Managing Windows Servers Centrally with PowerShell

Hi,

Can anyone help with ‘best practice’ around having a centralized server that has access to an entire server estate via WinRM? The idea is that we can do reporting on the various elements of the estate and in general manage it this way.

My issue is how I correctly permission a user account that will be scheduled to run some of these reports. The reports themselves need WMI access etc. I’ve done a bit of reading up and as I don’t want to assign it the admin privilege, it looks like this could get complicated. Just wondering if there is someone out there who has been through this? Is it best to use constrained endpoints?

Thanks

Nick

Hey there Nick,

You’re on the right path. Constrained endpoints or JEA would probably be your best option. The PowerShell team did a blog some time back on some of the differences. https://blogs.msdn.microsoft.com/powershell/2017/11/02/powershell-constrained-language-mode/

Thanks, I’ve just spent the last hour playing about with JEA. It’s a perfect fit I think, as I can use a non-admin service account with JEA running the virtual admin at the other end; seems the most simple option. Just need to make sure that any scripts we schedule have access to the cmdlets required.

I’ll have a read of that blog you posted.
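
Added example, not part of the thread: one way to set up the JEA endpoint discussed above, so that a non-admin service account connects over WinRM and its commands run under a temporary virtual account. The module, endpoint and account names, the paths, and the list of visible cmdlets are assumptions chosen for illustration.

```powershell
# Run elevated on each managed server (registering the endpoint restarts WinRM).
# Every name below is an assumed placeholder, not something from the thread.
$module   = 'ReportingJEA'            # hypothetical module name
$endpoint = 'Reporting'               # hypothetical endpoint name
$svcAcct  = 'CONTOSO\svc-reporting'   # hypothetical non-admin service account
$jeaDir   = Join-Path $env:ProgramData 'JEAConfiguration'

# JEA looks up role capabilities by name in a RoleCapabilities folder
# inside a module on PSModulePath.
$modRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$module"
New-Item -ItemType Directory -Path "$modRoot\RoleCapabilities" -Force | Out-Null
New-Item -ItemType Directory -Path "$jeaDir\Transcripts" -Force | Out-Null
New-ModuleManifest -Path "$modRoot\$module.psd1"

# Role: only the read-only cmdlets the scheduled reports need.
# Get-CimInstance is limited to -ClassName with two allowed WMI classes.
New-PSRoleCapabilityFile -Path "$modRoot\RoleCapabilities\ReportReader.psrc" -VisibleCmdlets @(
    'Get-Service',
    'Get-HotFix',
    @{ Name       = 'Get-CimInstance'
       Parameters = @{ Name        = 'ClassName'
                       ValidateSet = 'Win32_OperatingSystem', 'Win32_LogicalDisk' } }
)

# Session configuration: locked-down session, virtual account at the far end,
# a transcript of every session, and the service account mapped to the role.
$pssc = Join-Path $jeaDir "$endpoint.pssc"
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$jeaDir\Transcripts" `
    -RoleDefinitions @{ $svcAcct = @{ RoleCapabilities = 'ReportReader' } }

# Validate the file, then register the endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name $endpoint -Path $pssc -Force

# List exactly which commands the service account will see in the endpoint.
Get-PSSessionCapability -ConfigurationName $endpoint -Username $svcAcct

# From the central server, as the service account (SERVER01 is a placeholder):
# Invoke-Command -ComputerName SERVER01 -ConfigurationName Reporting -ScriptBlock { Get-Service }
```

The virtual account is a local administrator on the server, so the visible command list is the real security boundary. Keep it to read-only cmdlets and check the `Get-PSSessionCapability` output against what each scheduled script calls.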