Control remote PowerShell access to Exchange servers

Remote PowerShell in Microsoft Exchange allows you to manage your Exchange organization from a remote computer that's on your internal network or from the Internet. You can disable or enable a user's ability to connect to an Exchange server using remote PowerShell. For more information about remote PowerShell, see Exchange Server PowerShell (Exchange Management Shell).

For additional management tasks related to remote PowerShell, see Connect to Exchange servers using remote PowerShell.

What do you need to know before you begin?

  • Estimated time to complete each procedure: less than 5 minutes

  • You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

  • By default, all user accounts have access to remote PowerShell. However, to actually use remote PowerShell to connect to an Exchange server, the user needs to be a member of a management role group, or be directly assigned a management role that enables the user to run Exchange cmdlets. For more information about role groups and management roles, see Permissions.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Remote PowerShell" entry in the Exchange and Shell Infrastructure Permissions topic.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.

Use the Exchange Management Shell to enable or disable remote PowerShell access for a user

This example disables remote PowerShell access for the user named Therese Lindqvist.

Set-User "Therese Lindqvist" -RemotePowerShellEnabled $false

This example enables remote PowerShell access for the user named Sirirat Kitjakarn.

Set-User "Sirirat Kitjakarn" -RemotePowerShellEnabled $true

Use the Exchange Management Shell to disable remote PowerShell access for many users

To prevent remote PowerShell access for a specific group of existing users, you have the following options:

  • Filter users based on an existing attribute: This method assumes that the target user accounts all share a unique filterable attribute. Some attributes, such as Title, Department, address information, and telephone number, are visible only when you use the Get-User cmdlet. Other attributes, such as CustomAttribute1-15, are visible only when you use the Get-Mailbox cmdlet.

  • Use a list of specific users: After you generate the list of specific users, you can use that list to disable their access to remote PowerShell.

Filter users based on an existing attribute

To disable access to remote PowerShell for any number of users based on an existing attribute, use the following syntax:

$<VariableName> = <Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter>
$<VariableName> | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}

This example removes access to remote PowerShell for all users whose Title attribute contains the value "Sales Associate".

$DSA = Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')}
$DSA | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}

Use a list of specific users

To disable access to remote PowerShell for a list of specific users, use the following syntax:

$<VariableName> = Get-Content <text file>
$<VariableName> | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}

This example uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their user principal name (UPN). The text file must contain one UPN on each line as follows:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

After you populate the text file with the user accounts you want to update, run the following commands:

$NPS = Get-Content "C:\My Documents\NoPowerShell.txt"
$NPS | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}
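
The list-based procedure above, extended so that blank lines, unknown UPNs and failed updates are reported instead of silently skipped. This is an added example, not part of the original article; the report path is hypothetical, and the cmdlets and parameters are the ones used on this page plus standard PowerShell.

```powershell
# Added example: apply the UPN list defensively and record the outcome per user.
$listPath   = "C:\My Documents\NoPowerShell.txt"
$reportPath = "C:\My Documents\NoPowerShell-report.csv"   # hypothetical output file

# Drop blank lines, stray whitespace and duplicates so an empty or repeated
# entry never reaches Set-User.
$upns = Get-Content $listPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' } |
    Sort-Object -Unique

$results = foreach ($upn in $upns) {
    $status = 'Disabled'
    try {
        # Fails (and is caught below) when the UPN does not resolve to a user.
        $user = Get-User -Identity $upn -ErrorAction Stop

        if ($user.RemotePowerShellEnabled -eq $false) {
            $status = 'AlreadyDisabled'
        }
        else {
            Set-User -Identity $upn -RemotePowerShellEnabled $false `
                -Confirm:$false -ErrorAction Stop

            # Read the value back rather than assuming the change applied.
            # A read served by a different domain controller may briefly
            # show the old value.
            $after = Get-User -Identity $upn -ErrorAction Stop
            if ($after.RemotePowerShellEnabled) { $status = 'StillEnabled' }
        }
    }
    catch {
        $status = "Failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{ UserPrincipalName = $upn; Status = $status }
}

# Keep a record of the change, then show only the entries that need follow-up.
$results | Export-Csv -Path $reportPath -NoTypeInformation
$results |
    Where-Object { $_.Status -notin 'Disabled', 'AlreadyDisabled' } |
    Format-Table -Auto
```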

View the remote PowerShell access for users

To view the remote PowerShell access status for a specific user, use the following syntax:

Get-User -Identity <UserIdentity> | Format-List RemotePowerShellEnabled

This example displays the remote PowerShell access status of the user named Sarah Jones.

Get-User -Identity "Sarah Jones" | Format-List RemotePowerShellEnabled

To display the remote PowerShell access status for all users, run the following command:

Get-User -ResultSize unlimited | Format-Table -Auto Name,DisplayName,RemotePowerShellEnabled

To display only those users who don't have access to remote PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $false}

To display only those users who have access to remote PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $true}
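
Because every account has remote PowerShell access by default, the last query above is most useful when compared against the accounts that are supposed to have it. The following read-only audit is an added example, not part of the original article; the allow-list file (one UPN per line) and its path are hypothetical.

```powershell
# Added example: list accounts that still have remote PowerShell access
# but are not on an approved administrator list. Makes no changes.
$allowPath = "C:\My Documents\PowerShellAdmins.txt"   # hypothetical allow list

# Normalise the allow list: trim, lower-case, drop blank lines.
$allowed = @(
    Get-Content $allowPath |
        ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ -ne '' }
)

# Same query as on this page: everyone with remote PowerShell enabled.
$enabled = @(Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $true})

# An account is unexpected when it has no UPN to match on
# or its UPN is not in the allow list.
$unexpected = @(
    $enabled | Where-Object {
        $upn = [string]$_.UserPrincipalName
        ($upn -eq '') -or ($allowed -notcontains $upn.ToLower())
    }
)

$unexpected |
    Sort-Object RecipientType, Name |
    Format-Table -Auto Name, UserPrincipalName, RecipientType

"{0} of {1} enabled accounts are not on the allow list." -f $unexpected.Count, $enabled.Count
```

The UPNs from this report can be reviewed and written to a text file for the list-based disable procedure described earlier on this page.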