Add permissions to a Session Configuration

Though the recommended approach would be to upgrade to PowerShell 5.1 and implement JEA (preferable with DSC and the JEA DSC module), there sometimes might be a need to programmatically add permissions to a PowerShell session configuration.

Continuing the mentioned above, and a question asked on the reddit forum, below is an example on how to add a specific permission (ACE) to the configuration session permissions (ACL):

	# The identity to add permissions for
	$Identity = "myDomain\nonAdmins"
	# The configuration name to change permissions to (default is 'microsoft.powershell')
	$sessionConfigurationName = 'microsoft.powershell'
	# Get the current permissions on the default endpoint
	$sddl = (Get-PSSessionConfiguration -Name $sessionConfigurationName).SecurityDescriptorSddl
	# Build the new Access Control Entry object
	$rights = -1610612736 # AccessAllowed
	$IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Identity).Translate(
	[System.Security.Principal.SecurityIdentifier])).Value
	$newAce = New-Object System.Security.AccessControl.CommonAce(
	[System.Security.AccessControl.AceFlags]::None,
	[System.Security.AccessControl.AceQualifier]::AccessAllowed,
	$rights, $IdentitySID, $false, $null
	)
	# Prepare the RawSecurityDescriptor
	$rawSD = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
	if ($rawSD.DiscretionaryAcl.GetEnumerator() -notcontains $newAce) {
	$rawSD.DiscretionaryAcl.InsertAce($rawSD.DiscretionaryAcl.Count, $newAce)
	}
	$newSDDL = $rawSD.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
	# Set the PSSessionConfiguration permissions
	Set-PSSessionConfiguration -Name $sessionConfigurationName -SecurityDescriptorSddl $newSDDL
	# Verify permissions were added
	(Get-PSSessionConfiguration -Name $sessionConfigurationName).Permission -split ', '

view raw AddSessionConfigurationPermissions.ps1 hosted with ❤ by GitHub

HTH,
Martin.