You Don’t Have to Be An Administrator to Run Remote PowerShell Commands

PowerShell Team

I was just read blog entry which complained about having to have administrative access to execute PowerShell commands against a remote server.  This is not the case.

We are “secure by default” which means that if you want to do something that exposes a security risk to your machines, you have to make a conscious decision to do so.  We are secure by default so that you can feel confident in putting PowerShell on all your machines.  Your risks are a function of the decisions you make after  you install PowerShell and we’ll educate you about the risks and benefits of those decisions.  (Run “Get-Help about_Execution_Policies” to see a great example of that.)

That is why remoting is turned off by default and you have to run Enable-PSRemoting to turn it on. 

When you do this, we create the default PSSessionConfiguration called Microsoft.PowerShell with a SDDL which only allows people with administrative rights to execute remote commands on that machine.  You can see that by the following command:

PS> Get-PSSessionConfiguration |fl *

Name                   : microsoft.powershell
Filename               : %windir%\system32\pwrshplugin.dll
SDKVersion             : 1
XmlRenderingType       : text
lang                   : en-US
PSVersion              : 2.0
ResourceUri            :
SupportsOptions        : true
Capability             : {Shell}
xmlns                  :
Uri                    :
ExactMatch             : false
SecurityDescriptorSddl : O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
Permission             : BUILTIN\Administrators AccessAllowed


If you decide you want to allow others, what you do is run the command:

PS> Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

Are you sure you want to perform this action?
Performing operation "Set-PSSessionConfiguration" on Target "Name: Microsoft.PowerShell".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Notice that this action could have a serious impact on your system so we ask you to confirm that you really want to do this.(In general we assume you know what you are doing and only bring up these nag-messages when we think it is super important that you not sleep walk through this one.  You can always add a –FORCE switch to bypass this message.)  This brings up the following dialog box which allows you to give others the ability to run commands on that machine:



Experiment!  Enjoy!  Engage!

Jeffrey Snover [MSFT]
Distinguished Engineer
Visit the Windows PowerShell Team blog at:
Visit the Windows PowerShell ScriptCenter at:


Discussion is closed.

Feedback usabilla icon