Good news! Windows 2012 R2 came with hundreds of new features, and a few of them are real gems (Windows 2016 then added a lot more).
In this post I am talking about “PowerShell Web Access”.
What you need:
A Windows 2012 R2 machine with access to other servers using PowerShell (PowerShell remoting)
Install the PowerShell Web Access role
Open PowerShell as administrator and run the command below to install the role
Install-WindowsFeature -Name WindowsPowerShellWebAccess -ComputerName <server_name> -IncludeManagementTools -Restart
Install and configure the gateway
To create an application pool and enable https using a self-signed certificate run
Note: UseTestCertificate creates a self-signed certificate and associates it
Configure authorization rules and security
Now, to create an authorization rule, run the command below in the same PowerShell prompt
Add-PswaAuthorizationRule -UserName <domain\user1> -ComputerName <server1> -ConfigurationName *
This command gives user domain\user1 access to machine server1
If you want to give access to all users who have access to the server across the network:
Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName * or (Add-PswaAuthorizationRule * * *)
To retrieve the authorization rules, run “Get-PswaAuthorizationRule”
Test PowerShell Web Access using https://<server_name>/pswa
If you want to restrict the cmdlets, functions or modules each user can run, you could enable Just Enough Administration (JEA in Windows 2016)
Or create a new PowerShell session configuration with specific functions or modules.
For example, I want to restrict a few users so that, on the servers they access, they can do only “Local server disk administration”
Create a new PSSession configuration
New-PSSessionConfigurationFile -ModulesToImport Storage -Path "C:\Program Files\WindowsPowerShell\Custom\StorageAdmins.pssc"
Register the new configuration with the name StorageAdmin
Register-PSSessionConfiguration -Name "StorageAdmin" -Path "C:\Program Files\WindowsPowerShell\Custom\StorageAdmins.pssc" -ShowSecurityDescriptorUI
Note: ShowSecurityDescriptorUI gives us the option to grant non-administrators execute (invoke) access to this PS session configuration
Create a new authorization rule using
Add-PswaAuthorizationRule -UserName hrbinc\px141604 -ComputerName vipin-vm2012 -ConfigurationName "StorageAdmin"
Log in to the session using “optional connection settings” with the configuration name set to “StorageAdmin”
Using this account you can administer only local storage on that server; it will not execute any other cmdlet
Note: Instead of using predefined modules, you can even create custom modules and import them as well.
Use PowerShell DSC to copy over new modules or configuration files and register them.
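
New-PSSessionConfigurationFile defaults to -SessionType Default, in which -ModulesToImport only preloads a module and does not hide other commands. The following added example (not code from the original post) builds the StorageAdmin file as a restricted endpoint and then lists what a connecting user can actually see; the function list in $allowed is an assumed selection from the Storage module, and the check is assumed to run from an elevated prompt on the server itself.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt.
$psscPath = 'C:\Program Files\WindowsPowerShell\Custom\StorageAdmins.pssc'
New-Item -ItemType Directory -Force -Path (Split-Path $psscPath) | Out-Null

# Assumed selection of Storage module commands (they are functions, not cmdlets).
$allowed = 'Get-Disk', 'Get-Partition', 'Get-Volume',
           'Initialize-Disk', 'New-Partition', 'Format-Volume'

# Weak form, for comparison: SessionType stays 'Default', so Import-Module and
# every other command remain available to the connecting user.
#   New-PSSessionConfigurationFile -ModulesToImport Storage -Path $psscPath

# Restricted form: nothing is visible except the listed functions and the
# small command set that RestrictedRemoteServer always exposes.
$pssc = @{
    Path             = $psscPath
    SessionType      = 'RestrictedRemoteServer'
    LanguageMode     = 'NoLanguage'
    ModulesToImport  = 'Storage'
    VisibleFunctions = $allowed
}
New-PSSessionConfigurationFile @pssc

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Invalid session configuration file: $psscPath"
}

# Replace any earlier registration under the same name.
if (Get-PSSessionConfiguration -Name 'StorageAdmin' -ErrorAction SilentlyContinue) {
    Unregister-PSSessionConfiguration -Name 'StorageAdmin' -Force
}
Register-PSSessionConfiguration -Name 'StorageAdmin' -Path $psscPath -ShowSecurityDescriptorUI -Force

# Verify from the user's point of view: list every command the endpoint exposes.
$visible = Invoke-Command -ComputerName localhost -ConfigurationName 'StorageAdmin' -ScriptBlock { Get-Command }
$visible | Sort-Object Name | Format-Table CommandType, Name -AutoSize

# Commands documented as always present in a RestrictedRemoteServer session.
$builtin = 'Exit-PSSession', 'Get-Command', 'Get-FormatData', 'Get-Help',
           'Measure-Object', 'Out-Default', 'Select-Object'

$unexpected = $visible | Where-Object { ($allowed + $builtin) -notcontains $_.Name }
if ($unexpected) {
    Write-Warning ("Review these extra commands: " + ($unexpected.Name -join ', '))
}
```

The session still runs under the connecting user's own account, so the user also needs the Windows rights the exposed storage functions require.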