My goal is to create an endpoint that allows non-administrative users to open a remote session to a server but only lets them execute specific cmdlets.
As a test, on my laptop, I created the ‘LockDown’ Session and only allowed the cmdlet ‘Get-Date’ to execute and gave the local account ‘BC’ Execute and Read Rights for the session.
Name           : LockDown
PSVersion      : 5.1
RunAsUser      :
Permission     : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed, W10-BCLPT\BC AccessAllowed
VisibleCmdlets : Get-Date
As the local administrator, I test the session and it works.
PS C:\Windows\system32> $s = New-PSSession -ComputerName localhost -ConfigurationName LockDown
PS C:\Windows\system32> Invoke-Command -Session $s -ScriptBlock {get-date}

Saturday, April 25, 2020 7:20:25 AM
When I try as the user ‘BC’, the command fails.
PS C:\Users\BC> $s = New-PSSession -ComputerName localhost -ConfigurationName LockDown
New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message : The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:6
+ $s = New-PSSession -ComputerName localhost -ConfigurationName LockDow ...
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : -2146959355,PSSessionOpenFailed
I have changed the rights for BC from Read and Execute to ‘Full’ and get the same error. I have also recreated the local ‘BC’ account and still receive the same issue. I’ve checked about_Remote_Troubleshooting and set my Trusted Hosts value to ‘*’ (for troubleshooting purposes), and I still can’t get a non-admin to invoke a command.
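As an added example (not part of the original post), this is how the same LockDown endpoint is commonly defined as a JEA session configuration, which exposes only the role's cmdlets, records a transcript of every session, and runs the session under a temporary virtual account rather than as the connecting user. The module name LockDownJEA, the file paths and the transcript directory are choices made for this example; W10-BCLPT\BC is the account from the post.

```powershell
# Added example (not from the original post): the "LockDown" endpoint as a
# JEA session configuration. Run from an elevated prompt.
# Assumptions: module name 'LockDownJEA', the paths and the transcript
# directory are example choices; 'W10-BCLPT\BC' is the account from the post.
$ErrorActionPreference = 'Stop'
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\LockDownJEA'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null

# A role capability (.psrc) must live in the RoleCapabilities folder of a
# module on the PSModulePath; the manifest makes the folder a valid module.
New-ModuleManifest -Path (Join-Path $moduleRoot 'LockDownJEA.psd1')
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'LockDownRole.psrc') `
    -VisibleCmdlets 'Get-Date'

# RestrictedRemoteServer exposes only the role's cmdlets plus a minimal
# built-in set (Get-Command, Exit-PSSession, ...). RunAsVirtualAccount runs
# the session under a temporary local account, so the connecting user's own
# rights on the machine are not what the session executes with.
$transcripts = 'C:\ProgramData\JEATranscripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$psscPath = Join-Path $env:TEMP 'LockDown.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'W10-BCLPT\BC' = @{ RoleCapabilities = 'LockDownRole' } }

# Validate the file before registering it; a malformed .pssc fails here
# rather than at connection time.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}

# -Force replaces an existing 'LockDown' endpoint; this restarts WinRM.
Register-PSSessionConfiguration -Name LockDown -Path $psscPath -Force | Out-Null
Get-PSSessionConfiguration -Name LockDown | Format-List Name, Permission

# --- Verification, run in a separate window as the non-admin user BC ---
# Get-Command inside the session lists what the endpoint actually exposes;
# besides the built-in proxies, only Get-Date should appear.
# Invoke-Command -ComputerName localhost -ConfigurationName LockDown `
#     -ScriptBlock { Get-Command | Select-Object -ExpandProperty Name }
# Invoke-Command -ComputerName localhost -ConfigurationName LockDown `
#     -ScriptBlock { Get-Date }
```

The transcript directory gives you a per-session record of who connected and which commands they ran, which is worth reviewing when testing who can and cannot reach the endpoint.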