{"id":67620,"date":"2016-09-05T15:45:08","date_gmt":"2016-09-05T15:45:08","guid":{"rendered":"https:\/\/www.simple-talk.com\/?p=67620"},"modified":"2026-05-08T15:12:56","modified_gmt":"2026-05-08T15:12:56","slug":"powershell-just-enough-administration","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/sysadmin\/powershell\/powershell-just-enough-administration\/","title":{"rendered":"PowerShell Just Enough Administration (JEA): Role Capabilities, Session Configurations, and Constrained Endpoints for Least-Privilege Admin"},"content":{"rendered":"\n<div id=\"callout-block_ec7a9b7827c6886341555418a3ff6a3b\" class=\"callout alignnone\">\n    <div class=\"child-last:mb-0 child-first:mt-0 bg-gray-50 dark:bg-gray-950 p-4xl my-3xl\">\n\n<p><strong>In summary:<\/strong> <b>PowerShell Just Enough Administration (JEA) is a Windows security feature that enables least-privilege delegated administration. Users can run a specific allow-listed set of PowerShell commands with elevated privileges, <em>without<\/em> granting them full local or domain administrator rights. <\/b><\/p>\n\n<\/div>\n<\/div> \n\n\n<p><b>Example scenario: <\/b>a helpdesk analyst needs to restart services on application servers but shouldn&#8217;t have admin access to those servers. Traditional approaches (add to local admins group, use runas, grant specific service rights via GPO) give too much or aren&#8217;t granular enough. 
JEA solution: define a role capability (which commands this role can run, with which parameters, against which targets), expose it via a session configuration as a constrained PowerShell remoting endpoint, and grant users access.<\/p>\n\n\n\n<p>When the user connects via Enter-PSSession -ConfigurationName YourJEAEndpoint, they get a constrained shell that only allows the permitted commands &#8211; they can&#8217;t launch cmd, can&#8217;t run Invoke-Expression, can&#8217;t escape the allowlist.<b> <\/b><\/p>\n\n\n\n<p>Commands run under a virtual admin account (or other designated service account), not the user&#8217;s own identity, so they have the access needed without the user being an admin. Introduced in Windows Management Framework 5.0, improved in later releases.<\/p>\n\n\n\n<p>Core components: role capability .psrc files (what commands are allowed), session configuration .pssc files (who gets which role, transcription settings, virtual account configuration), JEA endpoint deployment (Register-PSSessionConfiguration -Path &#8230;). Transcripts capture everything JEA users do for audit. Widely used for delegating SQL Server admin, AD account management, Exchange admin, file server admin to ops teams without making them full admins.<\/p>\n\n\n\n<p><strong>Continue reading to learn everything you need to know about PowerShell Just Enough Administration (JEA).<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-jea\">What is JEA?<\/h2>\n\n\n\n<p>PowerShell, with its numerous cmdlets, has made System administration very simple, but there are two problems still to solve before we can take advantage of this simplicity to allow a wider group of users to perform system management. 
The first problem is to prevent a user from accidentally harming another part of the system, and the other problem is security.<\/p>\n\n\n\n<p>The whole problem of managing access rights via PowerShell is sometimes forgotten or set aside in order to simplify the administration task. When you allow someone to access your system, you increase the risk of a user accidentally damaging part of the system, or the risk of a security breach. You can imagine what would happen if the administrator\u2019s credentials were stolen while a sysadmin was performing actions as administrator. Once that happens, your entire system is vulnerable.<\/p>\n\n\n\n<p>Basically, you need to assign the user just enough rights to achieve the particular admin task, and no wider rights than that. This is where &#8220;Just Enough Administration&#8221;, also known as \u201cJEA\u201d, comes in. You probably already know &#8220;Role-based access control&#8221; (RBAC), an approach that restricts system access to authorized users according to their role. JEA provides an RBAC platform for Windows PowerShell that authorizes users to perform specific actions on your machines without giving them blanket administrative rights.<\/p>\n\n\n\n<p>JEA works as a whitelist and not as a blacklist. This means that you must explicitly allow the actions that your users will be able to perform.<\/p>\n\n\n\n<p>I have summarized this in a diagram of the JEA concept. Take the example of a helpdesk operator who needs to reset the Active Directory account of a blocked user. Our operator will use PowerShell and its numerous cmdlets in order to resolve this incident. 
