0 Votes
josephpatrick-7433 asked VickyWang-MFST answered

Just Enough Administration for Domain Controllers

I am building a JEA file for Domain Controllers. One file will be to perform read-only items; the second file would be to perform certain executable/change items like restarting services or doing role activities.

I have read the various documentation out there but have not seen anything regarding domain controllers... What would be ideal to have in a DC jea file?

Is there a JEA template out there with settings ideal for Domain Controllers?

windows-server-powershell windows-server-security

1 Vote
DSPatrick answered

Some ideas here.
http://woshub.com/using-powershell-just-enough-administration-jea/

--please don't forget to Accept as answer if the reply is helpful--



0 Votes
VickyWang-MFST answered

Hi,
Glad your problem has been solved
Best wishes
Vicky


0 Votes
DSPatrick answered

Just checking if there's any progress or updates?

--please don't forget to Accept as answer if the reply is helpful--





0 Votes
VickyWang-MFST answered

Hi,
Thank you for posting in our forum.

First of all, create a configuration file of a PowerShell session (*.pssc). To do it, run this command on your domain controller:

New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'

Open the PSSC file using Notepad.
The PSSC file sets who may connect to this JEA endpoint and under what account the commands in the JEA session will run.

Modify the following values:

SessionType from Default to RestrictedRemoteServer. This mode allows the use of the following PowerShell cmdlets: Clear-Host, Exit-PSSession, Get-Command, Get-FormatData, Get-Help, Measure-Object, Out-Default or Select-Object.
Specify a folder (create it) in the TranscriptDirectory parameter. Here you will log all JEA user actions: TranscriptDirectory = 'C:\PS\JEA_logs'
The RunAsVirtualAccount option allows commands to run under a virtual administrator account (member of the local Administrator or Domain Administrator group): RunAsVirtualAccount = $true

For specific steps, please refer to the link provided by Patrick. The following link can give you some information:


https://docs.servicenow.com/bundle/quebec-it-operations-management/page/product/discovery/concept/microsoft-jea-discovery.html

https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/session-configurations?view=powershell-7.1

Hope this information can help you
Best wishes
Vicky
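
An added example, not part of the answer above or of the linked articles: one JEA endpoint on a domain controller that uses the three session settings from the answer and maps two AD groups to a read-only role and a change role, as the question describes. The module name `DC_JEA`, the `CONTOSO\...` group names, the endpoint name and the cmdlet and service lists are assumptions to replace with your own.

```powershell
# Added example: module name, group names and cmdlet lists are hypothetical.
$module  = 'C:\Program Files\WindowsPowerShell\Modules\DC_JEA'
$roleDir = Join-Path $module 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\PS\JEA_logs' -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'DC_JEA.psd1')

# Role 1: read-only. Only Get-* cmdlets are visible, no external commands.
$readOnly = 'Get-Service', 'Get-ADUser', 'Get-ADGroup', 'Get-ADComputer',
            'Get-ADDomainController', 'Get-ADReplicationFailure'
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'DCReadOnly.psrc') `
    -ModulesToImport 'ActiveDirectory' -VisibleCmdlets $readOnly

# Role 2: change operations. Restart-Service accepts only the listed service
# names, so the role cannot restart arbitrary services on the DC.
$operator = 'Get-Service',
            @{ Name       = 'Restart-Service'
               Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon', 'W32Time' } }
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'DCOperator.psrc') `
    -VisibleCmdlets $operator

# Session configuration: the three settings from the answer plus the
# group-to-role mapping. On a domain controller the virtual account is a
# member of Domain Admins, so the visible-cmdlet lists above are the
# effective restriction on what a connected user can do.
$pssc = 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -TranscriptDirectory 'C:\PS\JEA_logs' `
    -RunAsVirtualAccount `
    -RoleDefinitions @{
        'CONTOSO\JEA_DC_ReadOnly'  = @{ RoleCapabilities = 'DCReadOnly' }
        'CONTOSO\JEA_DC_Operators' = @{ RoleCapabilities = 'DCOperator' }
    }

# Validate the file before registering; registration restarts WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid PSSC: $pssc" }
Register-PSSessionConfiguration -Name 'dc_manage' -Path $pssc -Force
```

A member of either group then connects with `Enter-PSSession -ComputerName <DC> -ConfigurationName dc_manage`, and `Get-Command` inside the session lists exactly what that role exposes.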
