none
remote login granted without being in the sessionconfiguration

    Question

  • Hello everybody,

    My question is very punctual, and refers to the fact that i´m not and administrator nor member of "remote management users", and can access remotely a server (enter-pssesion, invoke-command, new-pssesion..) .

    So, in the set-pssesionconfiguration of the server, the only accounts that have access are the local admin and "remote management users" group, both whit with full privilege.

    In addition, the "remote management users" group, does not have any member.

    Does anyone know why is this?. I need to restrict users and i don´t know why does it happends.

    Here is the picture:

    Thanks in advance.

    Octavio.


    • Edited by Octavio J Wednesday, May 16, 2018 6:09 PM add some more information
    Wednesday, May 16, 2018 4:54 PM

All replies

  • The schema entries do not control this.   The schema permissions only control access to the schema entry. 

    Look at the remote group on the domain and the individual servers.


    \_(ツ)_/

    Thursday, May 17, 2018 12:21 AM
    Moderator
  • The schema entries do not control this.   The schema permissions only control access to the schema entry. 

    Look at the remote group on the domain and the individual servers.


    \_(ツ)_/

       Jrv, i doubt about it, or maybe i´m confused , cause i´ve read and researched it, and you need, apart of the winrm protocol enabled, the endpoint microsoft.powershell permission.

    Here is an example of what i´m saying : 

    "That is why remoting is turned off by default and you have to run Enable-PSRemoting to turn it on. "

    "When you do this, we create the default PSSessionConfiguration called Microsoft.PowerShell with a SDDL which only allows people with administrative rights to execute remote commands on that machine.  You can see that by the following command: Get-PSSessionConfiguration |fl * "

    Link

     
    Thursday, May 17, 2018 3:21 AM
  • By default the endpoint includes administrators and no one else.  This is not set on the schema entry.  It is set on the endpoint process.

    See docs for creating endpoint for WsMan and PowerShell.


    \_(ツ)_/

    Thursday, May 17, 2018 3:27 AM
    Moderator
  • I´ve looked and red everywhere, and all roads leads to the same place, set-pssessionconfiguration.

    So, i don´t understand why, if i am not  a fully administrator i can access without being in the remote configuration access.

    Friday, May 18, 2018 2:46 PM