But this means that he can also delete the user account or restart the domain controller through ignorance or by a simple error.<\/p>\n\n\n\n<p>So, to avoid this kind of damage, we will use JEA to limit the actions of our operator by allowing him to use only some pre-defined cmdlets.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2016\/09\/word-image-6.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p class=\"caption\">Figure 1 \u2013 Just Enough Administration<\/p>\n\n\n\n<p>The main advantages of JEA:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>Reduce the number of &#8220;administrator&#8221; accounts in your environment<\/li>\n\n\n\n<li>Easily limit access to the machines<\/li>\n\n\n\n<li>Audit the actions made by your users<\/li>\n<\/ul>\n<\/div>\n\n\n<div class=\"note\">\n<p>Note: Some of you who use WMF 5.0 may know JEA as a DSC resource named &#8220;xJEA&#8221;: this is now fully implemented in Windows PowerShell.<\/p>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-prerequisites\">Prerequisites<\/h2>\n\n\n\n<p>Before implementing a JEA infrastructure, certain prerequisites are needed. For machines running &#8220;Windows Server\u201d, you must have either Windows Server 2016 Technical Preview 4 or later, or Windows Server 2012 R2, 2012 or 2008 R2 with&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=50395\">Windows Management Framework 5.0<\/a>&nbsp;installed.<\/p>\n\n\n\n<p>For Windows client operating systems, you must have Windows 10 with the November Update (1511) installed, or a previous version of Windows with Windows Management Framework 5.0 installed.<\/p>\n\n\n\n<p>Finally, you must have administrator rights on the machine and this machine must be a member of an Active Directory domain.<\/p>\n\n\n\n<p>JEA is built on PowerShell Remoting. 
The first step is to run the following command to make sure that PowerShell remoting is enabled on the machine:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">  PS &gt; Enable-PSRemoting\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-jea-works\">How JEA works<\/h2>\n\n\n\n<p>JEA is implemented as a Windows PowerShell session endpoint and is based on two items:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li><strong>PowerShell Session Configuration file:<\/strong> This file specifies who can connect to an endpoint. It is possible to use Windows users or groups. A PowerShell Session Configuration file is specific to each machine, so it is possible to configure these machines in a very fine-grained manner. These files are recognized by their extension &#8220;.pssc&#8221;.<\/li>\n\n\n\n<li><strong>Role Capability file:<\/strong> There may be one or more Role Capability files. They allow the administrator to specify what actions can be done by each role. These files are recognized by their extension &#8220;.psrc&#8221;.<\/li>\n<\/ul>\n<\/div>\n\n\n<p>On each machine, there are several default PowerShell Session Configurations. Each session configuration can be restricted to give PowerShell just a limited set of functionality. 
To list them, use the <strong>Get-PSSessionConfiguration<\/strong> cmdlet:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS C:\\&gt; Get-PSSessionConfiguration\n\n\nName          : microsoft.powershell\nPSVersion     : 5.0\nStartupScript :\nRunAsUser     :\nPermission    : NT AUTHORITY\\INTERACTIVE AccessAllowed,\nBUILTIN\\Administrators AccessAllowed, BUILTIN\\Remote\n                Management Users AccessAllowed\n\nName          : microsoft.powershell.workflow\nPSVersion     : 5.0\nStartupScript :\nRunAsUser     :\nPermission    : BUILTIN\\Administrators AccessAllowed, BUILTIN\\Remote\nManagement Users AccessAllowed\n\nName          : microsoft.powershell32\nPSVersion     : 5.0\nStartupScript :\nRunAsUser     :\nPermission    : NT AUTHORITY\\INTERACTIVE AccessAllowed,\nBUILTIN\\Administrators AccessAllowed, BUILTIN\\Remote\n                Management Users AccessAllowed\n\nName          : microsoft.windows.servermanagerworkflows\nPSVersion     : 3.0\nStartupScript :\nRunAsUser     :\nPermission    : NT AUTHORITY\\INTERACTIVE AccessAllowed,\nBUILTIN\\Administrators AccessAllowed\n<\/pre>\n\n\n\n<p>We will add to this list a new session. So the next step is to create our own session file. 
