Just Enough Administration (JEA)

I was recently working with a client who wanted their service desk to be able to administer a Windows Server 2016 machine without being given local administrator rights on it or the ability to log on to it remotely.

There is a purpose-built solution to this: Just Enough Administration (JEA). JEA is built into Windows Server 2016+ and Windows 10 1607+, and can be added to older server and client versions by installing Windows Management Framework 5.1 (see the prerequisites: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/prerequisites?view=powershell-7).

JEA lets you create constrained PowerShell remoting endpoints with role-based access control. Inside a JEA endpoint a non-administrator can run only the specific cmdlets, scripts and executables you expose, and they run under a temporary virtual account that is a local administrator on the machine, so the user's own account never needs admin rights.

My client wanted the ability for users to:

Restart-Service/Stop-Service/Start-Service
Restart-Computer
Get-WinEvent/Get-EventLog

Role Capability file

The first thing to do is create a Role Capability file with New-PSRoleCapabilityFile -Path SRVRoleCapability.psrc. For JEA to find the role by name, the .psrc must sit in a RoleCapabilities folder inside a module under $env:ProgramFiles\WindowsPowerShell\Modules.

This file contained VisibleCmdlets = 'Restart-Service', 'Stop-Service', 'Start-Service', 'Restart-Computer', 'Get-WinEvent', 'Get-EventLog'. Each entry can also be a hash table that restricts which parameters (and which parameter values) the role may pass, which is worth doing for cmdlets such as Restart-Computer and Stop-Service that would otherwise accept any -ComputerName or any service name.

PowerShell Session Configuration file

I then created a security group in Active Directory, used to add and remove the users allowed to use the role capability. That group is mapped to the role in the RoleDefinitions of a session configuration file (SRV.pssc, created with New-PSSessionConfigurationFile), and the configuration is registered as a JEA endpoint on the machine with Register-PSSessionConfiguration -Name JEA_OperatorSession -Path "$env:ProgramData\JEAConfiguration\SRV.pssc"

Members of the group then connect to the constrained endpoint with Enter-PSSession -ComputerName <COMPUTERNAMETOMANAGE> -ConfigurationName JEA_OperatorSession -Credential $credential
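The full build-out of the role, session configuration and endpoint described above, as an added example that is not code from the original post. It assumes a hypothetical AD group CONTOSO\JEA-ServiceDeskOperators, a hypothetical module name JEAConfiguration, a hypothetical target server SRV01 and a hypothetical list of services the desk may stop; the page itself names only the .psrc and .pssc files and the JEA_OperatorSession endpoint. It also goes one step beyond the text by pinning the parameters each cmdlet may take.

```powershell
# Added example (not from the original post). Run on the server to be managed,
# from an elevated Windows PowerShell 5.1 session. Hypothetical values: the AD
# group, the module name, the server name SRV01 and the ValidateSet services.

$ModuleName  = 'JEAConfiguration'
$ModulePath  = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleCapPath = Join-Path $ModulePath 'RoleCapabilities'

# Role capabilities are resolved by file name, but only from a RoleCapabilities
# folder of an installed module, so create a minimal module to hold the .psrc.
New-Item -Path $RoleCapPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# 1. Role capability: what the service desk may run. Hash-table entries pin the
#    allowed parameters, so Restart-Computer cannot be given -ComputerName and
#    Stop-Service cannot stop arbitrary services (the list here is hypothetical).
$roleCapability = @{
    Path           = Join-Path $RoleCapPath 'SRVRoleCapability.psrc'
    VisibleCmdlets = @(
        @{ Name = 'Start-Service';    Parameters = @{ Name = 'Name' } }
        @{ Name = 'Restart-Service';  Parameters = @{ Name = 'Name' } }
        @{ Name = 'Stop-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
        @{ Name = 'Restart-Computer'; Parameters = @{ Name = 'Force' } }
        'Get-WinEvent'
        'Get-EventLog'
    )
}
New-PSRoleCapabilityFile @roleCapability

# 2. Session configuration: a restricted endpoint that maps the AD group to the
#    role, runs each session as a temporary local-admin virtual account and
#    writes an over-the-shoulder transcript of every session.
$psscPath = Join-Path $env:ProgramData 'JEAConfiguration\SRV.pssc'
New-Item -Path (Split-Path $psscPath) -ItemType Directory -Force | Out-Null
$sessionConfig = @{
    Path                = $psscPath
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = Join-Path $env:ProgramData 'JEAConfiguration\Transcripts'
    RoleDefinitions     = @{
        'CONTOSO\JEA-ServiceDeskOperators' = @{ RoleCapabilities = 'SRVRoleCapability' }
    }
}
New-PSSessionConfigurationFile @sessionConfig

# Fail fast on a malformed .pssc before it is registered.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath is invalid"
}

# 3. Register the endpoint. -Force suppresses the WinRM restart prompt.
Register-PSSessionConfiguration -Name 'JEA_OperatorSession' -Path $psscPath -Force | Out-Null

# 4. Verify from a client as a member of the group. Get-Command inside the
#    session should list only the role's cmdlets plus JEA's small default set.
$credential = Get-Credential -Message 'Service desk account'
$session    = New-PSSession -ComputerName 'SRV01' -ConfigurationName 'JEA_OperatorSession' -Credential $credential
Invoke-Command -Session $session -ScriptBlock { Get-Command } | Select-Object -ExpandProperty Name
Invoke-Command -Session $session -ScriptBlock { Restart-Service -Name Spooler }   # allowed by the role
Invoke-Command -Session $session -ScriptBlock { Get-Process }                     # rejected: not visible in this role
Remove-PSSession $session
```

Enter-PSSession is the interactive equivalent of the New-PSSession/Invoke-Command pair at the end; the non-interactive form is used here so the checks can be scripted. The RoleCapabilities value in RoleDefinitions is the .psrc file name without its extension, which is why the module layout in step 1 matters.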
