I’ve got my head around JEA and the thinking behind constrained endpoints vs traditional RBAC, but one thing still confuses me slightly. JEA controls cmdlets on the endpoint on which you’re carrying out a task and the permissions required on that box to run them, but what happens when you run a cmdlet/script that can require permissions on other servers to complete? Let’s take DFS for example; think of this scenario.
You have two new web servers that require a shared IIS config, you use a script to build those and configure IIS on them. Within that script is the DFS part that has a dependency on you having the correct AD permissions to be able to create the new DFS shares locally and publish that namespace to AD. How does this work with JEA?
I think I know how it’ll work, I’d need to create an endpoint constraint on the Domain Controller restricting the use of DFS commands to the user. But will I then need to change the script to cater for JEA in that I now need to connect directly to a DC and run those commands? Or does JEA handle that?
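JEA constraints apply only to the endpoint a session is connected to, so the DFS step on the Domain Controller needs its own constrained endpoint, which the build script then targets explicitly. The following is an added example of what that DC-side endpoint could look like; it is not code from the original post, and the group name CONTOSO\WebBuilders, the gMSA CONTOSO\svc-jea-dfs$, the namespace \\contoso.com\WebConfig and the module path are assumed values.

```powershell
# Added example (not from the original post): a JEA endpoint on the DC that exposes
# only the DFS-N cmdlets the web server build script needs for its DFS step.
# Assumed: CONTOSO\WebBuilders (allowed group), CONTOSO\svc-jea-dfs$ (gMSA),
# namespace \\contoso.com\WebConfig, module folder DfsJea under the machine module path.

$modulePath = 'C:\Program Files\WindowsPowerShell\Modules\DfsJea'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'DfsJea.psd1') -RootModule $null

# Role capability: only the DFS-N cmdlets, with the namespace path pinned so the
# role cannot create or alter roots and folders outside the one the script builds.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DfsOperator.psrc') `
    -ModulesToImport 'DFSN' `
    -VisibleCmdlets @(
        'Get-DfsnRoot',
        @{ Name = 'New-DfsnRoot'
           Parameters = @{ Name = 'Path';       ValidatePattern = '^\\\\contoso\.com\\WebConfig$' },
                        @{ Name = 'TargetPath' },
                        @{ Name = 'Type';       ValidateSet = 'DomainV2' } },
        @{ Name = 'New-DfsnFolder'
           Parameters = @{ Name = 'Path';       ValidatePattern = '^\\\\contoso\.com\\WebConfig\\' },
                        @{ Name = 'TargetPath' } }
    )

# Session configuration: RestrictedRemoteServer (NoLanguage mode), running as a gMSA
# so the session has a domain identity for publishing the namespace to AD, with
# transcripts kept for review. Only members of the assumed group get the role.
$sessionConfig = Join-Path $modulePath 'DfsOperator.pssc'
New-PSSessionConfigurationFile -Path $sessionConfig `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CONTOSO\svc-jea-dfs$' `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\WebBuilders' = @{ RoleCapabilities = 'DfsOperator' } }

# Validate the .pssc before registering; Test-PSSessionConfigurationFile returns $true/$false.
if (-not (Test-PSSessionConfigurationFile -Path $sessionConfig)) {
    throw "Invalid session configuration file: $sessionConfig"
}
Register-PSSessionConfiguration -Name 'DfsOperator' -Path $sessionConfig -Force

# The build script then runs its DFS step against this endpoint explicitly (constructed call,
# dc01 is an assumed host name); anything outside the role's cmdlet set is rejected there.
# Invoke-Command -ComputerName dc01 -ConfigurationName DfsOperator -ScriptBlock {
#     New-DfsnRoot -Path '\\contoso.com\WebConfig' -TargetPath '\\web01\WebConfig' -Type DomainV2
# }
```

Run the registration on the Domain Controller as an administrator; the calling user's own account never receives DFS or AD rights, the constrained session does.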