These files use the &#8220;.pssc&#8221; extension and can be created via the <strong>New-PSSessionConfigurationFile<\/strong> cmdlet:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS &gt; New-Item -Path \"C:\\JEAConfig\" -ItemType Directory\nPS &gt; New-PSSessionConfigurationFile -Path \"C:\\JEAConfig\\JEADemo.pssc\"\n<\/pre>\n\n\n\n<p>Running this command provides the skeleton of a &#8220;.pssc&#8221; file containing the most common settings.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">@{\n\n# Version number of the schema used for this document\nSchemaVersion = '2.0.0.0'\n\n# ID used to uniquely identify this document\nGUID = '9fa70c54-5cfd-4d2d-88ca-5842b6de5353'\n\n# Author of this document\nAuthor = 'Admin'\n\n# Description of the functionality provided by these settings\n# Description = ''\n\n# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'\nSessionType = 'Default'\n\n# Directory to place session transcripts for this session configuration\n# TranscriptDirectory = 'C:\\Transcripts\\'\n\n# Whether to run this session configuration as the machine's (virtual) administrator account\n# RunAsVirtualAccount = $true\n\n# Groups associated with machine's (virtual) administrator account\n# RunAsVirtualAccountGroups = 'Remote Desktop Users', 'Remote Management Users'\n\n# Scripts to run when applied to a session\n# ScriptsToProcess = 'C:\\ConfigData\\InitScript1.ps1','C:\\ConfigData\\InitScript2.ps1'\n\n# User roles (security groups), and the role capabilities that should be applied to them when applied to a session\n# RoleDefinitions = @{ 'CONTOSO\\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' }; 'CONTOSO\\ServerMonitors' = @{ VisibleCmdlets ='Get-Process' } }\n\n} \n<\/pre>\n\n\n\n<p>By executing the following command, we can obtain the skeleton of a &#8220;.pssc&#8221; file containing all the settings:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">  PS &gt; 
New-PSSessionConfigurationFile -Path \"C:\\JEAConfig\\JEADemoFull.pssc\" -Full\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">@{\n\n# Version number of the schema used for this document\nSchemaVersion = '2.0.0.0'\n\n# ID used to uniquely identify this document\nGUID = '27df58a4-6150-412e-92f6-587f36617a34'\n\n# Author of this document\nAuthor = 'Admin'\n\n# Description of the functionality provided by these settings\n# Description = ''\n\n# Company associated with this document\nCompanyName = 'Unknown'\n\n# Copyright statement for this document\nCopyright = '(c) 2016 Admin. All rights reserved.'\n\n# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'\nSessionType = 'Default'\n\n# Directory to place session transcripts for this session configuration\n# TranscriptDirectory = 'C:\\Transcripts\\'\n\n# Whether to run this session configuration as the machine's (virtual) administrator account\n# RunAsVirtualAccount = $true\n\n# Groups associated with machine's (virtual) administrator account\n# RunAsVirtualAccountGroups = 'Remote Desktop Users', 'Remote Management Users'\n\n# Scripts to run when applied to a session\n# ScriptsToProcess = 'C:\\ConfigData\\InitScript1.ps1','C:\\ConfigData\\InitScript2.ps1'\n\n# User roles (security groups), and the role capabilities that should be applied to them when applied to a session\n# RoleDefinitions = @{ 'CONTOSO\\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' }; 'CONTOSO\\ServerMonitors' = @{ VisibleCmdlets = 'Get-Process' } }\n\n# Language mode to apply when applied to a session. 
