PART 2
Chapter 7: Understanding session configurations
In chapter 2, we saw that whenever PowerShell remoting is enabled, the default session configurations get registered. Also, Invoke-Command, Enter-PSSession and New-PSSession cmdlets have a – ConfigurationName parameter which can be used to specify a different session configuration than the default one. So, what are these session configurations?
So, in this part, we will look at all the PS session configuration cmdlets; discuss how to create custom PS
Session configurations and the need for it. Let us dive in to this now.
What is a PS Session configuration?
A session configuration can be used to define
When you enable PowerShell remoting using Enable-PSRemoting, you will see a final step performing Microsoft.PowerShell and Microsoft.PowerShell32 (on x64 systems) session configuration registrations. These default session configurations are used when the remote users connecting to local system do not specify a configuration name. By default, only members of administrators group have access to these two session configurations. Hence, only members of administrators group will be able to create remoting sessions by default.
Based on the above description, PowerShell session configurations can be used to
In this chapter, we will look at session configurations and see how we can create custom session configurations. We will discuss delegated administration at depth in a later chapter.
Cmdlets available to manage session configurations
The following cmdlets are available to manage session configuration.
1. Register-PSSessionConfiguration
2. Unregister-PSSessionConfiguration
3. Enable-PSSessionConfiguration
4. Disable-PSSessionConfiguration
5. Set-PSSessionConfiguration
6. Get-PSSessionConfiguration
Creating a new session configuration
Register-PSSessionConfiguration cmdlet can be used to create a new session configuration. You can use a C# assembly or a PowerShell script as a startup script for this new session configuration. This startup script can be used to customize the remoting experience. For example, create a script the imports Active Directory module using import-module cmdlet as shown here.
Import-Module ActiveDirectory
Save this script as startupscript.ps1 or any name of your choice on the local computer. Now, use the Register-PSSessionConfiguration cmdlet to create a new session configuration. This can be done by running
Register-PSSessionConfiguration -Name "ActiveDirectory" -StartupScript C:\scripts\StartupScript.ps1
You will be prompted to confirm this action and at the end to restart WinRM service on the local computer.
Note
List available session configurations
From the local computer
Get-PSSessionConfiguration cmdlet lists all the available session configurations on the local computer.
Figure 8 Get-PSSessionConfiguration
As you see in the above output, Get-PSSessionConfiguration lists all available session configurations on the local computer and who has permission to access the configuration. No permissions have been assigned yet to the new active directory configuration.
From a remote computer
Get-PSSessionConfiguration cmdlet cannot be used to access a list of PS Session configurations from a remote computer. However, we can use Get-WSManInstance cmdlet to achieve this.
Get-WSManInstance winrm/config/plugin -Enumerate -ComputerName SP2010-WFE | Where ` { $_.FileName -like '*pwrshplugin.dll'} | Select Name
This will list all the session configuration names as available on the remote computer. You can then use one of the session configurations to connect to the remote computer using PowerShell remoting.
Note
Custom permissions and PS Session configurations
You can use Set-PSSessionConfiguration to allow access to invoke the new session configuration. To do this,
Set-PSSessionConfiguration -Name ActiveDirectory -ShowSecurityDescriptorUI
This opens up the dialog to add permissions to invoke this session configuration. As you see in the screenshot here, administrators group has no invoke permission on this session configuration.
Figure 9 Security descriptor UI
Select Allow -> (Execute) Invoke permission and click OK. You will be prompted to restart the WinRM service. Now, an administrator or a member of administrators group will be able to use this session configuration. Similarly, you can add a non-administrator user to the list of users/groups and then assign appropriate permissions. This way, you can have non-administrator uses to remote in to the local computer using PowerShell remoting. You can read more on this in the next chapter.
Invoking a custom session configuration
You can use New-PSSession, Enter-PSSession and Invoke-Command cmdlets to load a session configuration other than the default configuration. The ConfigurationName parameter can be used to specify the session configuration. The following code snippet shows three different ways to invoke a remote session using a custom session configuration name.
$s = New-PSSession -ComputerName SP2010-WFE -ConfigurationName ActiveDirectory
Enter-PSSession -ComputerName SP2010-WFE -ConfigurationName ActiveDirectory
Invoke-Command -ComputerName SP2010-WFE -ConfigurationName ActiveDirectory -ScriptBlock {Get-Process}
Note
In an earlier chapter, we used Invoke-Command to load the active directory module within a persistent session and then use that persistent session to import active directory cmdlets in to local session. However, by using a session configuration that import active directory module as a startup script, we will have all the AD cmdlets available as soon as we connect to the remote session.
Disable a session configuration
You can use Disable-PSSessionConfiguration cmdlet to disable an existing session configuration and prevents users from connecting to the local computer by using this session configuration. You can use Name parameter to specify what session configuration you want to disable. If you do not specify a configuration name, the default Microsoft.PowerShell session configuration will be disabled.
The Disable-PSSessionConfiguration cmdlet adds a “deny all” setting to the security descriptor of one or more registered session configurations. As a result, you can unregister, view, and change the configurations, but you cannot use them in a session. Disable-PSRemoting cmdlet will disable all PS Session configurations available on the local computer.
Enable-PSSessionConfiguration cmdlet can be used to enable a disabled configuration. You can use Name parameter to specify what session configuration you need to enable.
Delete a session configuration
You can use Unregister-PSSessionConfiguration cmdlet to delete a previously defined session configuration. It is quite possible to delete the default session configuration — Microsoft.PowerShell — using this cmdlet. However, this default session configuration gets re-created if you re-run EnablePSRemoting cmdlet.
Summary
In this chapter, we looked at the basics of PowerShell session configurations and how to create custom configurations. We also looked at cmdlets to manage these session configurations. By default, it is necessary that you need to a part of local administrators group to remote in to computer. However, using custom session configuration and permissions assigned to these configurations, we can enable a non-administrator user to remote in to a computer using PowerShell remoting.