You Don’t Have to Be An Administrator to Run Remote PowerShell Commands

You Don’t Have to Be An Administrator to Run Remote PowerShell Commands

Rate This
  • Comments 11

I was just read blog entry which complained about having to have administrative access to execute PowerShell commands against a remote server.  This is not the case.

We are “secure by default” which means that if you want to do something that exposes a security risk to your machines, you have to make a conscious decision to do so.  We are secure by default so that you can feel confident in putting PowerShell on all your machines.  Your risks are a function of the decisions you make after  you install PowerShell and we’ll educate you about the risks and benefits of those decisions.  (Run “Get-Help about_Execution_Policies” to see a great example of that.)

That is why remoting is turned off by default and you have to run Enable-PSRemoting to turn it on. 

When you do this, we create the default PSSessionConfiguration called Microsoft.PowerShell with a SDDL which only allows people with administrative rights to execute remote commands on that machine.  You can see that by the following command:

PS> Get-PSSessionConfiguration |fl *

Name                   : microsoft.powershell
Filename               : %windir%\system32\pwrshplugin.dll
SDKVersion             : 1
XmlRenderingType       : text
lang                   : en-US
PSVersion              : 2.0
ResourceUri            :
http://schemas.microsoft.com/powershell/microsoft.powershell
SupportsOptions        : true
Capability             : {Shell}
xmlns                  :
http://schemas.microsoft.com/wbem/wsman/1/config/PluginConfiguration
Uri                    : http://schemas.microsoft.com/powershell/Microsoft.PowerShell
ExactMatch             : false
SecurityDescriptorSddl : O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
Permission             : BUILTIN\Administrators AccessAllowed

 

If you decide you want to allow others, what you do is run the command:

PS> Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

Confirm
Are you sure you want to perform this action?
Performing operation "Set-PSSessionConfiguration" on Target "Name: Microsoft.PowerShell".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Notice that this action could have a serious impact on your system so we ask you to confirm that you really want to do this.(In general we assume you know what you are doing and only bring up these nag-messages when we think it is super important that you not sleep walk through this one.  You can always add a –FORCE switch to bypass this message.)  This brings up the following dialog box which allows you to give others the ability to run commands on that machine:

image

 

Experiment!  Enjoy!  Engage!

Jeffrey Snover [MSFT]
Distinguished Engineer
Visit the Windows PowerShell Team blog at:    http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at:  http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx

Leave a Comment
  • Please add 8 and 6 and type the answer here:
  • Post
  • Good to know. How exactly are read & write commands distinguished in 3rd party cmdlets though? At what level are these commands being detected / intercepted for access control?

    -Trevor Sullivan

  • I've been looking for this info, thanks for posting it!

  • Hi,

    Will granting a non-admin user permission to Execute (Invoke) allow them to only successfully execute non-admin commands (effectively impersonating) or will they be able to execute any command that the PS Remoting service can?

    Regards,

    Jason

  • Can you do a follow up post about how I could change those settings on all my domain workstations? ... possibly via PS remoting itself ;)

  • @Jason,

    I tested this.  An account requires *Full Control* to actually be able to remote in.

    That being said, you aren't overriding all other security features.

    For example, I started Notepad as an admin on the server, then remoted in.  I couldn't kill the Notepad process.

    Further to that, I could do "get-service eventlog", but got access denied errors (or not found) trying "get-service", "get-service winrm", "get-service w32time".

    So granting remote access using Full Control is just a part of the settings required to give a remote account full access...

  • @posh lover,

    Assuming you understand the basics of fan-out remoting, to do this for multiple servers, you would simply create a PsSession to each computer, and run something like:

    PS>Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $sddl -Force

    For $sddl, you should use the above method  in this blog post with -showSecurityDescriptorUI to visually set the security, then capture the resulting Sddl into a variable, something like this:

    PS>$sddl=Get-PSSessionConfiguration microsoft.powershell|Select -exp SecurityDescriptorSddl

    Now that does bring up a small challenge with how you're going to pass that local variable into all of your remote sessions...

    Something for me to think about and blog, maybe next week.

  • When c:\windows\system32\windowspowershell\v1.0\powershell.exe is accessed by Java process from within the Hyper-V Server 2008 R2, It throws 'The system cannot find the file specified'. However, I am able to execute the powershell through console window. In both the cases, only administrator execute the commands. I am not able to access the directory v1.0. It looks like more security permissions are added on it. When I try to change permissions on this folder using commands cacls/icacls, It could only change WindowsPowerShell directory not the v1.0. It failed saying 'Access denied'. I don't have any clue to proceed with this. Help please!

  • I've also tried remoting with Powershell from one server to another. Both in Domain. I start a new session with "New-PSSession -Computername vserver1 -Credential test\Super01". When this user Super01 is in the local administrators group of vserver1, I am then able to connect and start a new session.

    However if I remove Super01 from the local admin group on vserver1, and only granting Users rights, adding user to the showSecurityDescriptorUI dialog with Full Control, it gets me an error "Connecting to remote server failed with the following error message : Access is denied."

    Can you tell if it's possible to connect to a different server without having local admin rights on that target server?

  • Solved my previous question...

    there's a difference in

    Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

    -and-

    Set-PSSessionConfiguration -Name Microsoft.PowerShell32 -showSecurityDescriptorUI

  • Hi Jeffrey,

    thanks for your post. I use this action already for configuring my printservers and give execute-permissions to a special group for using my powershell-based create-printer-script, which is running via remote management-server. Because it's a huge environment, we create a lot of additional printservers via unattended setup, but the security descriptor has to be changed manually. How is it possible to give the execute-permissions via script in case of an unattended installation? Any idea?

    Many thanks

    Daniel

  • My domain account is added as a "power user" on a server.

    As you advised my power user account is included to get "full control" on powershell.

    The following query is used :

    Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

    This invoked a privilege window on which I included my Poweruser account.

    Whilst executing the following command, I am getting the following error message :

    Get-WmiObject win32_logicaldisk -computername myserver.domain.com | Where-Object { $_.DriveType -eq 3 } | Select-Object SystemName,DeviceID,VolumeName,FreeSpace,Size

    Error message :

    Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005

    (E_ACCESSDENIED))

    At line:1 char:1

    + Get-WmiObject win32_logicaldisk -computername myserver.domain.com |

    Where-Object ...

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedA

      ccessException

       + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow

      erShell.Commands.GetWmiObjectCommand

    Kindly shed some light about the error and steps towards the solution. Thanks in advance.

Page 1 of 1 (11 items)