Can be 'NoLanguage' (recommended), 'RestrictedLanguage','ConstrainedLanguage', or 'FullLanguage'\nLanguageMode = 'FullLanguage'\n\n# Execution policy to apply when applied to a session\nExecutionPolicy = 'Restricted'\n\n# Version of the Windows PowerShell engine to use  when applied to a session\n# PowerShellVersion = '5.0.10586.117'\n\n# Modules to import when applied to a session\n# ModulesToImport = 'MyCustomModule', @{ ModuleName = 'MyCustomModule'; ModuleVersion = '1.0.0.0'; GUID ='4d30d5f0-cb16-4898-812d-f20a6c596bdf' }\n\n# Aliases to make visible when applied to a session\n# VisibleAliases = 'Item1', 'Item2'\n\n# Cmdlets to make visible when applied to a session\n# VisibleCmdlets = 'Invoke-Cmdlet1', @{ Name = 'Invoke-Cmdlet2';Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' },@{ Name = 'Parameter2'; ValidatePattern = 'L*' } }\n\n# Functions to make visible when applied to a session\n# VisibleFunctions = 'Invoke-Function1', @{ Name = 'Invoke-Function2';Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' },@{ Name = 'Parameter2'; ValidatePattern = 'L*' } }\n\n# External commands (scripts and applications) to make visible when applied to a session\n# VisibleExternalCommands = 'Item1', 'Item2'\n\n# Providers to make visible when applied to a session\n# VisibleProviders = 'Item1', 'Item2'\n\n# Aliases to be defined when applied to a session\n# AliasDefinitions = @{ Name = 'Alias1'; Value = 'Invoke-Alias1'}, @{Name = 'Alias2'; Value = 'Invoke-Alias2'}\n\n# Functions to define when applied to a session\n# FunctionDefinitions = @{ Name = 'MyFunction'; ScriptBlock = {param($MyInput) $MyInput } }\n\n# Variables to define when applied to a session\n# VariableDefinitions = @{ Name = 'Variable1'; Value = { 'Dynamic' +'InitialValue' } }, @{ Name = 'Variable2'; Value ='StaticInitialValue' }\n\n# Environment variables to define when applied to a session\n# EnvironmentVariables = @{ Variable1 = 'Value1'; Variable2 = 'Value2' }\n\n# Type 
files (.ps1xml) to load when applied to a session\n# TypesToProcess = 'C:\\ConfigData\\MyTypes.ps1xml','C:\\ConfigData\\OtherTypes.ps1xml'\n\n# Format files (.ps1xml) to load when applied to a session\n# FormatsToProcess = 'C:\\ConfigData\\MyFormats.ps1xml','C:\\ConfigData\\OtherFormats.ps1xml'\n\n# Assemblies to load when applied to a session\n# AssembliesToLoad = 'System.Web', 'System.OtherAssembly,Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'\n\n} \n<\/pre>\n\n\n\n<p>In our example, we will rename the first file to &#8220;HelpdeskOperator.pssc&#8221; and modify the following lines:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SessionType = 'RestrictedRemoteServer'\nTranscriptDirectory = \"C:\\JEAConfig\\Transcripts\"\nRunAsVirtualAccount = $true\nRoleDefinitions = @{'Domain\\HelpdeskOperator' = @{ VisibleCmdlets = 'Get-Service', 'Get-Process' }}\n<\/pre>\n\n\n\n<p>Here is the description of these four parameters:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li><strong>SessionType<\/strong>: selects a set of predefined default settings. The &#8220;<em>RestrictedRemoteServer<\/em>&#8221; value exposes only the minimum cmdlets needed for remote management. This mode sets the execution policy to \u201cRemoteSigned\u201d and contains the following cmdlets:<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>Get-Command,<\/li>\n\n\n\n<li>Get-FormatData,<\/li>\n\n\n\n<li>Select-Object,<\/li>\n\n\n\n<li>Get-Help,<\/li>\n\n\n\n<li>Measure-Object,<\/li>\n\n\n\n<li>Exit-PSSession,<\/li>\n\n\n\n<li>Clear-Host,<\/li>\n\n\n\n<li>Out-Default.<\/li>\n<\/ul>\n<\/div><\/li>\n\n\n\n<li><strong>TranscriptDirectory<\/strong>: defines the location in which the PowerShell transcripts are saved after each remote session.<\/li>\n\n\n\n<li><strong>RunAsVirtualAccount<\/strong>: indicates that PowerShell must &#8220;run as&#8221; a virtual account. 
