JEA and correct syntax

  • Question

  • Hello,

    How can I properly set the RoleDefinitions and RequiredGroups? Is this the correct syntax:

    New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\disk.pssc' -SessionType RestrictedRemoteServer -TranscriptDirectory C:\Transcripts\ -RunAsVirtualAccount:$true -VisibleCmdlets "Get-disk" -RoleDefinitions @{ 'Domain\testuser' = @{ RoleCapabilities = 'disk' }} -RequiredGroups  @{ And = 'elevated-jea' }

    I'm getting an error:

    Could not convert the value of the 'domain\testuser' role entry to a hashtable. The 'Roles' entry must be a hashtable with group names for keys, where the value associated with
    each key is another hashtable of session configuration properties for that role.
        + CategoryInfo          : InvalidOperation: (:) [New-PSSessionConfigurationFile], PSInvalidOperationException
        + FullyQualifiedErrorId : InvalidRoleEntryNotHashtable,Microsoft.PowerShell.Commands.NewPSSessionConfigurationFileCommand

    Thank you in advance!

    Tuesday, May 29, 2018 9:24 AM

Answers

  • You likely have a bad character in the spec.  Try it like this:

    $splat = @{
        Path = 'C:\Program Files\WindowsPowerShell\disk.pssc' 
        SessionType = 'RestrictedRemoteServer' 
        TranscriptDirectory = 'C:\Transcripts'
        RunAsVirtualAccount = $true 
        VisibleCmdlets = 'Get-disk'
        RoleDefinitions = @{ 'Domain\testuser' = @{ RoleCapabilities = 'disk' }} 
        RequiredGroups  = @{ And = 'elevated-jea' }
    }
    New-PSSessionConfigurationFile @splat

    The above works fine for me.


    \_(ツ)_/


    • Edited by jrv Tuesday, May 29, 2018 2:08 PM
    • Marked as answer by Anahaym Tuesday, May 29, 2018 2:23 PM
    Tuesday, May 29, 2018 2:06 PM

All replies

  • It is not due to a bad character but because of some bug when you run this command in a remote session. It works if you use the variables.
    Tuesday, May 29, 2018 2:23 PM
  • It works fine for me in a remote session.


    \_(ツ)_/

    Tuesday, May 29, 2018 2:33 PM
  • Do you mean it works without $splat?

    Tuesday, May 29, 2018 2:51 PM
  • No - with the splat. 

    \_(ツ)_/

    Tuesday, May 29, 2018 3:00 PM
  • No - with the splat. 

    \_(ツ)_/

    Yes, that is what I meant. I can run my command (without $splat) without any problems on the local system, but if I connect remotely (Enter-PSSession) the same command doesn't work.
    • Edited by Anahaym Tuesday, May 29, 2018 3:06 PM
    Tuesday, May 29, 2018 3:02 PM
  • Remote sessions may not support all syntaxes.  It depends on OS and some limitations of the endpoint architecture.

    It may also be a bug.  Report it to UserVoice if you think it is a bug.


    \_(ツ)_/

    Tuesday, May 29, 2018 3:05 PM
  • Remote sessions may not support all syntaxes. It may also be a bug. 

    I face it very often....
    Tuesday, May 29, 2018 3:07 PM
  • One more question...

    If the configuration file has "RequiredGroups = @{ And = 'elevated-jea' }", it doesn't work:

    Test-PSSessionConfigurationFile : A positional parameter cannot be found that accepts argument

    Although the test passes:

    PS C:\> Test-PSSessionConfigurationFile -Path "C:\Program Files\WindowsPowerShell\disk.pssc"
    True

    So, how can I get an elevated session? Some cmdlets require elevation. I found that, but it doesn't work.

    Wednesday, May 30, 2018 10:04 AM
  • Did you create the group?

    # Example 1: Connecting users must belong to a security group called "elevated-jea"
    RequiredGroups = @{ And = 'elevated-jea' }

    This does not cause elevation; it just verifies that the user belongs to the group.  The name is superfluous.


    \_(ツ)_/

    Wednesday, May 30, 2018 10:12 AM
  • Wednesday, May 30, 2018 10:32 AM
  • The name used for the group is bogus.  Remoting does not require elevation.  JEA can allow regular users access to Admin capabilities on a restricted basis. "Elevation" is not a correct term here.


    \_(ツ)_/

    Wednesday, May 30, 2018 10:37 AM
  • OK, I got it. Thanks!
    Wednesday, May 30, 2018 10:44 AM
  • Sorry, that was not the last question. I hope this will be:

    I am trying to enter all cmdlets from Read-Host:

    $cmdlet = (Read-Host "Enter all needed CMDlets")
    New-PSRoleCapabilityFile -Path file.psrc -VisibleCmdlets $cmdlet

    There is no problem adding only one command, but how can I add multiple commands? The problem is that the .psrc file has the following format:

    VisibleCmdlets = 'get-disk','get-volume'

    What can I do with the apostrophe?

    Wednesday, May 30, 2018 11:00 AM
  • What apostrophe?  There is no apostrophe.

    $splat = @{
        Path = 'C:\Program Files\WindowsPowerShell\disk.pssc' 
        SessionType = 'RestrictedRemoteServer' 
        TranscriptDirectory = 'C:\Transcripts'
        RunAsVirtualAccount = $true 
        VisibleCmdlets = 'Get-disk','Get-Command','Get-Process'
        RoleDefinitions = @{ 'Domain\testuser' = @{ RoleCapabilities = 'disk' }} 
        RequiredGroups  = @{ And = 'elevated-jea' }
    }
    New-PSSessionConfigurationFile @splat


    \_(ツ)_/

    Wednesday, May 30, 2018 2:57 PM
  • What apostrophe?  There is no apostrophe.


    \_(ツ)_/

    This is an apostrophe: '

    There is no apostrophe in your code, but I will use Read-Host. I would like to avoid always having to type an apostrophe... like this: 'get-disk','get-volume'

    Wednesday, May 30, 2018 3:05 PM
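
Added example (not part of the thread): one way to turn a single Read-Host line into the string array that -VisibleCmdlets expects, so no apostrophes have to be typed. ConvertTo-CmdletList is a hypothetical helper name; the name-pattern check and the Get-Command lookup are assumptions added here to keep wildcards and typos out of the role capability file.

```powershell
# Added example: ConvertTo-CmdletList is a hypothetical helper, not from the thread.
function ConvertTo-CmdletList {
    param([Parameter(Mandatory)][string]$InputLine)

    # Split on commas, semicolons or whitespace; drop any quotes typed anyway.
    $names = @(
        $InputLine -split '[,;\s]+' |
            ForEach-Object { $_ -replace '[''"]' } |
            Where-Object { $_ }
    )
    if ($names.Count -eq 0) { throw 'No cmdlet names given.' }

    foreach ($name in $names) {
        # A JEA role should list exact commands. Wildcards (Get-*) or
        # module-qualified names are rejected by this pattern on purpose.
        if ($name -notmatch '^[A-Za-z]+-[A-Za-z0-9]+$') {
            throw "Rejected '$name': expected a plain Verb-Noun name."
        }
        # Get-Disk and Get-Volume are CIM-based functions, so look for
        # functions as well as compiled cmdlets.
        $found = Get-Command -Name $name -CommandType Cmdlet, Function -ErrorAction SilentlyContinue
        if (-not $found) {
            throw "Rejected '$name': no such command on this machine."
        }
    }

    # Leading comma keeps a one-element result an array.
    ,[string[]]$names
}

# Typing "get-disk, get-volume" (no quotes) yields 'get-disk','get-volume'.
$cmdlets = ConvertTo-CmdletList -InputLine (Read-Host 'Enter all needed cmdlets')
New-PSRoleCapabilityFile -Path file.psrc -VisibleCmdlets $cmdlets
```

The generated file.psrc then contains the quoted, comma-separated VisibleCmdlets entry in the format shown in the question.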