JEA and correct syntax

Question
-
Hello,
How can I properly set the RoleDefinitions and RequiredGroups? Is this the correct syntax:
New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\disk.pssc' -SessionType RestrictedRemoteServer -TranscriptDirectory C:\Transcripts\ -RunAsVirtualAccount:$true -VisibleCmdlets "Get-disk" -RoleDefinitions @{ 'Domain\testuser' = @{ RoleCapabilities = 'disk' }} -RequiredGroups @{ And = 'elevated-jea' }
I'm getting an error:
Could not convert the value of the 'domain\testuser' role entry to a hashtable. The 'Roles' entry must be a hashtable with group names for keys, where the value associated with each key is another hashtable of session configuration properties for that role.
    + CategoryInfo          : InvalidOperation: (:) [New-PSSessionConfigurationFile], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidRoleEntryNotHashtable,Microsoft.PowerShell.Commands.NewPSSessionConfigurationFileCommand
Thank you in advance!
Tuesday, May 29, 2018 9:24 AM
Answers
-
You likely have a bad character in the spec. Try it like this:
$splat = @{
    Path                = 'C:\Program Files\WindowsPowerShell\disk.pssc'
    SessionType         = 'RestrictedRemoteServer'
    TranscriptDirectory = 'C:\Transcripts'
    RunAsVirtualAccount = $true
    VisibleCmdlets      = 'Get-disk'
    RoleDefinitions     = @{ 'Domain\testuser' = @{ RoleCapabilities = 'disk' } }
    RequiredGroups      = @{ And = 'elevated-jea' }
}
New-PSSessionConfigurationFile @splat
The above works fine for me.
\_(ツ)_/
Tuesday, May 29, 2018 2:06 PM
All replies
-
It is not due to a bad character but because of some bug when you run this command in a remote session. It works if you use the variables.
Tuesday, May 29, 2018 2:23 PM
-
It works fine for me in a remote session.
\_(ツ)_/
Tuesday, May 29, 2018 2:33 PM -
Do you mean it works without $splat?
Tuesday, May 29, 2018 2:51 PM -
No - with the splat.
\_(ツ)_/
Tuesday, May 29, 2018 3:00 PM -
No - with the splat.
Yes, that is what I meant. I can run my command (without $splat) without any problems on the local system, but if I connect remotely (Enter-Pssession) the same command doesn't work.
\_(ツ)_/
- Edited by Anahaym Tuesday, May 29, 2018 3:06 PM
Tuesday, May 29, 2018 3:02 PM -
Remote sessions may not support all syntaxes. It depends on OS and some limitations of the endpoint architecture.
It may also be a bug. Report it to UserVoice if you think it is a bug.
\_(ツ)_/
Tuesday, May 29, 2018 3:05 PM -
Remote sessions may not support all syntaxes. It may also be a bug.
Tuesday, May 29, 2018 3:07 PM -
one more question...
if the configuration file has "RequiredGroups = @{ And = 'elevated-jea' }" - it doesn't work:
Test-PSSessionConfigurationFile : A positional parameter cannot be found that accepts argument
Although the test is passed:
PS C:\> Test-PSSessionConfigurationFile -Path "C:\Program Files\WindowsPowerShell\disk.pssc"
True
So, how can I get an elevated session? Some cmdlets require elevation. I found that, but it doesn't work.
Wednesday, May 30, 2018 10:04 AM -
Did you create the group?
# Example 1: Connecting users must belong to a security group called "elevated-jea"
RequiredGroups = @{ And = 'elevated-jea' }
This does not cause elevation; it just verifies that the user belongs to the group. The name is superfluous.
\_(ツ)_/
Wednesday, May 30, 2018 10:12 AM -
Wednesday, May 30, 2018 10:32 AM
-
The name used for the group is bogus. Remoting does not require elevation. JEA can allow regular users access to Admin capabilities on a restricted basis. "Elevation" is not a correct term here.
\_(ツ)_/
Wednesday, May 30, 2018 10:37 AM -
OK, I got it. Thanks!
Wednesday, May 30, 2018 10:44 AM
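The point made in the replies above, shown end to end as an added example that is not part of the original thread: `RequiredGroups` only gates who may connect, while the rights inside the session come from `RunAsVirtualAccount` and the role capability file. The module name `JEADisk` and endpoint name `DiskMaintenance` are assumptions; the other values are the ones used in the thread.

```powershell
# Added example. 'JEADisk' (module) and 'DiskMaintenance' (endpoint) are assumed names;
# 'disk', 'Domain\testuser' and 'elevated-jea' are the values used in the thread.
# Run from an elevated console on the server that will host the endpoint.

# 1. RoleCapabilities = 'disk' is looked up as disk.psrc inside a RoleCapabilities
#    folder of a module on $env:PSModulePath, so that module has to exist.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JEADisk'
$roles  = Join-Path $module 'RoleCapabilities'
New-Item -ItemType Directory -Path $roles -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $module 'JEADisk.psm1') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'JEADisk.psd1') -RootModule 'JEADisk.psm1'
New-PSRoleCapabilityFile -Path (Join-Path $roles 'disk.psrc') -VisibleCmdlets 'Get-Disk', 'Get-Volume'

# 2. Session configuration: who may connect, which role they get, which identity runs commands.
$pssc = 'C:\Program Files\WindowsPowerShell\disk.pssc'
New-Item -ItemType Directory -Path 'C:\Transcripts' -Force | Out-Null
$splat = @{
    Path                = $pssc
    SessionType         = 'RestrictedRemoteServer'
    TranscriptDirectory = 'C:\Transcripts'
    # Commands run as a temporary virtual account; this is where the rights come from.
    RunAsVirtualAccount = $true
    # Maps the connecting user to the role capability file created in step 1.
    RoleDefinitions     = @{ 'Domain\testuser' = @{ RoleCapabilities = 'disk' } }
    # Access condition only: the caller must also be in this group. It grants nothing.
    RequiredGroups      = @{ And = 'elevated-jea' }
}
New-PSSessionConfigurationFile @splat

# 3. Validate, register, then ask the endpoint what this user would actually get.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file '$pssc' failed validation."
}
Register-PSSessionConfiguration -Name 'DiskMaintenance' -Path $pssc -Force
Get-PSSessionCapability -ConfigurationName 'DiskMaintenance' -Username 'Domain\testuser'
```

The last command lists the commands the user would see in the session, which is a quicker check than connecting as that user.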
-
Sorry, that was not the last question. Hope this will be:
I am trying to enter all CMDlets from Read-Host:
$cmdlet = (Read-Host "Enter all needed CMDlets")
New-PSRoleCapabilityFile -Path file.psrc -VisibleCmdlets $cmdlet
There is no problem adding only one command, but how can I add multiple commands? The problem is that the .psrc file has the following format:
VisibleCmdlets = 'get-disk','get-volume'
What can I do with the apostrophe?
Wednesday, May 30, 2018 11:00 AM -
What apostrophe? There is no apostrophe.
$splat = @{
    Path                = 'C:\Program Files\WindowsPowerShell\disk.pssc'
    SessionType         = 'RestrictedRemoteServer'
    TranscriptDirectory = 'C:\Transcripts'
    RunAsVirtualAccount = $true
    VisibleCmdlets      = 'Get-disk','Get-Command','Get-Process'
    RoleDefinitions     = @{ 'Domain\testuser' = @{ RoleCapabilities = 'disk' } }
    RequiredGroups      = @{ And = 'elevated-jea' }
}
New-PSSessionConfigurationFile @splat
\_(ツ)_/
Wednesday, May 30, 2018 2:57 PM -
What apostrophe? There is no apostrophe.
\_(ツ)_/
This is an apostrophe: '
There is no apostrophe in your code, but I will use Read-Host. I would like to avoid always typing an apostrophe... like this: 'get-disk','get-volume'
Wednesday, May 30, 2018 3:05 PM
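One way to handle the Read-Host case asked about above, as an added example that is not part of the original thread: `-VisibleCmdlets` takes an array, so the typed line is split on commas and each name is checked before it reaches the role capability file. `ConvertTo-VisibleCmdletList` is a hypothetical helper name, and rejecting anything that is not an exact Verb-Noun name is a choice made for this example.

```powershell
# Added example: turn one line of typed input into the string array that
# -VisibleCmdlets expects. ConvertTo-VisibleCmdletList is a hypothetical helper.
function ConvertTo-VisibleCmdletList {
    param([Parameter(Mandatory)][string]$InputLine)

    $quotes = [char[]]@("'", '"')
    $names = foreach ($item in ($InputLine -split ',')) {
        # Drop surrounding whitespace and any quotes the operator typed anyway.
        $name = $item.Trim().Trim($quotes)
        if (-not $name) { continue }

        # A JEA allow-list should name exact commands: no wildcards, no paths,
        # no module-qualified names (a restriction chosen for this example).
        if ($name -notmatch '^[A-Za-z]+-[A-Za-z0-9]+$') {
            throw "Rejected '$name': expected an exact Verb-Noun command name."
        }

        # Resolve the name so a typo does not end up in the .psrc file.
        # Get-Disk and Get-Volume are functions, so both command types are accepted.
        $cmd = Get-Command -Name $name -CommandType Cmdlet, Function -ErrorAction SilentlyContinue
        if (-not $cmd) {
            throw "Rejected '$name': no such cmdlet or function on this machine."
        }
        $cmd.Name    # canonical casing as reported by Get-Command
    }
    $names | Select-Object -Unique
}

# Typed without apostrophes, for example:  get-disk, get-volume
$line = Read-Host 'Enter all needed cmdlets, separated by commas'
[string[]]$cmdlets = ConvertTo-VisibleCmdletList -InputLine $line
New-PSRoleCapabilityFile -Path file.psrc -VisibleCmdlets $cmdlets
```

The apostrophes in the generated .psrc file are only PowerShell string quoting written by `New-PSRoleCapabilityFile`; they never have to be typed at the prompt.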