By default, the virtual account is a member of the Administrators group.<\/li>\n\n\n\n<li><strong>RoleDefinitions:<\/strong>\u00a0defines actions available to any user attempting to establish a connection based on their group membership.<\/li>\n<\/ul>\n<\/div>\n\n\n<p>Now we just have to register the configuration via the &#8220;<strong>Register-PSSessionConfiguration<\/strong>&#8221; cmdlet:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS &gt; Register-PSSessionConfiguration -Name 'HelpdeskOperator' -Path \"C:\\JEAConfig\\HelpdeskOperator.pssc\"\n\nWARNING: Register-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has\nrecently been unregistered, certain system data structures may still be cached. In that case, a restart of WinRM may be\n required.\nAll WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session\nconfigurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.\n\n   WSManConfig: Microsoft.WSMan.Management\\WSMan::localhost\\Plugin\n\nType            Keys                                Name\n----            ----                                ----\nContainer       {Name=HelpdeskOperator}             HelpdeskOperator\n\nWARNING: Set-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has\nrecently been unregistered, certain system data structures may still be cached. In that case, a restart of WinRM may be\n required.\nAll WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session\nconfigurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.\nWARNING: Register-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has\nrecently been unregistered, certain system data structures may still be cached. 
In that case, a restart of WinRM may be\n required.\nAll WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session\nconfigurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.<\/pre>\n\n\n\n<p>The <strong>-Name<\/strong> parameter is used by users when connecting to this configuration. At this time, the session is configured. Let us view the available sessions on our machine to note that a new session is clearly visible:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS C:\\&gt; Get-PSSessionConfiguration\n\n\nName          : HelpdeskOperator\nPSVersion     : 5.0\nStartupScript :\nRunAsUser     :\nPermission    : Domain\\HelpdeskOperator AccessAllowed\n\nName          : microsoft.powershell\nPSVersion     : 5.0\nStartupScript :\nRunAsUser     :\nPermission    : NT AUTHORITY\\INTERACTIVE AccessAllowed,BUILTIN\\Administrators AccessAllowed, BUILTIN\\Remote\n                Management Users AccessAllowed\n\nName          : microsoft.powershell.workflow\nPSVersion     : 5.0\nStartupScript :\nRunAsUser     :\nPermission    : BUILTIN\\Administrators AccessAllowed, BUILTIN\\Remote Management Users AccessAllowed\n\nName          : microsoft.powershell32\nPSVersion     : 5.0\nStartupScript :\nRunAsUser     :\nPermission    : NT AUTHORITY\\INTERACTIVE AccessAllowed,BUILTIN\\Administrators AccessAllowed, BUILTIN\\Remote\n                Management Users AccessAllowed\n\nName          : microsoft.windows.servermanagerworkflows\nPSVersion     : 3.0\nStartupScript :\nRunAsUser     :\nPermission    : NT AUTHORITY\\INTERACTIVE AccessAllowed,BUILTIN\\Administrators AccessAllowed \n<\/pre>\n\n\n\n<p>Your users can now connect via the <strong>Enter-PSSession<\/strong> cmdlet:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS &gt; $HelpdeskOperatorCred = Get-Credential\nPS &gt; Enter-PSSession -ComputerName . 
