records the connecting user) is the only link back to the person who ran a command.

In the RoleDefinitions directive, specify the AD security group allowed to connect to the PowerShell session and the name of the JEA role (it must match the PSRC file name we are going to create later).

For example:

RoleDefinitions = @{'woshub.com\HelpDesk' = @{ RoleCapabilities = 'HelpDesk_admins' }}


Save the session configuration file.

Prior to moving ahead, make sure that there are no errors in the configuration file:

Test-PSSessionConfigurationFile -Path  'C:\Program Files\WindowsPowerShell\dc_manage.pssc'


Create a new directory to keep the JEA configuration file, for example:

New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities' -ItemType Directory

PSRC files must always be located in the RoleCapabilities subfolder of a module, and that module folder must sit in one of the paths listed in $env:PSModulePath (C:\Program Files\WindowsPowerShell\Modules is one of them by default). JEA searches those modules for a role capability file whose name matches the RoleCapabilities entry in the PSSC file.

Then create a configuration PSRC file with the role description (use the file name from the PSSC configuration above).

New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\HelpDesk_admins.psrc'

The PSRC file specifies what is allowed to do in the current JEA session. In the VisibleCmdlets directive, you may specify the cmdlets (and their valid parameters) allowed to be used for a given user group.

In the VisibleExternalCommands option, you can specify external commands and EXE files allowed to run. Keep in mind that JEA can restrict the parameters of a cmdlet but not the arguments passed to an external executable: once shutdown.exe is visible, every switch it supports is available, including /m \\computer to target another host. Where a cmdlet with restricted parameters covers the task, prefer it over the executable.

For example, the following configuration allows HelpDesk users to restart the domain controller using the shutdown command or the Restart-Computer cmdlet, and to restart the DNS Server (DNS) and Active Directory Domain Services (NTDS) services using the Restart-Service cmdlet, whose Name parameter is limited to those two values:

VisibleCmdlets = 'Restart-Computer', @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'NTDS' }}
VisibleExternalCommands = 'c:\windows\system32\shutdown.exe'

Save your PSRC file.


Then register a new PSSession configuration for your PSSC file:

Register-PSSessionConfiguration -Name testHelpDesk -Path 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'

and restart WinRM:

Restart-Service WinRM


You can list the available JEA endpoints:

Get-PSSessionConfiguration | Format-Table Name

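
The whole procedure above (role capability, session configuration, validation, registration) collected into one script that you run elevated on the domain controller. This is an added example, not code from the original post: the paths, endpoint name, log folder and HelpDesk group are the ones used in the article, while the module manifest, the narrowed Restart-Computer parameter list, the re-registration handling and the final Get-PSSessionCapability check are this example's additions. The NetBIOS domain name woshub and the test user woshub\helpdesk.user are assumptions.

```powershell
# Added example: build, validate and register the JEA endpoint from the article
# in one run, building the PSSC from cmdlet parameters instead of editing it in
# Notepad. Run in an elevated PowerShell 5.1 session on the domain controller.
$ErrorActionPreference = 'Stop'

$ModuleRoot   = 'C:\Program Files\WindowsPowerShell\Modules\JEA'
$RoleDir      = Join-Path $ModuleRoot 'RoleCapabilities'
$PsscPath     = 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'
$PsrcPath     = Join-Path $RoleDir 'HelpDesk_admins.psrc'
$LogDir       = 'C:\PS\JEA_logs'
$EndpointName = 'testHelpDesk'
$HelpDeskGrp  = 'woshub\HelpDesk'            # assumed NetBIOS domain name
$TestUser     = 'woshub\helpdesk.user'       # assumed member of the HelpDesk group

# 1. Folders. -Force makes New-Item a no-op when the directory already exists.
New-Item -Path $RoleDir -ItemType Directory -Force | Out-Null
New-Item -Path $LogDir  -ItemType Directory -Force | Out-Null

# The module folder needs a manifest so PowerShell treats it as a module and
# JEA can locate the RoleCapabilities subfolder (addition to the article).
$Manifest = Join-Path $ModuleRoot 'JEA.psd1'
if (-not (Test-Path $Manifest)) {
    New-ModuleManifest -Path $Manifest -Description 'JEA role capabilities'
}

# 2. Role capability: what a HelpDesk user may run inside the session.
#    Restart-Computer is limited to its -Force switch so -ComputerName cannot be
#    used to reboot other hosts; Restart-Service is pinned to DNS and NTDS.
New-PSRoleCapabilityFile -Path $PsrcPath -VisibleCmdlets @(
    @{ Name = 'Restart-Computer'; Parameters = @{ Name = 'Force' } },
    @{ Name = 'Restart-Service';  Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'NTDS' } }
)

# 3. Session configuration: who may connect, as whom the commands run, and
#    where transcripts are written. The role name must equal the PSRC file name.
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $LogDir `
    -RoleDefinitions @{ $HelpDeskGrp = @{ RoleCapabilities = 'HelpDesk_admins' } }

# 4. Never register a file that does not parse; the endpoint would be unusable.
if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) {
    throw "Session configuration file $PsscPath is invalid"
}

# 5. Register the endpoint (replacing a previous registration of the same name)
#    and restart WinRM so the new endpoint is served.
if (Get-PSSessionConfiguration -Name $EndpointName -ErrorAction SilentlyContinue) {
    Unregister-PSSessionConfiguration -Name $EndpointName -Force
}
Register-PSSessionConfiguration -Name $EndpointName -Path $PsscPath -Force | Out-Null
Restart-Service WinRM

# 6. Verify from the server side what a HelpDesk user will actually get,
#    without logging in as that user: every visible command and its parameters.
Get-PSSessionCapability -ConfigurationName $EndpointName -Username $TestUser |
    Select-Object Name, CommandType,
        @{ Name = 'Parameters'; Expression = { $_.Parameters.Keys -join ', ' } } |
    Format-Table -AutoSize
```

The Get-PSSessionCapability step is the check worth keeping in a change procedure: it resolves the user's group membership against RoleDefinitions and prints exactly the command surface that user will see, so an over-broad role (a cmdlet listed without a Parameters restriction, for instance) shows up before anyone connects.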

Let’s see how our new Just-Enough-Administration (JEA) configuration works. You can connect to the created JEA endpoint under a user account from the security group specified in the configuration file. Connect to the domain controller using PowerShell Remoting (you must specify the JEA endpoint name):

Enter-PSSession -ComputerName dc01 -ConfigurationName testHelpDesk

View the list of available cmdlets in your PowerShell session:

Get-Command

As you can see, only a small number of commands is available, among them Restart-Service and Restart-Computer. The user can do nothing beyond what the role capability exposes.

Try to restart the DNS service:

Restart-Service dns

The service has been restarted successfully: inside the session the command runs under the virtual account, which on a domain controller is a member of Domain Admins, although the connecting user is not.

If you try to restart any other service that is not described in the JEA configuration file, the following error message appears:

Cannot validate argument on parameter 'Name'. The argument "spooler" does not belong to the set "DNS,NTDS" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.
    + CategoryInfo          : InvalidData: (:) [Restart-Service], ParameterBindingValidationException

This error comes from the ValidateSet on the Name parameter. A cmdlet that is not listed in VisibleCmdlets at all is simply absent from the session, and calling it fails with "The term '...' is not recognized as the name of a cmdlet, function, script file, or operable program" instead.


The history of all user actions in the JEA PowerShell session is logged to the files in C:\PS\JEA_logs.

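
The transcripts are the audit trail of the endpoint, so it is worth being able to summarise them without opening each file. The following is an added example, not part of the original post: a small parser that pulls the connecting user, the RunAs identity, the endpoint name and every command invocation out of a transcript, and flags Restart-Service calls whose service name is outside the allowed set. The transcript text embedded in the script is a constructed sample shaped like a PowerShell 5.1 transcript header followed by JEA command-invocation records; the commented-out Get-ChildItem line shows how to feed it the real files from C:\PS\JEA_logs.

```powershell
# Added example: summarise JEA transcripts from the TranscriptDirectory.
function Get-JeaTranscriptSummary {
    param(
        [Parameter(Mandatory)] [string[]] $TranscriptText,   # one string per transcript file
        [string[]] $AllowedServices = @('DNS', 'NTDS')       # matches the role's ValidateSet
    )
    foreach ($text in $TranscriptText) {
        # Header fields written by Start-Transcript (values trimmed in case of CRLF endings)
        $user     = [regex]::Match($text, '(?m)^Username:\s*(.+)$').Groups[1].Value.Trim()
        $runAs    = [regex]::Match($text, '(?m)^RunAs User:\s*(.+)$').Groups[1].Value.Trim()
        $endpoint = [regex]::Match($text, '(?m)^Configuration Name:\s*(.+)$').Groups[1].Value.Trim()
        $start    = [regex]::Match($text, '(?m)^Start time:\s*(\d+)').Groups[1].Value

        # Each command the user typed is recorded as CommandInvocation(<name>),
        # followed by one ParameterBinding line per bound parameter.
        $commands = [regex]::Matches($text, '(?m)^PS>CommandInvocation\(([^)]+)\):') |
            ForEach-Object { $_.Groups[1].Value }

        # Service names passed to Restart-Service; anything outside the allowed
        # set was rejected by ValidateSet but still shows an attempt worth noticing.
        $svcNames = [regex]::Matches($text,
            '(?m)^>> ParameterBinding\(Restart-Service\): name="Name"; value="([^"]+)"') |
            ForEach-Object { $_.Groups[1].Value }
        $denied = @($svcNames | Where-Object { $_ -notin $AllowedServices })

        [pscustomobject]@{
            Start            = $start
            User             = $user
            RunAs            = $runAs
            Endpoint         = $endpoint
            Commands         = @($commands) -join '; '
            DeniedServiceArg = $denied -join ', '
        }
    }
}

# Constructed sample transcript (not real log output): one HelpDesk session that
# lists commands, restarts DNS and then tries the spooler service.
$sample = @'
**********************
Windows PowerShell transcript start
Start time: 20210506101502
Username: WOSHUB\jdoe
RunAs User: WinRM Virtual Users\WinRM VA_1_woshub_jdoe
Configuration Name: testHelpDesk
Machine: DC01 (Microsoft Windows NT 10.0.17763.0)
**********************
PS>CommandInvocation(Get-Command): "Get-Command"
PS>CommandInvocation(Restart-Service): "Restart-Service"
>> ParameterBinding(Restart-Service): name="Name"; value="dns"
PS>CommandInvocation(Restart-Service): "Restart-Service"
>> ParameterBinding(Restart-Service): name="Name"; value="spooler"
**********************
Windows PowerShell transcript end
End time: 20210506101630
**********************
'@

# Real use: read every transcript under the JEA log folder instead of $sample.
# $sample = Get-ChildItem 'C:\PS\JEA_logs' -Filter *.txt -Recurse | Get-Content -Raw

Get-JeaTranscriptSummary -TranscriptText $sample | Format-List
```

For the sample above the summary shows user WOSHUB\jdoe on endpoint testHelpDesk, the three command invocations, and "spooler" in DeniedServiceArg. Because the transcript records the connecting user while the work is done by the virtual account, this is the file to check when a service restart on the DC needs to be traced back to a person.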

So, JEA allows you to granularly grant users access to run specific PowerShell cmdlets, scripts or programs as an administrator.



2 comments

JohnDone April 13, 2022 - 6:36 pm

Instead of Restart-Computer dns, it should be Restart-Service dns

Reply
admin April 15, 2022 - 11:36 am

🙂 thks

Reply


@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins

