{"id":75271,"date":"2015-12-05T00:01:00","date_gmt":"2015-12-05T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/12\/05\/weekend-scripter-taking-jea-for-a-spinpart-1\/"},"modified":"2019-02-18T09:20:47","modified_gmt":"2019-02-18T16:20:47","slug":"weekend-scripter-taking-jea-for-a-spinpart-1","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-taking-jea-for-a-spinpart-1\/","title":{"rendered":"Weekend Scripter: Taking JEA for a Spin\u2014Part 1"},"content":{"rendered":"<p align=\"left\"><b>Summary<\/b>: Thomas Rayner <span>explores code promotion&nbsp;<\/span>with Just Enough Admin (JEA) in Windows Server 2016.<\/p>\n<p>Hello! I&rsquo;m Thomas Rayner, a proud Cloud and Datacenter Management Microsoft MVP, filling in for The Scripting Guy this weekend. You can find me on Twitter (<a href=\"https:\/\/twitter.com\/MrThomasRayner\" target=\"_blank\">@MrThomasRayner<\/a>). I also post my blog bi-weekly: <a href=\"http:\/\/workingsysadmin.com\/\" target=\"_blank\">Working Sysadmin&mdash;Figuring stuff out at work<\/a>. The temperature is dropping and the snow is starting to fly here in Alberta, Canada so I&rsquo;m going to stay in this weekend and take an awesome new feature in Windows Server 2016, Just Enough Admin (JEA), for a spin. I&rsquo;ll explore how it can be applied in a situation where a limited user has permissions to run only one script for code promotion.<\/p>\n<p>JEA was one of the new features introduced with Windows Server 2016 TP4 when it was released in November 2015. Previously, JEA had existed as a DSC module, but now it is baked right into the operating system. 
I couldn&rsquo;t wait to get my hands on it, so I put together a first look on my blog: <a href=\"http:\/\/www.workingsysadmin.com\/just-enough-administration-jea-first-look\/\" target=\"_blank\">Just Enough Administration (JEA) First Look<\/a>.<\/p>\n<p>At the end of that post, I shared a handful of potential use cases, and this weekend I&rsquo;m going to demonstrate a couple of them. If this is the first you&rsquo;ve heard of JEA, I&rsquo;d suggest taking a look at this article on MSDN: <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/dn896648.aspx\" target=\"_blank\">Using Just Enough Administration Windows PowerShell Security Controls to Help Protect Enterprise Data<\/a>.<\/p>\n<p>Today, the use case I&rsquo;m going to demonstrate is code promotion. There are about a billion different ways to promote code through a software development lifecycle, but for this proof of concept, I will tackle a situation where files are staged somewhere and must simply be copied to a production server. Let&rsquo;s take a look at the requirements for the remote PowerShell sessions that JEA is going to manage for this purpose.<\/p>\n<p><b>Users must be able to:<\/b><\/p>\n<ul>\n<li>Copy files from a known source to a known destination.<\/li>\n<li>Overwrite existing files in the destination.<\/li>\n<li>Create new files in the destination.<\/li>\n<li>Restart the app we&rsquo;re promoting code for.<\/li>\n<\/ul>\n<p><b>Users must NOT be able to:<\/b><\/p>\n<ul>\n<li>Interact with other files or systems on the server.<\/li>\n<li>Edit any scripts related to the code promotion process.<\/li>\n<\/ul>\n<p>Looks pretty simple, right? 
Let&rsquo;s get to it&hellip;<\/p>\n<p>First I&rsquo;m going to set up a location for a new module to hold my JEA configuration files:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/2744.1.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/2744.1.PNG\" alt=\"Image of command\" title=\"Image of command\" \/><\/a><\/p>\n<p>Here is the output:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/3771.2.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/3771.2.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>I&rsquo;ve only got one machine in the lab I&rsquo;m using for this demo, so I&rsquo;m building the module to hold this JEA configuration in the location that I intend for it to end up. I need to create a new configuration file and open it in the Windows PowerShell ISE:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/4336.3.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/4336.3.PNG\" alt=\"Image of command\" title=\"Image of command\" \/><\/a><\/p>\n<p>This file has a bunch of general configuration settings for our JEA endpoint. I&rsquo;m only going to leverage a few. 