-ConfigurationName HelpdeskOperator -Credential $HelpdeskOperatorCred\n[localhost]: PS&gt;Get-Command\n\nCommandType     Name           Version    Source\n-----------     ----           -------    ------\nFunction        Clear-Host\nFunction        Exit-PSSession\nFunction        Get-Command\nFunction        Get-FormatData\nFunction        Get-Help\nFunction        Measure-Object\nFunction        Out-Default\nFunction        Select-Object\nCmdlet          Get-Process    3.0.0.0    Microsoft.PowerShell.Management\nCmdlet          Get-Service    3.0.0.0    Microsoft.PowerShell.Management\n\n\n[localhost]: PS&gt;Get-Date\nThe term 'Get-Date' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\n    + CategoryInfo          : ObjectNotFound: (Get-Date:String) [],CommandNotFoundException\n    + FullyQualifiedErrorId : CommandNotFoundException\n\n[localhost]: PS&gt;Get-Service\n\nStatus   Name               DisplayName\n------   ----               -----------\nStopped  AeLookupSvc        Application Experience\nStopped  ALG                Application Layer Gateway Service\nRunning  AppHostSvc         Application Host Helper Service\nStopped  AppIDSvc           Application Identity\nStopped  Appinfo            Application Information\nRunning  AppMgmt            Application Management \n\n[localhost]: PS&gt; Exit-PSSession\n<\/pre>\n\n\n\n<p>Excellent! Only a few cmdlets are visible: <strong>Get-Service<\/strong> and <strong>Get-Process<\/strong> are the cmdlets that we authorized. The others are the minimal set of cmdlets that JEA always provides via the &#8220;RestrictedRemoteServer&#8221; mode.<\/p>\n\n\n\n<p>Navigate to the directory C:\\JEAConfig\\Transcripts and open the file named &#8220;PowerShell_Transcript_xxxx.txt&#8221;. 
This contains all the commands entered by your user.<\/p>\n\n\n\n<p>Note that a modification to a &#8220;.pssc&#8221; file does not take effect on a session configuration that is already registered. So you have to unregister the session configuration and register it again:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">  PS &gt; Unregister-PSSessionConfiguration -Name HelpdeskOperator -ErrorAction Stop\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-to-go-further-with-rolecapabilities\">To go further with RoleCapabilities<\/h2>\n\n\n\n<p>Why do we need to work with roles? Because it\u2019s easier! Management is simplified because a role defines what a user can do. This may involve, at the least, the use of some cmdlets and some applications.<\/p>\n\n\n\n<p>This is RBAC functionality!<\/p>\n\n\n\n<p>For PowerShell to detect roles, simply place them in a &#8220;<strong>RoleCapabilities<\/strong>&#8221; folder in a valid PowerShell module. This module is discovered automatically when a PowerShell session is opened. This is a real advantage, because when you edit a &#8220;.psrc&#8221; file it is re-read each time a session is opened. There is no need to unregister and re-register the session configuration. 
Let&#8217;s start with:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>Create our module<\/li>\n\n\n\n<li>Create the manifest<\/li>\n\n\n\n<li>Create the &#8220;RoleCapabilities&#8221; folder<\/li>\n\n\n\n<li>And finally create our &#8220;.psrc&#8221; file<\/li>\n<\/ul>\n<\/div>\n\n\n<pre class=\"wp-block-preformatted\">PS &gt; New-Item -Path 'C:\\Program Files\\WindowsPowerShell\\Modules\\JEAHelpdeskOperator' -ItemType Directory\n\nPS &gt; New-ModuleManifest -Path 'C:\\Program Files\\WindowsPowerShell\\Modules\\JEAHelpdeskOperator\\JEAHelpdeskOperator.psd1' -RootModule JEAHelpdeskOperator.psm1\n\nPS &gt; New-Item -Path 'C:\\Program Files\\WindowsPowerShell\\Modules\\JEAHelpdeskOperator\\JEAHelpdeskOperator.psm1' -ItemType File\n\nPS &gt; New-Item -Path 'C:\\Program Files\\WindowsPowerShell\\Modules\\JEAHelpdeskOperator\\RoleCapabilities' -ItemType Directory\n\nPS &gt; New-PSRoleCapabilityFile -Path 'C:\\Program Files\\WindowsPowerShell\\Modules\\JEAHelpdeskOperator\\RoleCapabilities\\JEAHelpdeskOperator.psrc'\n<\/pre>\n\n\n\n<p>Now, we will adapt this &#8220;.psrc&#8221; file to our environment. 
