@martin77s
Created February 25, 2018 17:54
Add permissions to a Session Configuration programmatically
# The identity to add permissions for
$Identity = "myDomain\nonAdmins"
# The name of the session configuration to change permissions on (default is 'microsoft.powershell')
$sessionConfigurationName = 'microsoft.powershell'
# Get the current security descriptor (SDDL) of the endpoint
$sddl = (Get-PSSessionConfiguration -Name $sessionConfigurationName).SecurityDescriptorSddl
# Build the new Access Control Entry object
$rights = -1610612736 # Access mask 0xA0000000 = GENERIC_READ | GENERIC_EXECUTE ('GXGR' in SDDL)
$IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])).Value
$newAce = New-Object System.Security.AccessControl.CommonAce(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $rights, $IdentitySID, $false, $null
)
# Prepare the RawSecurityDescriptor and append the ACE to the DACL if it is not already present
$rawSD = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
if ($rawSD.DiscretionaryAcl.GetEnumerator() -notcontains $newAce) {
    $rawSD.DiscretionaryAcl.InsertAce($rawSD.DiscretionaryAcl.Count, $newAce)
}
$newSDDL = $rawSD.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
# Set the PSSessionConfiguration permissions (run elevated; the cmdlet asks for confirmation and restarts the WinRM service)
Set-PSSessionConfiguration -Name $sessionConfigurationName -SecurityDescriptorSddl $newSDDL
# Verify permissions were added
(Get-PSSessionConfiguration -Name $sessionConfigurationName).Permission -split ', '
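
To review the result at the ACE level rather than through the flattened `Permission` string, the following added example (not part of the original gist) decodes a configuration's SDDL into one row per ACE. `Get-SddlAce` is a hypothetical helper name, and the sample SDDL with its domain SID is constructed for illustration.

```powershell
# Added example: decode a session configuration DACL one ACE at a time.
function Get-SddlAce {
    param([Parameter(Mandatory)][string]$Sddl)

    # Generic access bits as they appear in an ACE access mask
    $genericRights = [ordered]@{
        GenericRead    = 0x80000000
        GenericWrite   = 0x40000000
        GenericExecute = 0x20000000
        GenericAll     = 0x10000000
    }

    $rawSD = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $rawSD.DiscretionaryAcl) {
        # Resolve the SID to an account name where possible; unresolved SIDs are shown as-is
        try   { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $ace.SecurityIdentifier.Value }

        $names = $genericRights.Keys | Where-Object { $ace.AccessMask -band $genericRights[$_] }
        [pscustomobject]@{
            Account    = $account
            Qualifier  = $ace.AceQualifier                 # AccessAllowed / AccessDenied
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
            Rights     = $names -join ', '
        }
    }
}

# Constructed sample SDDL (not from a real host): Administrators and Interactive
# with GenericAll, plus a made-up domain SID holding the GXGR mask the gist grants.
$sample = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GXGR;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
Get-SddlAce -Sddl $sample | Format-Table -AutoSize

# On a live host (elevated), review every endpoint that has an explicit descriptor:
# Get-PSSessionConfiguration | Where-Object SecurityDescriptorSddl |
#     ForEach-Object { Get-SddlAce -Sddl $_.SecurityDescriptorSddl }
```

Any row whose account is not an expected administrative or remoting group shows who else can connect to that endpoint and with which generic rights.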