Date: 2017-03-23

Q. How can I create a restricted alternate PowerShell session configuration for remote usage?

A. By default, a server has a number of session configurations that can be connected to for remote execution, and the default configuration allows only members of the local Administrators and Remote Management Users groups to connect. It is possible to add additional session configurations that allow a different set of users to connect.

Register-PSSessionConfiguration -Name "DCMs"

Set-PSSessionConfiguration -Name "DCMs" -ShowSecurityDescriptorUI

Get-PSSessionConfiguration -Name "DCMs"

Note that -ShowSecurityDescriptorUI opens a graphical interface for setting the permissions on who can access the configuration. It's also possible to do this via script:

$pssc = Get-PSSessionConfiguration -Name "DCMs"

$psscSd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $pssc.SecurityDescriptorSddl)



$Principal = "savilltech\DCMs"

$account = New-Object System.Security.Principal.NTAccount($Principal)

$accessType = "Allow"

$accessMask = 268435456 # 0x10000000 = GENERIC_ALL (full control)

$inheritanceFlags = "None"

$propagationFlags = "None"

$psscSd.DiscretionaryAcl.AddAccess($accessType,$account.Translate([System.Security.Principal.SecurityIdentifier]),$accessMask,$inheritanceFlags,$propagationFlags)



Set-PSSessionConfiguration -Name "DCMs" -SecurityDescriptorSddl $psscSd.GetSddlForm("All") -Force
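After changing a descriptor it is worth confirming exactly who it now admits. The following is an added example, not part of the original article: the function name Get-SessionConfigAccess is hypothetical and the sample SDDL string is constructed from well-known SIDs.

```powershell
# Added example: decode a session configuration's SDDL into principal/rights pairs.
function Get-SessionConfigAccess {
    param([Parameter(Mandatory)][string]$Sddl)

    # Standard Windows generic access bits, as used in session configuration ACLs.
    $rights = [ordered]@{
        'GenericAll'     = 0x10000000   # 268435456, the mask used in the script above
        'GenericExecute' = 0x20000000
        'GenericWrite'   = 0x40000000
        'GenericRead'    = 0x80000000
    }

    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Resolve the SID to an account name; fall back to the raw SID if it cannot be mapped.
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }

        $granted = foreach ($r in $rights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        [pscustomobject]@{
            Principal = $name
            Type      = $ace.AceQualifier      # AccessAllowed or AccessDenied
            Rights    = $granted -join ','
        }
    }
}

# Constructed sample: Administrators (S-1-5-32-544) and
# Remote Management Users (S-1-5-32-580), both with full access.
$sample = 'O:NSG:BAD:P(A;;GA;;;S-1-5-32-544)(A;;GA;;;S-1-5-32-580)'
Get-SessionConfigAccess -Sddl $sample

# On a server (elevated prompt), review every registered configuration,
# skipping any that report no security descriptor.
Get-PSSessionConfiguration | Where-Object SecurityDescriptorSddl | ForEach-Object {
    $config = $_.Name
    Get-SessionConfigAccess -Sddl $_.SecurityDescriptorSddl |
        Select-Object @{n='Configuration';e={$config}}, Principal, Type, Rights
}
```

Any principal listed for "DCMs" other than the intended group, or any unexpected AccessAllowed entry on another configuration, is worth reviewing.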

To use the configuration specify it as a parameter, e.g.