I allow the operator:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>To use all the cmdlets starting with &#8220;Get-&#8221;,<\/li>\n\n\n\n<li>To restart the machine,<\/li>\n\n\n\n<li>To restart a single Windows service whose name is &#8220;Spooler&#8221;,<\/li>\n\n\n\n<li>To use the external command &#8220;Cmd.exe&#8221;,<\/li>\n\n\n\n<li>To use the aliases &#8220;Dir&#8221; and &#8220;Ls&#8221;,<\/li>\n\n\n\n<li>And finally to use the &#8220;FileSystem&#8221; provider, since otherwise the aliases and the Get-ChildItem cmdlet will not work.<\/li>\n<\/ul>\n<\/div>\n\n\n<pre class=\"wp-block-preformatted\">VisibleCmdlets = 'Restart-Computer', 'Get-*',\n                 @{\n                     Name = 'Restart-Service'\n                     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' }\n                 }\n\nVisibleExternalCommands = 'C:\\Windows\\system32\\cmd.exe'\n\nVisibleAliases = 'Dir', 'ls'\n\nVisibleProviders = 'FileSystem'\n<\/pre>\n\n\n\n<p>I will not detail all of these options because they are relatively intuitive. One caveat: exposing <em>cmd.exe<\/em> through <strong>VisibleExternalCommands<\/strong> hands the operator an unconstrained command prompt running as the virtual administrator account, as the session output below shows, which undoes the allow-list. It is included here only to demonstrate the setting; a production role should not expose a shell or script interpreter.<\/p>\n\n\n\n<p>The last thing to do is to add the following line to the &#8220;.pssc&#8221; file, which binds this role to our user (or group):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">RoleDefinitions = @{'Domain\\HelpdeskOperator' = @{ RoleCapabilities = 'JEAHelpdeskOperator' }}<\/pre>\n\n\n\n<div class=\"note\">\n<p>Note: Remember to unregister the previous session configuration that was used for our test.<\/p>\n<\/div>\n\n\n\n<pre class=\"wp-block-preformatted\">[localhost]: PS&gt;get-command\n\nCommandType     Name                          Version    Source\n-----------     ----                          -------    ------\nFunction        Clear-Host\nFunction        Exit-PSSession\nFunction        Get-Command\nFunction        Get-FormatData\nFunction        Get-Help\nFunction        Get-Verb\nFunction        Measure-Object\nFunction        Out-Default\nFunction        Restart-Service\nFunction 
       Select-Object\nCmdlet          Get-Acl                       3.0.0.0    Microsoft.PowerShell.Security\nCmdlet          Get-Alias                     3.0.0.0    Microsoft.PowerShell.Utility\nCmdlet          Get-AuthenticodeSignature     3.0.0.0    Microsoft.PowerShell.Security\nCmdlet          Get-ChildItem                 3.0.0.0    Microsoft.PowerShell.Management\n\n[localhost]: PS&gt;cmd\nMicrosoft Windows [Version 6.3.9600]\n(c) 2013 Microsoft Corporation. All rights reserved.\n\nC:\\Windows\\system32&gt;\n[localhost]: PS&gt;\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-jea-helper-tool\">JEA Helper Tool<\/h2>\n\n\n\n<p>If you have any difficulties with \u201c.pssc\u201d and \u201c.psrc\u201d files, you will be relieved to hear that there is a tool to make it easy to start with JEA. This tool is called \u201cJEA Helper Tool\u201d and lets you create, in graphical mode, the Session Configuration File and the Role Capability File.<\/p>\n\n\n\n<p>This tool can be downloaded from this address: <a href=\"https:\/\/blogs.technet.microsoft.com\/privatecloud\/2015\/12\/20\/introducing-the-updated-jea-helper-tool\/\">JEA Helper Tool<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-\"><strong><figure><img decoding=\"async\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2016\/09\/word-image-15.png\"><\/figure><\/strong><\/h2>\n\n\n\n<p class=\"caption\">Figure 2 \u2013 JEA Helper Tool<\/p>\n\n\n\n<p>In this tab, I load my &#8220;<em>.psrc<\/em>&#8221; file in the \u201c<em>JEA Helper Tool<\/em>\u201d, which shows me the cmdlets that I have authorized. 
