#========================================================================
# Created By: Anders Wahlqvist
# Website: DollarUnderscore (http://dollarunderscore.azurewebsites.net)
#========================================================================
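function Add-PoShEndpointAccess
{
<#
.Synopsis
Adds a group or user to a PowerShell (WinRM) endpoint to allow remote management.
.DESCRIPTION
This function will edit the SDDL of a PowerShell (WinRM) endpoint to
allow remote management for the specified account/group. The account is
added as an Allow ACE with access mask 0x10000000 (GENERIC_ALL), i.e. full
use of the session configuration, so grant it to the narrowest group that
actually needs remote management.
If you run this against a remote computer, CredSSP needs to be enabled and you need
to restart the WinRM-service manually afterwards (this function uses WinRM to connect
to the remote machine, which is why it will not restart the service itself).
When run against the local computer, Set-PSSessionConfiguration restarts the
WinRM service, which drops any active remote sessions on this machine.
Administrative privileges are required on the target computer.
Supports -WhatIf / -Confirm because it rewrites the endpoint's security descriptor.
.PARAMETER SamAccountName
The SamAccount name of the user or group that you want to give access to. Could also be in the form
domain\SamAccountName, for example contoso\Administrator.
.PARAMETER ComputerName
Specifies the computer on which the command runs. The default is the local computer.
.PARAMETER EndpointName
Specifies the name of the WinRM endpoint you want to configure, the default is Microsoft.PowerShell.
.EXAMPLE
Add-PoShEndpointAccess -SamAccountName "contoso\PoShUsers" -ComputerName MyPoShEndpoint.contoso.com
.EXAMPLE
Add-PoShEndpointAccess -SamAccountName "contoso\PoShUsers" -WhatIf
Shows which endpoint would be changed without modifying anything.
#>
[CmdletBinding(SupportsShouldProcess=$true)]
Param
(
    [Parameter(Mandatory=$true,
               ValueFromPipelineByPropertyName=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$SamAccountName,
    [Parameter(Mandatory=$false)]
    [string]$ComputerName = '.',
    [Parameter(Mandatory=$false)]
    [string]$EndpointName = 'Microsoft.PowerShell'
)
Begin {
    # One worker for both the local and the remote case, so the ACL logic
    # exists only once. It runs through Invoke-Command for remote targets,
    # so it must rely solely on its own parameters (a remote scriptblock
    # cannot see the caller's variables).
    $grantAccess = {
        param(
            [string]$Account,   # user or group, optionally DOMAIN\name
            [string]$Endpoint,  # session configuration name
            [bool]$IsRemote     # $true when running inside a WinRM session
        )
        $identity = New-Object Security.Principal.NTAccount $Account
        try {
            # Keep the SecurityIdentifier object; AddAccess wants the SID, not its string form.
            $sid = $identity.Translate([Security.Principal.SecurityIdentifier])
        }
        catch {
            throw "Failed to translate $Account to a valid SID. $($_.Exception.Message)"
        }
        try {
            $config = Get-PSSessionConfiguration -Name $Endpoint -ErrorAction Stop
        }
        catch {
            if ($_.ToString() -like '*access is denied*') {
                if ($IsRemote) {
                    throw 'You need to have Admin-access and enable CredSSP to run this command remotely!'
                }
                throw 'You need to have Admin-access to run this command!'
            }
            # Any other failure (for example an unknown endpoint name) must not be
            # swallowed: continuing with a null configuration would build a new
            # descriptor from an empty SDDL and overwrite the endpoint's ACL with it.
            throw
        }
        $existingSDDL = $config.SecurityDescriptorSDDL
        if ([string]::IsNullOrEmpty($existingSDDL)) {
            throw "Endpoint $Endpoint has no security descriptor SDDL to extend."
        }
        # A session configuration is neither a container nor a directory-service object.
        $isContainer = $false
        $isDS = $false
        $descriptor = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor `
            -ArgumentList $isContainer, $isDS, $existingSDDL
        $accessType = [Security.AccessControl.AccessControlType]::Allow
        # 0x10000000 = GENERIC_ALL: full access to the session configuration.
        $accessMask = 268435456
        $inheritanceFlags = [Security.AccessControl.InheritanceFlags]::None
        $propagationFlags = [Security.AccessControl.PropagationFlags]::None
        $descriptor.DiscretionaryAcl.AddAccess($accessType, $sid, $accessMask, $inheritanceFlags, $propagationFlags)
        $setParams = @{
            Name                   = $Endpoint
            SecurityDescriptorSddl = $descriptor.GetSddlForm('All')
            Confirm                = $false
            Force                  = $true
        }
        if ($IsRemote) {
            # Restarting WinRM from inside a WinRM session would cut this very
            # connection; the caller restarts the service afterwards.
            $setParams['NoServiceRestart'] = $true
        }
        $null = Set-PSSessionConfiguration @setParams
    }
}
Process {
    $isLocal = ($ComputerName -eq '.' -or $ComputerName -eq "$($env:COMPUTERNAME)")
    $target = if ($isLocal) { $env:COMPUTERNAME } else { $ComputerName }
    # Honour -WhatIf / -Confirm before touching the endpoint's ACL.
    if (-not $PSCmdlet.ShouldProcess("endpoint '$EndpointName' on $target", "Grant $SamAccountName full access")) {
        return
    }
    if ($isLocal) {
        & $grantAccess $SamAccountName $EndpointName $false
    }
    else {
        # -ErrorAction Stop turns a throw inside the remote scriptblock into a
        # terminating error here instead of a silently continued pipeline.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $grantAccess `
            -ArgumentList $SamAccountName, $EndpointName, $true -ErrorAction Stop
    }
}
End { }
}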