Want to block a particular security group so that they cannot query/access/modify/create or delete Active Directory data using PowerShell commands or PowerShell scripts, but can still use RSAT for the same

  • Question

  • Hello Everyone,

    In brief, we have a domain environment (Active Directory structure) and want to block a particular security group only (not all groups, but only one particular group, say group X) so that they cannot access Active Directory using PowerShell commands or PowerShell scripts. We do not want to block the PowerShell utility for them on their local systems, but only to block access to AD whenever they use PowerShell. They should still be able to access AD whenever they use RSAT (we only need to block AD access when they use PowerShell to reach AD).

    Looking for your great support on this.

    Friday, June 26, 2020 2:48 PM

All replies

  • Hi Tiwari Ganesh,

    Let's start from the beginning: does the group have users or computers inside?

    Are the members of this group AD administrators, or granted users?

    Why do you want to do that? If you Google it you will find that there are many LDAP constructions that can be used in PowerShell instead of the built-in cmdlets. So when you block the cmdlets, the same thing may still be possible with LDAP queries...


    The opinion expressed by me is not an official position of Microsoft

    Friday, June 26, 2020 8:26 PM
  • Indeed. I was using LDAP to manage the AD with Basic and Perl for more than five years before the introduction of PowerShell in 2006 (and even after that since PowerShell had nowhere near the utility it has today!).

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Friday, June 26, 2020 9:18 PM
    The only sensible method to do this is to use a constrained endpoint and disallow the group from any extended access to AD. The constrained endpoint can be given permissions through its account, and the commands and their reach can be restricted.

    This is not exactly what you ask but is as close as I can see that you can get.


    \_(ツ)_/

    Friday, June 26, 2020 11:08 PM
    Moderator
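An added example of the approach JRV describes, not code from the thread: a constrained (Just Enough Administration) endpoint whose role capability exposes only a fixed list of ActiveDirectory cmdlets and parameters, executed by a virtual account, so the group's own accounts need no direct rights in AD and everything else is hidden. The host, module name `L2AdRole`, group `CONTOSO\GroupX`, transcript path and cmdlet list are placeholders.

```powershell
# Role capability file: the whitelist of what connecting users may run.
# JEA finds .psrc files under a module's RoleCapabilities folder on PSModulePath.
$RoleDir = "$env:ProgramFiles\WindowsPowerShell\Modules\L2AdRole\RoleCapabilities"
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null

New-PSRoleCapabilityFile -Path "$RoleDir\L2UserAdmin.psrc" `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        'Get-ADUser',
        'Unlock-ADAccount',
        # Pinning parameters keeps bulk-style switches (e.g. pipelines of -Filter '*') out of reach
        @{ Name = 'New-ADUser'; Parameters = @{ Name = 'Name' }, @{ Name = 'SamAccountName' }, @{ Name = 'Path' } },
        @{ Name = 'Set-ADUser'; Parameters = @{ Name = 'Identity' }, @{ Name = 'Enabled' }, @{ Name = 'Description' } }
    )

# Session configuration: RestrictedRemoteServer hides every command not listed above,
# RunAsVirtualAccount means the AD work is done by a temporary local account on the
# JEA host (which you delegate rights in AD), not by the connecting user's token.
# Transcripts give the audit trail for who changed what through the endpoint.
$PsscPath = "$env:TEMP\L2AdEndpoint.pssc"
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\GroupX' = @{ RoleCapabilities = 'L2UserAdmin' } }

# Validate before registering; a malformed .pssc fails here rather than at first connect.
if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) { throw "Invalid session configuration" }

Register-PSSessionConfiguration -Name 'L2AdEndpoint' -Path $PsscPath -Force

# What a member of CONTOSO\GroupX runs from their workstation (host name is a placeholder):
#   Enter-PSSession -ComputerName JEAHOST -ConfigurationName L2AdEndpoint
# Inside the session Get-Command shows only the cmdlets listed in the role capability.
```

Once the group's direct AD permissions are removed, this endpoint is their only programmatic path into AD, which is the restriction JRV describes; it does not by itself leave RSAT working for them, as he notes.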
  • Hi Vector,

    First I would like to thank you for giving your valuable time for this.

    Please find my below inputs,

    Query: Let's start from the beginning: does the group have users or computers inside?

    Input: It is a group which consists of users (L2 System Administrators) only, not computers.

    Query: Are the members of this group AD administrators, or granted users?

    Input: Members of this group are L2 System Administrators who create/modify/delete users in AD, where limited access to AD has been provided to them (earlier they were using RSAT, but nowadays they are using PowerShell scripts).

    Query: Why do you want to do that? If you Google it you will find that there are many LDAP constructions that can be used in PowerShell instead of the built-in cmdlets. So when you block the cmdlets, the same thing may still be possible with LDAP queries...

    Input: No doubt PowerShell is a very powerful and useful tool. We want to block PowerShell access to AD as a security concern, so that no bulk changes can be applied using PowerShell or any other LDAP utilities. In the current scenario, if a particular team wants to access AD, they should access it using RSAT only and not through PowerShell or its scripts.

    Note: I can disable PowerShell on their computers through GP, but I do not want to stop the rest of their day-to-day work that they do using PowerShell and that is not related to AD. So blocking PowerShell entirely on their local systems will not work.

    As we are all aware, PowerShell is built into Windows (no need to download and install) and is capable of making bulk changes in a couple of seconds (N number of scripts related to AD changes are available on the net). As a precautionary measure, I am looking for this type of restriction.

    Thanks for reading my reply.

    Saturday, June 27, 2020 11:44 AM
  • Hi JRV,

    Thanks for your valuable time and suggestion.

    Saturday, June 27, 2020 11:46 AM
  • Unfortunately all of your text only tells me that you need to learn PowerShell and learn about how PowerShell, Windows Security and subsystems like AD work.  Adding a lot of description that is not about any of these things will not get you an answer.

    Please read the following to get an idea of how to ask a technical question.  The first requirement is that you know the fundamentals of the technology.

    I strongly recommend that you contact a trained tech or consultant to help you with this.  You are asking for someone to design a solution for you.  This forum is not a place to ask for people to design solutions for end users with limited or no technical training.  A consultant will be able to sit with you and discuss the details until a clear statement of your needs emerges.  This can take hours with non-technical users and managers as the normal user does not know the technology or the language required to describe their needs.  A consultant is trained in the technologies required and knows how to extract a design by discovering the requirements.  This is what consulting means.  A user "consults" with an expert to define a set of requirements.  The consultant then designs a solution.



    \_(ツ)_/

    Saturday, June 27, 2020 11:58 AM
    Moderator
  • THANKS.
    Sunday, June 28, 2020 3:23 PM
  • Even if we imagine that your L2 Admins will not have PowerShell at all on their computers, as long as they have rights to do something in AD they will still be able to use any other language (cmd\python\bash\etc.), as Rich said a few comments ago.


    The opinion expressed by me is not an official position of Microsoft

    Sunday, June 28, 2020 6:22 PM
  • What about just removing the ActiveDirectory module from their machines?

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Monday, June 29, 2020 1:35 AM
  • Hi,
    Was your issue resolved? 
    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If no, please reply and tell us the current situation in order to provide further help.
    Best Regards,
    Yang Yang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 3, 2020 5:47 AM