
Add-PoShEndpointAccess by DollarUnderscore 24 months ago

Function that adds an account/group to a WinRM endpoint (by default the default PowerShell endpoint). See the comment-based help or this blog post for more information:
http://dollarunderscore.azurewebsites.net/?p=5321

  1. #========================================================================
  2. # Created By: Anders Wahlqvist
  3. # Website: DollarUnderscore (http://dollarunderscore.azurewebsites.net)
  4. #========================================================================
  5.  
  6. function Add-PoShEndpointAccess
  7. {
  8.     <#
  9.     .Synopsis
  10.        Adds a group or user to a PowerShell (WinRM) endpoint to allow remote management.
  11.  
  12.     .DESCRIPTION
  13.        This function will edit the SDDL of a PowerShell (WinRM) endpoint to
  14.        allow remote management for the specified account/group.
  15.  
  16.        If you run this against a remote computer, CredSSP needs to be enabled and you need
  17.        to restart the WinRM-service manually afterwards (this function uses WinRM to connect
  18.        to the remote machine, which is why it will not restart the service itself).
  19.  
  20.     .PARAMETER SamAccountName
  21.        The SamAccount name of the user or group that you want to give access to. Could also be in the form
  22.        domain\SamAccountName, for example contoso\Administrator.
  23.  
  24.     .PARAMETER ComputerName
  25.        Specifies the computer on which the command runs. The default is the local computer.
  26.  
  27.     .PARAMETER EndpointName
  28.        Specifies then name of the WinRM endpoint you want to configure, the default is Microsoft.PowerShell.
  29.  
  30.     .EXAMPLE
  31.        Add-PoShEndpointAccess -SamAccountName "contoso\PoShUsers" -ComputerName MyPoShEndpoint.contoso.com
  32.  
  33.     #>
  34.  
  35.     [CmdletBinding()]
  36.     Param
  37.     (
  38.         [Parameter(Mandatory=$true,
  39.                    ValueFromPipelineByPropertyName=$true)]
  40.         $SamAccountName,
  41.  
  42.         [Parameter(Mandatory=$false)]
  43.         $ComputerName = '.',
  44.  
  45.         [Parameter(Mandatory=$false)]
  46.         $EndpointName = 'Microsoft.PowerShell'
  47.     )
  48.  
  49.     Begin { }
  50.  
  51.     Process {
  52.         if ($ComputerName -eq '.' -OR $ComputerName -eq "$($env:COMPUTERNAME)") {
  53.                 $IdentityObject = New-Object Security.Principal.NTAccount $SamAccountName
  54.                 try {
  55.                     $sid = $IdentityObject.Translate([Security.Principal.SecurityIdentifier]).Value
  56.                 }
  57.                 catch {
  58.                     throw "Failed to translate $SamAccountName to a valid SID."
  59.                 }
  60.  
  61.                 try {
  62.                     $PSSConfig = Get-PSSessionConfiguration -Name $EndpointName -ErrorAction Stop
  63.                 }
  64.                 catch {
  65.                     if ($_.Tostring() -like '*access is denied*') {
  66.                         throw 'You need to have Admin-access to run this command!'
  67.                     }
  68.                 }
  69.  
  70.                 $existingSDDL = $PSSConfig.SecurityDescriptorSDDL
  71.                 $isContainer = $false
  72.                 $isDS = $false
  73.  
  74.                 $SecurityDescriptor = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor -ArgumentList $isContainer,$isDS, $existingSDDL
  75.                 $accessType = 'Allow'
  76.                 $accessMask = 268435456
  77.                 $inheritanceFlags = 'none'
  78.                 $propagationFlags = 'none'
  79.                 $SecurityDescriptor.DiscretionaryAcl.AddAccess($accessType,$sid,$accessMask,$inheritanceFlags,$propagationFlags)
  80.  
  81.                 $null = Set-PSSessionConfiguration -Name $EndpointName -SecurityDescriptorSddl ($SecurityDescriptor.GetSddlForm('All')) -Confirm:$false -Force
  82.  
  83.         }
  84.         else {
  85.             Invoke-Command -ArgumentList $SamAccountName,$EndpointName -ScriptBlock {
  86.                 $IdentityObject = New-Object Security.Principal.NTAccount $args[0]
  87.                 $EndpointName = $args[1]
  88.  
  89.                 try {
  90.                     $sid = $IdentityObject.Translate([Security.Principal.SecurityIdentifier]).Value
  91.                 }
  92.                 catch {
  93.                     throw "Failed to translate $($args[0]) to a valid SID."
  94.                 }
  95.  
  96.                 try {
  97.                     $PSSConfig = Get-PSSessionConfiguration -Name $EndpointName -ErrorAction Stop
  98.                 }
  99.                 catch {
  100.                     if ($_.Tostring() -like '*access is denied*') {
  101.                         throw 'You need to have Admin-access and enable CredSSP to run this command remotely!'
  102.                     }
  103.                 }
  104.  
  105.                 $existingSDDL = $PSSConfig.SecurityDescriptorSDDL
  106.                 $isContainer = $false
  107.                 $isDS = $false
  108.  
  109.                 $SecurityDescriptor = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor -ArgumentList $isContainer,$isDS, $existingSDDL
  110.                 $accessType = 'Allow'
  111.                 $accessMask = 268435456
  112.                 $inheritanceFlags = 'none'
  113.                 $propagationFlags = 'none'
  114.                 $SecurityDescriptor.DiscretionaryAcl.AddAccess($accessType,$sid,$accessMask,$inheritanceFlags,$propagationFlags)
  115.  
  116.                 $null = Set-PSSessionConfiguration -Name $EndpointName -SecurityDescriptorSddl ($SecurityDescriptor.GetSddlForm('All')) -Confirm:$false -Force -NoServiceRestart
  117.  
  118.             } -ComputerName $ComputerName
  119.         }
  120.     }
  121.  
  122.     End { }
  123. }
