Reputation: 31
I'm looking for help to properly configure PowerShell Remoting for non-admins on a group of servers. Right now we have a working configuration that allows Admin Domain accounts to successfully connect to the servers with no error. The authentication method we are using is Credssp, using SSL and this works perfectly for a Domain admin account.
On the other hand I have this User Domain Account userTest. This account is mapped to a Domain Group that maps locally (on each server) to the Remote Desktop User Groups. This allows for this user to RDP successfully to this server but has no administrator privileges. It is going to stay that way and it is not an option to make it Local Administrator.
The purpose of this user is to allow non-admin accounts to execute a set of scripts against the server using a Restricted Session, when connecting with a Domain Admin Account. The problem comes when I'm trying to connect with the userTest account. The server responds with an Access is Denied error:
[ServerA] Connecting to remote server ServerA failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (ServerA:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
Going through the Analytic EventLogs I found an error message as follows:
The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered.
This is the configuration that I have already setup:
Created a PSSessionConfiguration named RemoteDesktopUsers
Register-PSSessionConfiguration -Name RemoteDesktopUsers -StartupScript C:\Start.ps1
Set-PSSessionConfiguration -Name RemoteDesktopUsers -ShowSecurityDescriptorUI (Added Remote Desktop Users group to this SessionConfiguration)
So yeah, basically from what I have already Googled, this should be all the necessary configuration that you need to be able to PSRemote with non-admin accounts. As I already mentioned, using a Domain Admin Account connecting to this SessionConfiguration works fine, so I was thinking that I'm missing some kind of permission/privilege/SDDL that allows this user to access:
Windows Server 2008 R2 SP1
Powershell 4.0
Winrm ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 3.0
Upvotes: 3
Views: 1665
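An added example, not code from the question or the answer: the same RemoteDesktopUsers endpoint registered with an explicit, reviewable SDDL and a restricted session type instead of the ACL dialog, then a client-side check that uses default (Kerberos) authentication. The names RemoteDesktopUsers, ServerA, userTest and C:\Start.ps1 come from the question; the .pssc path and the visible-cmdlet list are assumptions.

```powershell
# Added example (not the question's or answer's own code). Run on ServerA as an administrator.
# Goal: an endpoint that members of a non-admin local group may connect to, exposing only a
# fixed set of commands, without making those users local administrators.

# 1. Session configuration file. RestrictedRemoteServer disables the interactive language
#    features, so callers can only run what -VisibleCmdlets allows (assumed list below).
$cfgPath = 'C:\PSConfigs\RemoteDesktopUsers.pssc'   # assumed path
New-Item -ItemType Directory -Path (Split-Path $cfgPath) -Force | Out-Null
New-PSSessionConfigurationFile -Path $cfgPath `
    -SessionType RestrictedRemoteServer `
    -VisibleCmdlets 'Get-Service', 'Get-Process' `
    -ScriptsToProcess 'C:\Start.ps1'

# 2. Resolve the local group to its SID so the descriptor is explicit and can be diffed
#    against whatever -ShowSecurityDescriptorUI wrote.
$account  = New-Object System.Security.Principal.NTAccount('BUILTIN\Remote Desktop Users')
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
# GA = full access to the endpoint; BA = Builtin Administrators; D:P = protected DACL.
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$groupSid)"

# 3. (Re)register the endpoint with that descriptor. Register-PSSessionConfiguration
#    restarts the WinRM service; -Force suppresses the confirmation prompts.
if (Get-PSSessionConfiguration -Name RemoteDesktopUsers -ErrorAction SilentlyContinue) {
    Unregister-PSSessionConfiguration -Name RemoteDesktopUsers -Force
}
Register-PSSessionConfiguration -Name RemoteDesktopUsers -Path $cfgPath `
    -SecurityDescriptorSddl $sddl -Force

# 4. Print the effective permission string for review.
(Get-PSSessionConfiguration -Name RemoteDesktopUsers).Permission

# 5. From the client, as userTest, with default authentication rather than CredSSP.
#    Only the cmdlets listed in step 1 are available inside this session.
# Enter-PSSession -ComputerName ServerA -ConfigurationName RemoteDesktopUsers `
#     -Credential (Get-Credential 'DOMAIN\userTest')
```

The Permission string in step 4 should list both BUILTIN\Administrators and BUILTIN\Remote Desktop Users with AccessAllowed; if the group is missing there, the endpoint's descriptor, not CredSSP, is what denies the connection.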
Reputation: 13537
You're probably running into this problem because of using CredSSP
Any particular reason you have to use CredSSP? The most popular use of CredSSP is provided for situations in which you need to configure a jump server to remote from one machine, into another, and from there out again to another server. It's well-known as Second-Hop functionality and is such a huge security hole that CredSSP is kind of a pain to configure, intentionally.
You have to configure CredSSP in three places, once on your machine from which you'll be remoting, then again on the machine you'll be jumping to, and finally on each machine you'll be connecting to from the jump server.
If you really have to use CredSSP, follow this great guide here on The Scripting Guy's blog.
If you don't need CredSSP
Try this whole process using Default/WSman authorization, and I bet the problems will go away.
Upvotes: 1