Hi, I want to allow standard users (two colleagues from network department) to run PowerShell function which utilize PowerShell remoting to restart two particular services on any client Windows 7 machine (both 32-bit and 64-bit) in my domain. I could create custom endpoint but how to propagate that to all clients in domain? Using Register-PSSessionConfiguration -Path … line as startup script and deploy it with GPO where path to PSSessionConfigurationFile will be shared somewhere or there is specific settings for this in GPO thus avoiding script.
New-PSSessionConfigurationFile -Path d:\helpdesk.pssc -VisibleCmdlets ‘Get-Service’,‘Restart-Service’,‘Start-Service’,‘Write-Verbose’
Register-PSSessionConfiguration -Path d:\helpdesk.pssc -Name HelpDesk -SecurityDescriptorSddl ‘O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGWGR;;;S-1-5-21-2110864988-1402720814-1268240735-1578)(A;;GXGWGR;;;S-1-5-21-2110864988-1402720814-1268240735-1572)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)’ -NoServiceRestart -RunAsCredential domainName\domainAdminAccount
Creating configuration file is straightforward but creating custom endpoint and distributing it to all client computers in domain is tricky, particularly since -RunAsCredential will prompt for password thus it will not be possible remotely. Again I need that custom endpoint on all client computers. Plus I have just checked - in PowerShell v2 running on all client computers (Windows 7) there is no -Path parameter for Register-PSSessionConfiguration cmdlet.
Rather than registering an endpoint on all the client machines I would have thought you could register one endpoint on a server using an account that has permissions to remotely restart services on client machines, then your network team could connect to that and run Get-Service -Computer | Stop-Service
You would want to do some filtering on the Computer parameter so they can only target the machines you want.
All cmdlets which use -ComputerName utilize RPC (DCOM) and port number on target computer is not fixed which is one of many flaws of RPC (not single well known port for this purpose). PowerShell function restarts services via PS Remoting (port 5985) which is always open on all target computers (I did that via GPO - enabling PS remoting). Unfortunately I do not have other way of doing this since network profile on target computers for some reason changes from domain to public and blocks myriad of ports including the RPC ports hence Get-Service -ComputerName TargetComputer -Name NlaSvc | Restart-Service will not work regardless of computer where command was run from. If RPC ports had not been blocked that would have been piece of cake - I would have delegated rights to start/stop/restart these two services to the network team and they would have been able to do that with their standard domain user account. Blocked ports for RPC leave me with PS remoting as only viable option but of course standard users do not have permission to make remoting session to any default PS endpoint.
I’m not certain if this would work, but could you register one endpoint on a server with DA credentials and allow the users to only run a script or function that would take the computer name as a parameter and then call Invoke-Command against that computer?
So you would be using PowerShell remoting from a remote endpoint - as I say, not sure if that would work or not.