I have registered a PowerShell Configuration for use but am running into some difficulties. The desire was to implement a configuration that would allow a service account to remote into a server and restart it without allowing it the ability to perform anything else; naturally, JEA seemed like the best fit. I registered the configuration with the following:
    # Create the role capability file (.psrc). It lives under a module's
    # RoleCapabilities folder so JEA can find it by name ('ServerRestarter').
    $ServerRestartRole2012 = @{
        Path            = "$env:ProgramFiles\WindowsPowerShell\Modules\JEAServerRestart\RoleCapabilities\ServerRestarter.psrc"
        Author          = "xx"
        Company         = "xx"
        VisibleCmdlets  = 'Restart-Computer'
        ModulesToImport = 'Microsoft.PowerShell.Management'
    }
    New-PSRoleCapabilityFile @ServerRestartRole2012

    # Create the JEA session configuration file (.pssc) and map the AD group
    # to the role capability above.
    $ServerRestartConfig2012 = @{
        Path                = "$env:ProgramData\JEA\JEAServerRestart.pssc"
        Author              = "xx"
        Description         = "Allows for service account to reboot servers for Server Management Application"
        SessionType         = "RestrictedRemoteServer"
        TranscriptDirectory = "$env:windir\Logs"
        RunAsVirtualAccount = $true
        RoleDefinitions     = @{ 'xx\D7_APP_ServerRestart' = @{ RoleCapabilities = 'ServerRestarter' } }
    }
    New-PSSessionConfigurationFile @ServerRestartConfig2012

    # Register the endpoint and restart WinRM so the new configuration is live.
    Register-PSSessionConfiguration -Name ServerRestarters -Path "$env:ProgramData\JEA\JEAServerRestart.pssc"
    Restart-Service -Name WinRM
The registration is successful and I can enter the session with an account contained in the 'D7_APP_ServerRestart' group. Using Get-Command results in what I would expect, but when running Restart-Computer the message that is returned explains "Privilege not held".
Am I missing part of the setup process?
The server with the registered endpoint is a 2012 R2.
As it turns out, after playing around a bit I found a resolution. Specifying a different protocol for the Restart-Computer cmdlet to use allowed it to restart the remote server.

    restart-computer -force

fails with "Permission not held".

    restart-computer -protocol WSMan -force

performed a successful remote reboot.
I'm sure there is a valid reason for this, I just haven't been able to find the documentation to support it.
Hopefully this will prevent future headaches for new JEA users.
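Building on the answer above, here is an added example (not the poster's code) of a tighter role capability for the same ServerRestarters endpoint: Restart-Computer is exposed only with the -Protocol WSMan and -Force parameters that were found to work, so a connecting account cannot add -ComputerName or -Credential to reboot other hosts, and Get-PSSessionCapability is used to confirm what the endpoint actually exposes. Paths and the module name come from the question; 'xx\svc_restart' is a placeholder account.

```powershell
# Added example, not from the original post. Rewrites the ServerRestarter.psrc
# from the question so that Restart-Computer is only callable with the parameters
# the answer found to work, then verifies the resulting capability.
$roleDir = "$env:ProgramFiles\WindowsPowerShell\Modules\JEAServerRestart\RoleCapabilities"
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null

$restrictedRole = @{
    Path            = Join-Path $roleDir 'ServerRestarter.psrc'
    Author          = 'xx'
    Company         = 'xx'
    ModulesToImport = 'Microsoft.PowerShell.Management'
    # Hashtable form of VisibleCmdlets: only the listed parameters are accepted
    # inside the JEA session, and Protocol is pinned to WSMan via ValidateSet.
    # -ComputerName and -Credential are deliberately absent, so the virtual
    # account can only restart the server hosting the endpoint.
    VisibleCmdlets  = @{
        Name       = 'Restart-Computer'
        Parameters = @(
            @{ Name = 'Protocol'; ValidateSet = 'WSMan' },
            @{ Name = 'Force' }
        )
    }
}
New-PSRoleCapabilityFile @restrictedRole

# The .psrc is read when a session is created, so no re-registration is needed.
# Check what a member of the mapped group would see before handing the endpoint
# to the service account. 'xx\svc_restart' is a placeholder user in that group.
$capability = Get-PSSessionCapability -ConfigurationName ServerRestarters -Username 'xx\svc_restart'

# Expect the JEA defaults (Get-Command, Get-FormatData, Select-Object, Measure-Object,
# Exit-PSSession, Out-Default, Clear-Host) plus a single Restart-Computer entry.
$capability | Select-Object Name, CommandType | Format-Table -AutoSize

$restart = $capability | Where-Object Name -eq 'Restart-Computer'
if (-not $restart) {
    Write-Warning 'Restart-Computer is not visible; check the RoleDefinitions group mapping.'
} else {
    # Only Protocol and Force (plus common parameters) should be listed here.
    'Visible Restart-Computer parameters: ' + ($restart.Parameters.Keys -join ', ')
}
```

Session transcripts land in the TranscriptDirectory from the question ($env:windir\Logs), so each reboot issued through the endpoint leaves a record of the account and the exact command line for review.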