- We have two options here. The first is to install all the RSAT tools you need on your utility servers.
- The second is to configure the Domain Controllers to allow PowerShell Remoting connections from accounts in a 'Protected' group. This post covers the second option.
Pre-Reqs
An Active Directory Organisational Unit (OU) with control delegated to Domain Admins only
An Active Directory Security Group in that 'Protected' OU
A user account, with a complex non-dictionary password, that is a member of that group
If you don't already have an Organisational Unit in the root of your Domain with control delegated to Domain Admins only, this is more of a benefit than you might think. It gives you an OU in which only Domain Admins can create, edit or delete AD objects, so the group and account that control remote access to your DCs cannot be tampered with by lesser delegated admins. Think about creating one.
Create a new Security Group called 'Admin-PowerShellRemoting-DCS'. This is the group we are going to grant access to our Domain Controllers.
Create a user account and make it a member of the 'Admin-PowerShellRemoting-DCS' group.
On your Domain Controller we now need to check the permissions of the Microsoft.PowerShell PSSessionConfiguration (the default remoting endpoint) using
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
and the result tells us that only BUILTIN\Administrators has access. No real surprise on a Domain Controller. (On Windows Server 2012 R2 and later you will also see BUILTIN\Remote Management Users listed by default; on a DC that is a domain-local group, so it is not a substitute for the dedicated group we are creating.)
Let's update the permissions in the PSSessionConfiguration to include the new AD group we created above.
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
Answer Yes when asked to confirm the configuration change.
In the dialog, add the 'Admin-PowerShellRemoting-DCS' group and grant it Read (Get, Enumerate, Subscribe) and Execute (Invoke) permissions.
Once you click Apply and OK you will be prompted again in your PowerShell window to confirm the changes. Set-PSSessionConfiguration then restarts the WinRM service to apply the new security descriptor, so run this from the console rather than over an existing remote session.
If we re-run
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
the dialog now lists the group, and the Permission property checked earlier reports it as AccessAllowed: all members of the Admin-PowerShellRemoting-DCS group can now connect to this Domain Controller and run commands over PSRemoting, in their own security context (they are not local administrators on the DC). The session configuration ACL lives in each server's local WSMan configuration, so repeat this on every Domain Controller the group needs to reach.
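As an added example, not code from the original post, here is the whole procedure (the pre-reqs plus the endpoint ACL) done end to end from an elevated PowerShell console on the Domain Controller, without the security descriptor UI. The group name is the one used above; the OU name 'Protected', the account name 'svc-dcremoting' and the DC name 'DC01' are assumptions. Instead of clicking through the dialog, the ACE is appended to the endpoint's SDDL directly, which is the same Read and Execute grant the dialog makes.

```powershell
#Requires -RunAsAdministrator
# Added example: run in an elevated console on the Domain Controller as a Domain Admin.
# ASSUMED placeholders: OU 'Protected', account 'svc-dcremoting', DC name 'DC01'.
Import-Module ActiveDirectory

$GroupName = 'Admin-PowerShellRemoting-DCS'
$OuName    = 'Protected'          # ASSUMED: the post only calls it the 'Protected' OU
$UserName  = 'svc-dcremoting'     # ASSUMED account name
$Endpoint  = 'Microsoft.PowerShell'
$DomainDN  = (Get-ADDomain).DistinguishedName

# 1. OU in the domain root where only Domain Admins can create, edit or delete objects:
#    block inheritance (dropping inherited ACEs) and keep an explicit full-control ACE for them.
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -PassThru
}
$ouPath = "AD:\$($ou.DistinguishedName)"
$acl = Get-Acl -Path $ouPath
$acl.SetAccessRuleProtection($true, $false)   # $true = block inheritance, $false = do not copy inherited ACEs
$daSid = (Get-ADGroup -Identity 'Domain Admins').SID
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $daSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
Set-Acl -Path $ouPath -AclObject $acl
# Review what remains from the default descriptor (e.g. Account Operators) and remove what you do not want:
(Get-Acl -Path $ouPath).Access | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize

# 2. Security group and user account inside that OU.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Global -GroupCategory Security -Path $ou.DistinguishedName
}
$grp = Get-ADGroup -Identity $GroupName
if (-not (Get-ADUser -Filter "SamAccountName -eq '$UserName'")) {
    $pw = Read-Host -Prompt "Complex, non-dictionary password for $UserName" -AsSecureString   # never hard-code it
    New-ADUser -Name $UserName -SamAccountName $UserName -Path $ou.DistinguishedName -AccountPassword $pw -Enabled $true
}
if (-not (Get-ADGroupMember -Identity $grp | Where-Object SamAccountName -eq $UserName)) {
    Add-ADGroupMember -Identity $grp -Members $UserName
}

# 3. Endpoint ACL: read the current descriptor, append an Allow ACE for the group, write it back.
$cfg  = Get-PSSessionConfiguration -Name $Endpoint
Write-Host "Before: $($cfg.Permission)"
$sid  = $grp.SID.Value
$sddl = $cfg.SecurityDescriptorSddl
if ($sddl -notlike "*$sid*") {
    # In SDDL, GR = generic read (Get/Enumerate/Subscribe in the UI) and GX = generic execute (Invoke).
    $ace = "(A;;GXGR;;;$sid)"
    # The DACL runs from 'D:' to the start of the SACL ('S:'); the new ACE goes at the end of the DACL.
    $sddl = if ($sddl -match '^(.*?D:.*?)(S:.*)$') { $Matches[1] + $ace + $Matches[2] } else { $sddl + $ace }
    # -Force skips the confirmation prompts; WinRM is restarted so the new descriptor takes effect.
    Set-PSSessionConfiguration -Name $Endpoint -SecurityDescriptorSddl $sddl -Force
}
Write-Host "After:  $((Get-PSSessionConfiguration -Name $Endpoint).Permission)"

# 4. Test from a utility server (not the DC), as the new user; DC01 is an ASSUMED DC name:
#    Invoke-Command -ComputerName DC01 -Credential "$env:USERDOMAIN\$UserName" -ScriptBlock { whoami }
```

Step 3 is per server, so run it on every Domain Controller; steps 1 and 2 are domain-wide and only run once. The group gets the default, full-language Microsoft.PowerShell endpoint; if its members only need a handful of commands on a Tier 0 host, a JEA constrained endpoint (Register-PSSessionConfiguration with a role capability) is the tighter option, and the same SDDL grant applies to that endpoint instead.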