Setting up Just Enough Administration for ADConnect

a guest
Jul 20th, 2017
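  #Setting UP JEA for AD Connect
  # Walk-through script, meant to be run step by step from the ISE: the 'return' below stops
  # F5 from executing the whole file at once. End result is a JEA endpoint 'JEA_ADConnect'
  # that exposes only a handful of ADSync cmdlets, runs as a virtual account and records transcripts.
  return

  # Paths and names are defined once so that every step agrees on them
  # (the session file, the module and the role capability file all refer to each other by name).
  $jeaRoot       = Join-Path $env:ProgramData 'JEAConfiguration'
  $transcriptDir = Join-Path $jeaRoot 'Transcripts'
  $sessionFile   = Join-Path $jeaRoot 'JEA_ADConnect.pssc'
  $moduleName    = 'JEA_ADConnectOperator'
  $moduleRoot    = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
  $roleCapDir    = Join-Path $moduleRoot 'RoleCapabilities'
  $roleCapFile   = Join-Path $roleCapDir "$moduleName.psrc"

  #The first step is to run the following command to verify that remote access is enabled on the machine
  Enable-PSRemoting

  #Each session can be restricted to give PowerShell just a limited set of functionality. To list them, use the
  Get-PSSessionConfiguration | Select-Object Name

  #Next step is to create our own session file. These files use the “.pssc” extension and can be created via the New-PSSessionConfigurationFile cmdlet
  # -Force on the directories makes the walk-through re-runnable; it is deliberately NOT used on files below.
  New-Item -Path $jeaRoot -ItemType Directory -Force
  New-Item -Path $transcriptDir -ItemType Directory -Force
  # Operators of the endpoint have no reason to read or modify their own transcripts;
  # tighten the ACL on $transcriptDir so that only administrators/auditors can access it.

  # The endpoint settings are passed as parameters instead of being edited by hand afterwards,
  # so the result no longer depends on line numbers inside the generated template:
  #   SessionType 'RestrictedRemoteServer' -> no full language mode, only the visible commands
  #   TranscriptDirectory                  -> every session is recorded
  #   RunAsVirtualAccount                  -> commands run as a temporary local admin account, not as the user
  #   RoleDefinitions                      -> maps the CONTOSO\JEA_ADConnect group to the role capability created below
  $roleDefinitions = @{ 'CONTOSO\JEA_ADConnect' = @{ RoleCapabilities = $moduleName } }
  New-PSSessionConfigurationFile -Path $sessionFile -Full `
      -SessionType RestrictedRemoteServer `
      -TranscriptDirectory $transcriptDir `
      -RunAsVirtualAccount `
      -RoleDefinitions $roleDefinitions

  #Review the endpoint configuration file (optional, the fields above are already filled in)
  psedit $sessionFile

  #Verify that SessionType is 'RestrictedRemoteServer'
  #Verify that TranscriptDirectory points at the Transcripts folder created above
  #Verify that RunAsVirtualAccount is $true
  #Verify that the RoleDefinition reads
  # RoleDefinitions = @{'CONTOSO\JEA_ADConnect' = @{RoleCapabilities = 'JEA_ADConnectOperator'}}

  #Now we just have to register the configuration (this restarts the WinRM service)
  Register-PSSessionConfiguration -Name 'JEA_ADConnect' -Path $sessionFile
  #Unregister-PSSessionConfiguration -Name 'JEA_ADConnect'

  # The role capability must live in a module under a 'RoleCapabilities' folder; JEA resolves
  # the name used in RoleDefinitions against the .psrc files found there.
  New-Item -Path $moduleRoot -ItemType Directory -Force
  New-Item -Path $roleCapDir -ItemType Directory -Force

  # RootModule must name the .psm1 that is created right after it
  # (the original referenced JEAHelpdeskOperator.psm1, which never exists in this module).
  New-ModuleManifest -Path (Join-Path $moduleRoot "$moduleName.psd1") -RootModule "$moduleName.psm1"
  New-Item -Path (Join-Path $moduleRoot "$moduleName.psm1") -ItemType File

  # Only these cmdlets are visible inside the endpoint. To restrict a parameter as well, an entry
  # can be written as a hashtable, e.g.
  #   @{ Name = 'Start-ADSyncSyncCycle'; Parameters = @{ Name = 'PolicyType'; ValidateSet = 'Delta', 'Initial' } }
  New-PSRoleCapabilityFile -Path $roleCapFile -VisibleCmdlets @(
      'Start-ADSyncSyncCycle',
      'Get-ADSyncConnectorRunStatus',
      'Get-ADSyncScheduler',
      'Get-Module'
  )

  #Review the role capability file (optional, VisibleCmdlets is already set)
  psedit $roleCapFile

  #Verify the VisibleCmdlets entry reads
  #VisibleCmdlets = 'Start-ADSyncSyncCycle','Get-ADSyncConnectorRunStatus','Get-ADSyncScheduler','Get-Module'

  # Shows what a given user would get inside the endpoint, without opening a session
  Get-PSSessionCapability -Username 'CONTOSO\simon' -ConfigurationName JEA_ADConnect

  #Validate your config
  $nonAdminCred = Get-Credential -Credential "CONTOSO\simon"
  Enter-PSSession -ComputerName . -ConfigurationName JEA_ADConnect -Credential $nonAdminCred
  Get-Command -CommandType All
  Start-ADSyncSyncCycle -PolicyType Delta
  #Start-ADSyncSyncCycle -PolicyType Initial
  Exit-PSSession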