0 Votes"
BojanZivkovic-7448 asked BojanZivkovic-7448 answered

PowerShell JEA - issues with Add-ADGroupMember cmdlet

Hi, I am building a PAM request tool for the other team - it will add them temporarily to an AD group that is local admin on all servers they own/manage. Having created session configuration/role capability files allowing them only to execute the Add-ADGroupMember cmdlet, I registered the session configuration and all tests were successful with this line in the .psrc file.

VisibleCmdlets = 'Add-ADGroupMember'

However, when I want to restrict this cmdlet to be executed only against the AD group mentioned above, the Add-ADGroupMember cmdlet is no longer recognized (as if it is not listed in the .psrc file).

VisibleCmdlets = @{ Name = 'Add-ADGroupMember'; Parameters = @{ Name = 'Identity'; ValidateSet = 'DSC_Cloud_Admins' }}

I do not see any syntax mistake here, and according to https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/role-capabilities?view=powershell-5.1 this should work.

Why is this happening? Thank you in advance.

windows-server-powershell
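The role capability syntax from the question, as an added example that is not the asker's code or Microsoft's: it writes the .psrc with the documented per-parameter restriction, maps it to a role in a .pssc, and then uses Get-PSSessionCapability to show which commands and parameters the endpoint actually exposes to a user. The module path, the endpoint name 'ADGroupPAM', and the CONTOSO accounts are assumptions; the block also lists the Members and MemberTimeToLive parameters used in the thread's PAM scenario, because a Parameters restriction in JEA exposes only the parameters it names.

```powershell
# Added example, not code from the post. Module path, endpoint name and the
# CONTOSO accounts are assumptions; 'DSC_Cloud_Admins' is the group from the question.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ADGroupPAM'
$rcPath     = Join-Path $modulePath 'RoleCapabilities\ADGroupPAM.psrc'
New-Item -ItemType Directory -Path (Split-Path $rcPath) -Force | Out-Null

# Role capability: Add-ADGroupMember only, with Identity locked to one group.
# JEA builds a proxy that exposes only the listed parameters, so Members and
# MemberTimeToLive (needed for a time-bound membership) are listed explicitly.
New-PSRoleCapabilityFile -Path $rcPath -ModulesToImport 'ActiveDirectory' -VisibleCmdlets @(
    @{
        Name       = 'Add-ADGroupMember'
        Parameters = @(
            @{ Name = 'Identity'; ValidateSet = 'DSC_Cloud_Admins' },
            @{ Name = 'Members' },
            @{ Name = 'MemberTimeToLive' }
        )
    }
)

# Confirm the .psrc parses as a PowerShell data file before registering anything.
Import-PowerShellDataFile -Path $rcPath | Format-List

# Session configuration: restricted endpoint, virtual account, one role mapping.
# The role name must match the .psrc file name under a RoleCapabilities folder
# of a module on $env:PSModulePath.
$psscPath = Join-Path $env:TEMP 'ADGroupPAM.pssc'
New-PSSessionConfigurationFile -Path $psscPath -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -RoleDefinitions @{ 'CONTOSO\PAM-Requesters' = @{ RoleCapabilities = 'ADGroupPAM' } }
Test-PSSessionConfigurationFile -Path $psscPath      # $true when the .pssc is valid

# Registering needs an elevated shell and restarts WinRM.
Register-PSSessionConfiguration -Name 'ADGroupPAM' -Path $psscPath -Force | Out-Null

# Show exactly what a requester would get in the endpoint: the command list and
# the parameters left on the Add-ADGroupMember proxy.
$cap = Get-PSSessionCapability -ConfigurationName 'ADGroupPAM' -Username 'CONTOSO\requester'
$cap | Select-Object Name, CommandType
($cap | Where-Object Name -eq 'Add-ADGroupMember').Parameters.Keys
```

If Add-ADGroupMember is missing from the Get-PSSessionCapability output, the role capability was not picked up by the endpoint at all; if it is present, the listed parameter keys show which restrictions took effect.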

0 Votes"
LimitlessTechnology-2700 answered

Hi there,

When creating a JEA endpoint, you need to define one or more role capabilities that describe what someone can do in a JEA session. Make sure it has been done following the same link that you have shared.

This issue occurs if the group has a member from another forest whose account has been removed from the account forest. The member is represented in the local domain by a Foreign Security Principal (FSP).

To resolve this issue, enable logging for the resolution requests that concern these SIDs and that are performed by the Active Directory Web Service. In this way, you can identify the accounts that fail resolution. To do this, run the Get-ADGroupMember cmdlet on the domain controller of contoso.com.

You can get more info from here https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/get-adgroupmember-error-remote-forest-members



--If the reply is helpful, please Upvote and Accept it as an answer--


0 Votes"
BojanZivkovic-7448 answered

The AD group I would like other team members to add themselves to temporarily, leveraging the MemberTimeToLive parameter, is empty by default and will contain other team members only after they submit a PAM request adding them to the group - all accounts are from the same domain as the AD group itself.

I just want to ensure (although in the GUI tool code the AD group name they will be added to is hard-coded) that they can only add themselves to that group - a ValidateSet on the Identity parameter value should work, but as I said, if I do that, Add-ADGroupMember is not a visible cmdlet inside the custom session configuration.