First, I need to change the <b>SessionType<\/b> to <b>RestrictedRemoteServer<\/b> (line 16 in the following image); otherwise, none of this is going to work the way I want it to.<\/p>\n<p>I could also configure a bunch of other interesting things, such as where to save a mandatory transcript or items related to virtual accounts. For this demo, I&rsquo;m only going to edit the role definitions on the last line (line 31 in the following image). This is where we essentially say, &ldquo;Users in this group get this role when they connect.&rdquo;<\/p>\n<p>I have a user named Reg Guy who I want to allow the code promotion role. In the following PSSC file, note that Reg Guy is a member of the Reg Users group that I&rsquo;m assigning this role to.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/2425.4.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/2425.4.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>Now I can save and close the PSSC file because I&rsquo;m done with it.<\/p>\n<p>Next, I need to configure that CodePromo role I assigned to the Reg Users group in the PSSC. To do this, I need to make a CodePromo role capabilities file. 
All role configuration files need to go in a <b>RoleCapabilities<\/b> folder in the same directory as the PSSC.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/8270.5.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/8270.5.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>Now it&rsquo;s time for the thinking part. How am I going to restrict my remotely connecting users but, at the same time, give them the permissions to promote code as previously described? The answer is brutally simple&hellip;<\/p>\n<p>I know where the files are being copied to and from, and I don&rsquo;t want users doing anything else. Instead of trying to do all kinds of weirdness with file system permissions and which cmdlets to restrict or open up, I&rsquo;m simply going to write a script that promotes this code.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/1651.6.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/1651.6.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>With that in place, I need to allow Reg Guy to run this script using the <b>VisibleExternalCommands<\/b> item (line 31 in the following image). 
I&rsquo;m also going to give users a nice little function to run so they don&rsquo;t need to remember where the script lives (line 43 in the following image).<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/3681.7.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/3681.7.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>When Reg Guy remotely connects (I&rsquo;ve already given him those permissions) and runs <b>Invoke-CodePromo<\/b>, the code promotion script will be triggered. I simply have to apply this JEA configuration to an endpoint (safely ignoring warnings), test it, and turn it over to Reg Guy.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/0574.8.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/0574.8.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>Now let&rsquo;s see what it&rsquo;s like to be Reg Guy&hellip;<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/1134.9.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/1134.9.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>Perfect! 
Reg Guy can connect to a remote session and run our code promotion script. He can&rsquo;t do anything else though (note the errors are supposed to occur). It looks like my JEA-configured remote PowerShell endpoint is behaving exactly like I want it to.<\/p>\n<p>Join me tomorrow when I tackle another example use case for JEA: enabling limited rights to interact with Active Directory.<\/p>\n<p>~Thomas<\/p>\n<p>I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.<\/p>\n<p><b>Ed Wilson<\/b>, Microsoft Scripting Guy<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Thomas Rayner explores code promotion&nbsp;with Just Enough Admin (JEA) in Windows Server 2016. Hello! I&rsquo;m Thomas Rayner, a proud Cloud and Datacenter Management Microsoft MVP, filling in for The Scripting Guy this weekend. You can find me on Twitter (@MrThomasRayner). I also post my blog bi-weekly: Working Sysadmin&mdash;Figuring stuff out at work. The temperature [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[56,652,61,45],"class_list":["post-75271","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-guest-blogger","tag-thomas-rayner","tag-weekend-scripter","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Thomas Rayner explores code promotion&nbsp;with Just Enough Admin (JEA) in Windows Server 2016. Hello! I&rsquo;m Thomas Rayner, a proud Cloud and Datacenter Management Microsoft MVP, filling in for The Scripting Guy this weekend. You can find me on Twitter (@MrThomasRayner). I also post my blog bi-weekly: Working Sysadmin&mdash;Figuring stuff out at work. 
The temperature [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/75271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=75271"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/75271\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=75271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=75271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=75271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}