Users must be able to<\/b>:<\/b><\/p>\n Users must NOT be able to<\/b>:<\/p>\n Let’s get to it! I am going to set up a location for this JEA configuration to live.<\/p>\n Now, I’ve got to set up my PowerShell Session Configuration (PSSC) file like yesterday.<\/p>\n My changes here are very limited. I am changing the session type to RestrictedRemoteServer<\/b> from Default<\/b> (line 16 in the following image)—otherwise, none of this will work correctly. I’m also assigning my Reg Users<\/b> group to the role Help Desk<\/b> (line 31 in the following image). I will define this in a moment. I have a user named Reg Guy in the Reg Users group.<\/p>\n I’m now done with the PSSC so I’ll save and close it. It’s time to set up that Help Desk role. I’ll start by creating a RoleCapabilities<\/b> folder in the same location as the PSSC and creating a new PowerShell Role Capabilities (PSRC) file. My PSRC’s name must match the RoleCapability<\/b> I assigned to my Reg Users group in the PSSC.<\/p>\n In ISE, I’m going to enable the Active Directory functionality I described above. On line 19 of the PSRC, I can include modules to import. I’m bringing in the Active Directory module. On line 25, I can enable the specific cmdlets and restrictions I identified previously.<\/p>\n Let’s take a closer look at line 25. I’ll break it down into its parts:<\/p>\n You can see the Properties<\/b> parameter is being validated against a set of allowed values: MemberOf<\/b>, LockedOut<\/b>, Enabled<\/b>, and PasswordLastSet<\/b>. The Filter<\/b> parameter only has one allowable value in its valid set: Office –like ‘Home*’<\/b>.<\/p>\n Let me now save and apply this JEA configuration to an endpoint.<\/p>\n\n
\n
![\"Image](\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/5751.1.PNG\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/2352.2.PNG\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/3113.3.PNG\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/2275.4.PNG\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/1616.5.PNG\" "\\"Image")
<\/a><\/p>\n\n
The very first part of this line wraps the rest of the content and labels it as cmdlets that I’m making visible to my limited user. Next, I have to put something between the curly braces.<\/li>\n
As it stands now, I’ve white-listed the Get-ADUser<\/b> command, without specifying any restrictions on parameters. By default, I’ve white-listed every parameter combination possible. Let’s fix that now.<\/li>\n
The first parameter I’m specifying is Identity<\/b>. I’m allowing any account to be retrieved by my limited user, so this particular item isn’t very interesting. Without specifying ValidateSet<\/b> or ValidatePattern<\/b> for the Identity<\/b> parameter, I’m allowing any value to be specified. I’m also restricting the Properties<\/b> and Filter<\/b> parameters, though.<\/li>\n
![\"Image](\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/5468.6.PNG\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/5037.7.PNG\" "\\"Image")
<\/a><\/p>\n