Using GPO for blocking execution of unapproved PowerShell Cmdlets

All replies

  • Hi,

    As far as I know, we can use Software Restriction Policies (SRPs) or AppLocker to restrict PowerShell.exe from running only, but there is no such option to blacklist unapproved PowerShell cmdlets. I will keep monitoring this requirement and give you an update if I get any useful information.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 03, 2017 9:21 AM
    Moderator
  • Sounds like what you're after is a JEA (Just Enough Administration) implementation, new in 2016 and back-ported (I believe) for Server 2012, though I really haven't looked into this as much as I would like to due to time. It allows you, for example, to permit someone to restart the Print Spooler service but not the DNS service, if that's what you want. You can restrict Get commands as well, though there's usually no harm in letting a reasonably wide range run.

    JEA is the way to go for delegating admin privileges, and if you combine it with JIT you get JIT JEA - Just In Time Just Enough Administration. I really want to try and get this configured as it looks awesome!

    Friday, March 03, 2017 10:25 PM
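    The Print Spooler versus DNS example above, written out as a JEA role capability and session configuration. This is an added example, not code from the thread; the group name, module path and transcript directory are assumed, and it must be run elevated on the target server.

    ```powershell
    # Assumed module location; role capability files must live in a
    # 'RoleCapabilities' folder of a module on $env:PSModulePath.
    $ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\SpoolerOps'
    $RcPath     = Join-Path $ModulePath 'RoleCapabilities'
    New-Item -Path $RcPath -ItemType Directory -Force | Out-Null
    New-ModuleManifest -Path (Join-Path $ModulePath 'SpoolerOps.psd1')

    # Role capability: only these cmdlets are visible in the endpoint.
    # Restart-Service is constrained to -Name Spooler via ValidateSet,
    # so 'Restart-Service DNS' is rejected by the parameter validation.
    New-PSRoleCapabilityFile -Path (Join-Path $RcPath 'SpoolerOps.psrc') `
        -VisibleCmdlets @(
            @{ Name = 'Restart-Service'
               Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
            @{ Name = 'Get-Service'
               Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
        )

    # Session configuration: restricted endpoint, virtual account (so the
    # delegated user needs no local admin rights), and per-session transcripts
    # for audit. 'CONTOSO\PrintOperators' is an assumed group name.
    $PsscPath = Join-Path $env:TEMP 'SpoolerOps.pssc'
    New-PSSessionConfigurationFile -Path $PsscPath `
        -SessionType RestrictedRemoteServer `
        -RunAsVirtualAccount `
        -TranscriptDirectory 'C:\JEATranscripts' `
        -RoleDefinitions @{
            'CONTOSO\PrintOperators' = @{ RoleCapabilities = 'SpoolerOps' }
        }

    # Validate before registering; a malformed .pssc is rejected here.
    if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) {
        throw "Session configuration file failed validation"
    }
    Register-PSSessionConfiguration -Name 'SpoolerOps' -Path $PsscPath -Force
    ```

    A member of the group then connects with `Enter-PSSession -ComputerName <server> -ConfigurationName SpoolerOps` and sees only the two cmdlets; `Get-Command` inside the session is the quickest way to verify the restriction took effect.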
  • Yeah. I am definitely interested in locking down PS usage but wanted to start with cmdlets. Thanks for the response.
    Saturday, March 04, 2017 12:26 AM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Alvin Wang



    Monday, March 13, 2017 6:25 AM
    Moderator
  • Have a go at this virtual lab; it happens to have some JEA stuff in the first few exercises (it is not advertised as a JEA lab). You might want to continue with the rest of it out of interest, but the remaining exercises focus on storage config and are not dependent on the JEA configuration.

    https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=22851&lod=true

    I've seen a few demos of this in the Ignite 2016 videos and on other online training sites; it certainly looks interesting.

    Tuesday, March 21, 2017 8:54 PM