Windows PowerShell remoting and delegating user credentials

re: Windows PowerShell remoting and delegating user credentials

coderaven — Wed, 08 Aug 2012 19:16:06 GMT

Regardless of what one or the other customer wants. This article is very relevant. Think about applications like System Center Service Manager and creating a Self Service portal to do a particular action like disable and account, rename an account and all of the related items like Exchange, add group memberships. Today we would create a service account that has the access and let the portal run the job with the proper access and stop there. But lets tie in SC Orchestrator having the ability to run Runbooks, administrators wanting to use PowerShell to fix things while on the move. This causes a lot of issues because now we are passing around a service account to do all kinds of stuff that is just really messy.

Looking forward, we already see PowerShell Web Access coming in Windows Server 2012, and the OData Management stuff. It is completely legit today to think that I can take a new Windows Surface, IPad, Android device and manage entire entreprise from anywhere, no VPN required. Attach all of this to SSL and read Don Jones PowerShell Remoting Guide from PowerShellbooks dot com and you would see that having the tools locally is not needed and executing commands against a central server will improve security by decreasing your exposure.

Nice Rob!

re: Windows PowerShell remoting and delegating user credentials

Pronichkin — Sun, 05 Aug 2012 04:21:22 GMT

Totally agree with all of the above. The reasons for not having RSAT installed sound weird. Especially if it's fine for you to have all those helpdesk people enjoy Admin rights on that pretty strange middle server.

But anyway, who said PowerShell Remoting doesn't support Kerberos? It might be that particular module (didn't try that) but in general it works. E.g. you can enable Kerberos delegation (instead of using CredSSP) and have browsing remote file shares from inside remote PowerShell session. I tried it many times and it works.

Also I don't like the idea of configuring all the stuff manually. There are Group Policy settings for all of that. And if you're speaking of such things as ensuring the service is set to autostart, it's also worth to note that firewall exceptions should be in place. Yeah, normally Enable-PSRemoting would take care of that. But I often have Firewall state enforced with Group Policy without permitting locally defined exceptions.

re: Windows PowerShell remoting and delegating user credentials

Nebuly — Fri, 03 Aug 2012 16:27:59 GMT

I agree with LA, it seems like they forgot to sit 5 minutes in front of the coffee machine and think about it (well at least it works for me. Sometime :D). Well i've seen far worse.

What about installing ADAC on Helpdesk computers ? Could this work ?

re: Windows PowerShell remoting and delegating user credentials

Patris_70 — Thu, 02 Aug 2012 19:05:26 GMT

Thanks, Ravikanth Chaganti (MVP) has same article and great PDF about PowerShell 2.0 remoting guide.

www.ravichaganti.com/blog

www.ravichaganti.com/.../A%20layman%27s%20guide%20to%20PowerShell%202.0%20remoting-v2.pdf

Thanks again

Regards

re: Windows PowerShell remoting and delegating user credentials

NedPyle [MSFT] — Thu, 02 Aug 2012 17:33:30 GMT

Right on all counts. Or at least, that's what I keep telling myself.

:-)

The company is always hiring, give us a look: careers.microsoft.com/gclp.aspx

re: Windows PowerShell remoting and delegating user credentials

LA Richards — Thu, 02 Aug 2012 17:30:18 GMT

Well, I imagine at the end of the day there is satisfaction knowing you delivered the product per your customers request. And, ultimately it is their decision, as long as their configuration stays in a "supported" configuration. Right?

I imagine the detachment from a project or problem takes a little getting used to. :) (I'd totally work for Microsoft, difficult problems and all)

re: Windows PowerShell remoting and delegating user credentials

NedPyle [MSFT] — Thu, 02 Aug 2012 16:21:43 GMT

You would not like working here, LA.

:-)

re: Windows PowerShell remoting and delegating user credentials

LA Richards — Thu, 02 Aug 2012 15:53:51 GMT

Why didn't they just install the Powershell AD module from RSAT on the client workstations? Is it not possible to install the module without the AD MMC snap-ins? Or they could have gone with a vendor like Quest that wrote AD specific comdlets...the further I look down this rabbit hole the more questions I have. It's like they said "what's the worst way we can do this?" and went with that.