A Layman's Guide to PowerShell 2.0 Remoting by Revikanth Chaganti & Jan Egil Ring - HTML preview


PART 2

Chapter 7: Understanding session configurations

In chapter 2, we saw that whenever PowerShell remoting is enabled, the default session configurations get registered. Also, the Invoke-Command, Enter-PSSession and New-PSSession cmdlets have a -ConfigurationName parameter, which can be used to specify a session configuration other than the default one. So, what are these session configurations?

In this part, we will look at all the PS session configuration cmdlets and discuss how to create custom PS session configurations and why they are needed. Let us dive into this now.

What is a PS Session configuration?

A session configuration can be used to define

  • Who can create a Windows PowerShell session on the local computer
  • What level of access — to cmdlets, scripts and PowerShell language — they have on the local computer, etc.

When you enable PowerShell remoting using Enable-PSRemoting, you will see a final step that registers the Microsoft.PowerShell and Microsoft.PowerShell32 (on x64 systems) session configurations. These default session configurations are used when remote users connecting to the local system do not specify a configuration name. By default, only members of the Administrators group have access to these two session configurations. Hence, only members of the Administrators group will be able to create remoting sessions by default.

Based on the above description, PowerShell session configurations can be used to 

  • customize the remoting experience for users
  • delegate administration by creating session configurations with varying levels of access to the system

In this chapter, we will look at session configurations and see how we can create custom session configurations. We will discuss delegated administration in depth in a later chapter.

Cmdlets available to manage session configurations

The following cmdlets are available to manage session configuration. 

1. Register-PSSessionConfiguration

2. Unregister-PSSessionConfiguration

3. Enable-PSSessionConfiguration

4. Disable-PSSessionConfiguration

5. Set-PSSessionConfiguration

6. Get-PSSessionConfiguration  

Creating a new session configuration

The Register-PSSessionConfiguration cmdlet can be used to create a new session configuration. You can use a C# assembly or a PowerShell script as a startup script for this new session configuration. This startup script can be used to customize the remoting experience. For example, create a script that imports the Active Directory module using the Import-Module cmdlet, as shown here.

Import-Module ActiveDirectory

Save this script as startupscript.ps1 or any name of your choice on the local computer. Now, use the Register-PSSessionConfiguration cmdlet to create a new session configuration. This can be done by running  

Register-PSSessionConfiguration -Name "ActiveDirectory" -StartupScript C:\scripts\StartupScript.ps1

You will be prompted to confirm this action and at the end to restart WinRM service on the local computer. 


List available session configurations

From the local computer

Get-PSSessionConfiguration cmdlet lists all the available session configurations on the local computer. 


Figure 8 Get-PSSessionConfiguration

As you see in the above output, Get-PSSessionConfiguration lists all available session configurations on the local computer and who has permission to access each configuration. No permissions have been assigned yet to the new ActiveDirectory configuration.

From a remote computer

The Get-PSSessionConfiguration cmdlet cannot be used to access a list of PS session configurations from a remote computer. However, we can use the Get-WSManInstance cmdlet to achieve this.

Get-WSManInstance winrm/config/plugin -Enumerate -ComputerName SP2010-WFE | Where-Object { $_.FileName -like '*pwrshplugin.dll' } | Select-Object Name

This will list all the session configuration names as available on the remote computer. You can then use one of the session configurations to connect to the remote computer using PowerShell remoting. 


Custom permissions and PS Session configurations

You can use Set-PSSessionConfiguration to grant permission to invoke the new session configuration. To do this, run

Set-PSSessionConfiguration -Name ActiveDirectory -ShowSecurityDescriptorUI

This opens up the dialog to add permissions to invoke this session configuration. As you see in the screenshot here, the administrators group has no invoke permission on this session configuration.


Figure 9 Security descriptor UI

Select Allow -> (Execute) Invoke permission and click OK. You will be prompted to restart the WinRM service. Now, an administrator or a member of the administrators group will be able to use this session configuration. Similarly, you can add a non-administrator user to the list of users/groups and then assign appropriate permissions. This way, you can allow non-administrator users to remote in to the local computer using PowerShell remoting. You can read more on this in the next chapter.

Invoking a custom session configuration

You can use New-PSSession, Enter-PSSession and Invoke-Command cmdlets to load a session configuration other than the default configuration. The ConfigurationName parameter can be used to specify the session configuration. The following code snippet shows three different ways to invoke a remote session using a custom session configuration name.

$s = New-PSSession -ComputerName SP2010-WFE -ConfigurationName ActiveDirectory           

Enter-PSSession -ComputerName SP2010-WFE -ConfigurationName ActiveDirectory           

Invoke-Command -ComputerName SP2010-WFE -ConfigurationName ActiveDirectory -ScriptBlock {Get-Process}


In an earlier chapter, we used Invoke-Command to load the Active Directory module within a persistent session and then used that persistent session to import Active Directory cmdlets into the local session. However, by using a session configuration that imports the Active Directory module in its startup script, we will have all the AD cmdlets available as soon as we connect to the remote session.

Disable a session configuration

You can use the Disable-PSSessionConfiguration cmdlet to disable an existing session configuration and prevent users from connecting to the local computer by using this session configuration. You can use the Name parameter to specify which session configuration you want to disable. If you do not specify a configuration name, the default Microsoft.PowerShell session configuration will be disabled.

The Disable-PSSessionConfiguration cmdlet adds a “deny all” setting to the security descriptor of one or more registered session configurations. As a result, you can unregister, view, and change the configurations, but you cannot use them in a session. Disable-PSRemoting cmdlet will disable all PS Session configurations available on the local computer. 

Enable-PSSessionConfiguration cmdlet can be used to enable a disabled configuration. You can use Name parameter to specify what session configuration you need to enable.
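
The permissions from the "Custom permissions" section and the "deny all" entry described above both live in the configuration's security descriptor. The following added example (not from the book) parses that descriptor with .NET's CommonSecurityDescriptor and reports who is allowed in and whether the configuration is disabled; the function name Get-SessionConfigurationAccess, the SDDL strings and the domain SID are constructed for illustration.

```powershell
# Added example: report who a session configuration's security descriptor admits.
function Get-SessionConfigurationAccess {
    param([string] $Name, [string] $Sddl)

    $report = New-Object PSObject -Property @{ Name = $Name; Disabled = $false; Allow = @(); Deny = @() }
    if ([string]::IsNullOrEmpty($Sddl)) { return $report }    # no descriptor assigned yet

    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }                           # unresolvable SID: keep it raw

        # Generic rights as they appear in the SDDL (GA, GX)
        if     ($ace.AccessMask -band 0x10000000) { $right = 'Full Control' }      # GENERIC_ALL
        elseif ($ace.AccessMask -band 0x20000000) { $right = 'Execute (Invoke)' }  # GENERIC_EXECUTE
        else   { $right = 'mask 0x{0:X8}' -f $ace.AccessMask }

        if ($ace.AceQualifier -eq 'AccessDenied') {
            $report.Deny += "$who : $right"
            # The "deny all" setting: Everyone (S-1-1-0) denied all access
            if ($sid.Value -eq 'S-1-1-0' -and ($ace.AccessMask -band 0x10000000)) {
                $report.Disabled = $true
            }
        } else {
            $report.Allow += "$who : $right"
        }
    }
    return $report
}

# Constructed SDDL strings (not from a real host); the domain SID is a placeholder.
$samples = @{
    'Microsoft.PowerShell' = 'O:NSG:BAD:P(A;;GA;;;BA)'
    'ActiveDirectory'      = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GX;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
    'OldConfig'            = 'O:NSG:BAD:P(D;;GA;;;WD)(A;;GA;;;BA)'
    'Unassigned'           = ''
}
foreach ($n in $samples.Keys) {
    Get-SessionConfigurationAccess -Name $n -Sddl $samples[$n] |
        Select-Object Name, Disabled, @{ n = 'Allow'; e = { $_.Allow -join '; ' } }
}

# On a live computer, feed it real data instead:
# Get-PSSessionConfiguration |
#     ForEach-Object { Get-SessionConfigurationAccess $_.Name $_.SecurityDescriptorSddl }
```

Any Allow entry for an identity other than the administrators group is a delegation worth reviewing against the startup script that configuration runs.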

Delete a session configuration

You can use the Unregister-PSSessionConfiguration cmdlet to delete a previously defined session configuration. It is quite possible to delete the default session configuration, Microsoft.PowerShell, using this cmdlet. However, this default session configuration gets re-created if you re-run the Enable-PSRemoting cmdlet.

Summary

In this chapter, we looked at the basics of PowerShell session configurations and how to create custom configurations. We also looked at cmdlets to manage these session configurations. By default, you need to be a part of the local administrators group to remote in to a computer. However, using custom session configurations and the permissions assigned to them, we can enable a non-administrator user to remote in to a computer using PowerShell remoting.