It’s a bit of messy code but it works. I have a PowerShell Studio GUI tool which I have tested for a non-administrative user. I set up the constrained session using the PSSessionConfiguration commands mentioned earlier and gave auth users the read and invoke permissions. This was done on a member server which had the AD cmdlets installed (W2K8). My DCs are all W2K3 and some have the AD gateway services installed.
The code in the Form_Load event looks like this:
# Connect to the constrained "Util" endpoint and make it the default session for Invoke-Command
$Global:Session = New-PSSession -ComputerName W2K8MS -ConfigurationName Util
$RunUser = $env:username
$global:cred = Get-Credential "Contoso\$RunUser"
$PSDefaultParameterValues = @{
    "Invoke-Command:Session" = $Global:Session
}
And a typical command looks like this - One of the first things I do is get the user object for the running user:
$global:user = Invoke-Command -ScriptBlock {
    param ($cred, $user)
    Get-ADUser $user -Properties * -Credential $cred
} -ArgumentList $cred, $RunUser
Another example - I have to get a list of all groups the user is a member of but only those that manage other groups:
$ldapfilter = "(&(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))(managedobjects=*))"
$Managegroups = Invoke-Command -ScriptBlock {
    param ($cred, $lf)
    Get-ADGroup -LDAPFilter ($lf) -Properties managedobjects -Credential $cred
} -ArgumentList $cred, $ldapfilter
I think you get the idea…
Thanks heaps Don for your suggestions!
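Added example, not part of the original post: the group query above interpolates `$user.DistinguishedName` straight into an LDAP filter, so a DN containing `\`, `(`, `)` or `*` (for example "Smith\, John (Contractor)") produces a malformed or differently scoped filter. The sketch below escapes the value per RFC 4515 before building the same filter; `ConvertTo-LdapFilterValue`, `New-ManagerGroupFilter` and the sample DN are hypothetical names and constructed data.

```powershell
# Added example (hypothetical helper names, constructed sample DN).
# Escapes the characters RFC 4515 reserves inside an LDAP filter value.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Value)

    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ([int]$ch) {
            0x5c    { [void]$sb.Append('\5c') }   # backslash
            0x2a    { [void]$sb.Append('\2a') }   # asterisk
            0x28    { [void]$sb.Append('\28') }   # left parenthesis
            0x29    { [void]$sb.Append('\29') }   # right parenthesis
            0x00    { [void]$sb.Append('\00') }   # NUL
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# Builds the filter from the post: groups the DN is a (nested) member of
# that also manage other objects.
function New-ManagerGroupFilter {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $dn = ConvertTo-LdapFilterValue -Value $DistinguishedName
    "(&(member:1.2.840.113556.1.4.1941:=$dn)(managedobjects=*))"
}

# Constructed DN with characters that would break an unescaped filter.
$sampleDn = 'CN=Smith\, John (Contractor),OU=Staff,DC=contoso,DC=com'

$ldapfilter = New-ManagerGroupFilter -DistinguishedName $sampleDn
$ldapfilter
```

The resulting `$ldapfilter` string can be passed through `-ArgumentList` to the remote `Get-ADGroup -LDAPFilter` call exactly as in the post.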