{"id":16481,"date":"2010-11-17T00:01:00","date_gmt":"2010-11-17T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/11\/17\/configure-remote-security-settings-for-windows-powershell\/"},"modified":"2010-11-17T00:01:00","modified_gmt":"2010-11-17T00:01:00","slug":"configure-remote-security-settings-for-windows-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/configure-remote-security-settings-for-windows-powershell\/","title":{"rendered":"Configure Remote Security Settings for Windows PowerShell"},"content":{"rendered":"

  <\/p>\n

Summary:<\/b> Microsoft Scripting Guy, Ed Wilson, teaches how to configure remote security settings for Windows PowerShell.<\/p>\n

 <\/p>\n

\"Hey,<\/span>Hey, Scripting Guy! I am a Help Desk Support Manager, and I have written a series of scripts that I want to allow the help desk support people to use. These scripts collect basic information, and output to a file that is then emailed to Tier 2 support when necessary. I have found this to be an effective way to streamline our help desk operation. The problem is that I do not want to make our Tier 1 support people Administrators on the remote machines. <\/p>\n

— LB<\/p>\n

 <\/p>\n

\"Hey,<\/span>Hello LB, Microsoft Scripting Guy Ed Wilson here. When I was scuba diving<\/a> in Little Cayman<\/a>, I had the opportunity to take pictures of Nassau Groupers<\/a>. These are beautiful and friendly fish as seen in the following figure, (although unfortunately endangered due to overfishing). Speaking of groupers, LB, the solution to your problem is to use groups. <\/p>\n

 <\/p>\n

 <\/p>\n

The first thing you need to do is to create a group, such as the one seen in the following figure.<\/p>\n

 <\/p>\n

 <\/p>\n

If you attempt to work with the Windows PowerShell session configuration information, and you do not start Windows PowerShell as an Administrator, an error will occur. Windows PowerShell will not allow you to retrieve session configuration information if you are not running as an Administrator. This error is seen here.<\/p>\n

<\/p>\n

 <\/p>\n

After you start the Windows PowerShell console with admin rights (right-click the Windows PowerShell icon<\/strong> and select Run as Administrator<\/b> from the Action<\/b> menu), you can use the Set-PSSessionConfiguration<\/b> Windows PowerShell cmdlet to modify the security configuration for Windows PowerShell remoting<\/a>. The easiest way to do this is to use the ShowSecurityDescriptorUI<\/i> switched parameter to force the cmdlet to display a graphical interface that allows you to add a Security Group to the access control list for the session. In addition to using the ShowSecurityDescriptorUI<\/i> switched parameter, you will also need to specify the name<\/i> parameter to indicate the application to be configured. In this example, use Microsoft.PowerShell. I also like to use the force<\/i><\/a> parameter to keep the cmdlet from prompting me. To me the prompt is annoying, and even a little misleading, as I have not changed or configured anything yet, and the prompt says that I am going to be “Performing operation “Set-PSSessionConfiguration<\/b>” on Target “Name: Microsoft.PowerShell.” This is one of those “Well, duh” moments that arise when I say “Of course I am going to run the cmdlet, I just told you to do so.” The prompt is shown here.<\/p>\n

PS C:\\Windows\\system32> Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Mi<\/span><\/p>\n

crosoft.PowerShell<\/span><\/p>\n

 <\/span><\/p>\n

Confirm<\/span><\/p>\n

Are you sure you want to perform this action?<\/span><\/p>\n

Performing operation “Set-PSSessionConfiguration” on Target “Name:<\/span><\/p>\n

Microsoft.PowerShell”.<\/span><\/p>\n

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help<\/span><\/p>\n

(default is “Y”):<\/span><\/p>\n

 <\/p>\n

The command, (which is typed on a single line, but is wrapped here for publication on the blog) incorporating the force<\/i> parameter is seen here. <\/p>\n

PS C:\\Windows\\system32> Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Mi<\/span><\/p>\n

crosoft.PowerShell -Force<\/span><\/p>\n

 <\/p>\n

Once the command runs, the following permissions dialog box appears. As seen in the following figure, I have added the PoshRemoteUsers<\/b> group and granted them full control. <\/p>\n

 <\/p>\n

 <\/p>\n

I now pop over to a remote computer, and attempt to run a script block on my mred1<\/b> computer – the computer to which I just made the Windows PowerShell session configuration change. The user nwtraders\\pshUser<\/b> is not a member of the PoshRemoteUsers<\/b> group, and therefore as a plain everyday user, does not have remote rights to my machine. When I run the following command an error arises. <\/p>\n

Invoke-command -computername mred1 -scriptblock {hostname} -credential nwtraders\\pshuser<\/span><\/p>\n

 <\/p>\n

If I execute the command as the nwtraders\\posh remoteuser<\/b> the command succeeds because the posh remoteuser<\/b> was added to the PoshRemoteUsers<\/b> group. Keep in mind, that posh remoteuser<\/b> is an ordinary user, and has no added group memberships other than membership in the PoshRemoteUsers<\/b> group and the Domain Users<\/b> group. This is seen in the following figure.<\/p>\n

 <\/p>\n

 <\/p>\n

To test things out, I open a Remote Desktop session on a remote Windows 7<\/a> desktop, open Windows PowerShell and attempt to make a connection to the Mred1<\/b> computer. Because the posh remoteuser<\/b> has a space in it, I thought there might be some confusion on using it from the Windows PowerShell console. Therefore I attempted different configurations of the name. The results are shown in this figure.<\/p>\n

 <\/p>\n

 <\/p>\n

LB, that is all there is to configuring security for Windows PowerShell remoting. Remoting week will continue tomorrow when I will talk about working with remote sessions. <\/p>\n

I invite you to follow me on Twitter<\/a> or Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a> or post them on the Official Scripting Guys Forum.<\/a>. See you tomorrow. Until then, peace.<\/p>\n

 <\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"

   Summary: Microsoft Scripting Guy, Ed Wilson, teaches how to configure remote security settings for Windows PowerShell.   Hey, Scripting Guy! I am a Help Desk Support Manager, and I have written a series of scripts that I want to allow the help desk support people to use. These scripts collect basic information, and output […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[51,57,3,4,45],"class_list":["post-16481","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-getting-started","tag-remoting","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell"],"acf":[],"blog_post_summary":"

   Summary: Microsoft Scripting Guy, Ed Wilson, teaches how to configure remote security settings for Windows PowerShell.   Hey, Scripting Guy! I am a Help Desk Support Manager, and I have written a series of scripts that I want to allow the help desk support people to use. These scripts collect basic information, and output […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/16481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=16481"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/16481\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=16481"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=16481"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=16481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}