Manage your datacenter over the web using PowerShell web access


Good news! Windows 2012 R2 came with hundreds of new features, and a few of them are real gems (Windows 2016 then added a lot more).

This post is about “PowerShell Web Access”.

With PowerShell Web Access, you can do almost any task on any remote server from any device that has a standard web browser that supports HTTPS, JavaScript, and cookies. Yes, that’s right: with this Windows PowerShell Web Access gateway (https://servername/pswa), you could manage any server in the datacenter from the lunch table using your smartphone or tablet.

What you need:

A Windows 2012 R2 machine with access to the other servers using PowerShell (PowerShell remoting)

Install the PowerShell Web Access role

Open PowerShell as administrator and run the command below to install the role

Install-WindowsFeature -Name WindowsPowerShellWebAccess -ComputerName <server_name> -IncludeManagementTools -Restart

Install and configure the gateway

To create an application pool and enable HTTPS using a self-signed certificate, run

Install-PswaWebApplication -UseTestCertificate

Note: -UseTestCertificate creates a self-signed certificate and associates it with the web application

Configure authorization rules and security

To create an authorization rule, run the command below in the same PowerShell prompt

Add-PswaAuthorizationRule -UserName <domain\user1> -ComputerName <server1> -ConfigurationName *

This command gives user domain\user1 access to machine server1

If you want to give access to all users who have access to the servers across the network, run

Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName *

or, in short form:

Add-PswaAuthorizationRule * * *

To retrieve the authorization rules, run “Get-PswaAuthorizationRule”

Test PowerShell Web Access using https://<server_name>/pswa

If you want to restrict the cmdlets, functions or modules that each user can run, you can enable Just Enough Administration (JEA, in Windows 2016)

Or create a new PowerShell session configuration with specific functions or modules.

For example, suppose I want to restrict a few users so that the only thing they can do on the servers is “Local server disk administration”

Create a new PSSession configuration file

New-PSSessionConfigurationFile -ModulesToImport Storage -Path "C:\Program Files\WindowsPowerShell\Custom\StorageAdmins.pssc"

Register the new configuration with the name StorageAdmin

Register-PSSessionConfiguration -Name "StorageAdmin" -Path "C:\Program Files\WindowsPowerShell\Custom\StorageAdmins.pssc" -ShowSecurityDescriptorUI

Note: -ShowSecurityDescriptorUI opens a dialog where you can give non-administrators Execute (Invoke) access to this PS session configuration

Create a new authorization rule using

Add-PswaAuthorizationRule -UserName domain\userid -ComputerName <computername> -ConfigurationName "StorageAdmin"

Log in to the session using “optional connection settings”, with the configuration name set to “StorageAdmin”

Using this account you can administer only local storage on that server; it will not execute any other cmdlet
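
A tighter variant of the StorageAdmin setup above, as an added example that is not from the original post: the default session type still leaves Import-Module and the full language available to the user, so this version uses RestrictedRemoteServer with an explicit list of visible Storage functions, scopes the gateway rule to one user and one server, and lists any wildcard rules still present. The account, server name, file name, endpoint name and the chosen function list are placeholder assumptions.

```powershell
# Added example: account, server, path, endpoint name and function list are placeholders.
$user     = 'DOMAIN\userid'      # placeholder account
$server   = 'server1'            # placeholder target server
$pssc     = 'C:\Program Files\WindowsPowerShell\Custom\StorageAdminsRestricted.pssc'
$endpoint = 'StorageAdminRestricted'

# --- On the target server: build and register the constrained endpoint ---
New-Item -ItemType Directory -Path (Split-Path $pssc) -Force | Out-Null

# RestrictedRemoteServer starts the session in NoLanguage mode with only a few
# proxy commands (Get-Command, Get-Help, Exit-PSSession, Select-Object, ...).
# Storage commands are CDXML functions, so they are exposed with
# -VisibleFunctions; anything not listed, Import-Module included, stays hidden.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport Storage `
    -VisibleFunctions 'Get-Disk', 'Get-Partition', 'Get-Volume', 'Get-PhysicalDisk'

# Validate the file before registering it
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}
Register-PSSessionConfiguration -Name $endpoint -Path $pssc -ShowSecurityDescriptorUI -Force

# --- On the PSWA gateway: one user, one server, one endpoint ---
Add-PswaAuthorizationRule -UserName $user -ComputerName $server -ConfigurationName $endpoint

# Show which rule, if any, admits this user to the restricted endpoint,
# then check whether another rule also admits them to the default endpoint.
Test-PswaAuthorizationRule -UserName $user -ComputerName $server -ConfigurationName $endpoint
Test-PswaAuthorizationRule -UserName $user -ComputerName $server -ConfigurationName 'Microsoft.PowerShell'

# List every rule that still contains a wildcard in user, destination or endpoint
Get-PswaAuthorizationRule |
    Where-Object { $_.User -eq '*' -or $_.Destination -eq '*' -or $_.ConfigurationName -eq '*' } |
    Format-Table Id, RuleName, User, Destination, ConfigurationName -AutoSize
```

A wildcard rule such as Add-PswaAuthorizationRule * * * also matches this user, so the restricted endpoint only limits them once such rules are gone from the gateway.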

Note: Instead of using predefined modules, you can also create custom modules and import them.

Use PowerShell DSC to copy over new modules or configuration files and register them.