You can also use the following command to get this information:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">  PS &gt; Get-PSSessionCapability -Username 'Domain\\HelpdeskOperator' -ConfigurationName HelpdeskOperator\n<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2016\/09\/word-image-20.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p class=\"caption\">Figure 3 \u2013 JEA Helper Tool<\/p>\n\n\n\n<p>Finally, in this tab the tool detects my &#8220;<em>HelpdeskOperator<\/em>&#8221; session configuration associated with the &#8220;<em>JEAHelpdeskOperator<\/em>&#8221; role.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-reporting-on-jea\">Reporting on JEA<\/h2>\n\n\n\n<p>As with any system, it is important to monitor and trace every action performed on your machines. JEA also records the actions made by your users in the Windows Event Logs. Logging can be enabled manually on each machine or through a &#8220;Group Policy Object&#8221; (GPO).<\/p>\n\n\n\n<p>Open the Group Policy Editor MMC and navigate to:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>Computer Configuration<\/li>\n\n\n\n<li>Administrative Templates<\/li>\n\n\n\n<li>Windows Components<\/li>\n\n\n\n<li>Windows PowerShell<\/li>\n<\/ul>\n<\/div>\n\n\n<p>Now, double click on &#8220;<em>Turn on Module Logging<\/em>&#8221; and select &#8220;<em>Enabled<\/em>&#8221;. 
Click on &#8220;<em>Show<\/em>&#8221; next to module names and, if you want to log commands from all PowerShell modules, type &#8220;<em>*<\/em>&#8221; in the pop-up window.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2016\/09\/word-image-24.png\" alt=\"logging\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p class=\"caption\">Figure 4 \u2013 Enable PowerShell Module Logging<\/p>\n\n\n\n<p>In addition, the transcript directory makes it very easy to see the actions performed on your machines by a user. PowerShell will automatically record a transcript of all actions taken in a given session. This parameter is configured via the following line:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">  TranscriptDirectory = \"C:\\JEAConfig\\Transcripts\"\n<\/pre>\n\n\n\n<p>I use a basic script to display the available session configurations on the machine in HTML format:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2016\/09\/word-image-31.png\" alt=\"https:\/\/gallery.technet.microsoft.com\/site\/view\/file\/157979\/1\/jea.png\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p class=\"caption\">Figure 5 \u2013 JEA reporting<\/p>\n\n\n\n<p>You can download my script from the <a href=\"https:\/\/gallery.technet.microsoft.com\/Generate-JEA-PowerShell-4973874b\">TechNet Gallery<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<p>We have seen, in this article, a new concept for PowerShell users called JEA &#8211; Just Enough Administration. This allows you to implement an RBAC infrastructure via PowerShell to limit administrators\u2019 access to your environment.<\/p>\n\n\n\n<p>JEA is extremely powerful and very useful not only to secure and control your environment but also to limit the actions that can be performed by users. 
Keep in mind that PowerShell is also very powerful and an error is quickly made. To err is human, so it pays to be preventive and secure your environment.<\/p>\n\n\n\n<p>JEA allows limited access to certain cmdlets, applications, environment variables and so on. Managing JEA is relatively simple, but you should allow plenty of time to implement it, as you will have to precisely list the actions that your users will be able to perform on the systems.<\/p>\n\n\n\n<p>Managing machines via PowerShell requires a user to have privileged access to those machines for certain actions. This is an inevitable security risk, and you must trust the system administrators. To minimize the risk, Microsoft recommends that you implement the &#8220;Just Enough Administration\u201d (JEA) infrastructure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>PowerShell Just Enough Administration (JEA) &#8211; implementing least-privilege delegated administration with role capability files, session configuration files, and constrained JEA endpoints. 
Allows specific users to run a limited set of commands elevated, without granting full administrator access.&hellip;<\/p>\n","protected":false},"author":158223,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[35],"tags":[],"coauthors":[6804],"class_list":["post-67620","post","type-post","status-publish","format-standard","hentry","category-powershell"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/67620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/158223"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=67620"}],"version-history":[{"count":10,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/67620\/revisions"}],"predecessor-version":[{"id":110428,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/67620\/revisions\/110428"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=67620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=67620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=67620"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=67620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}