Though the recommended approach would be to upgrade to PowerShell 5.1 and implement JEA (preferable with DSC and the JEA DSC module), there sometimes might be a need to programmatically add permissions to a PowerShell session configuration.
Continuing the mentioned above, and a question asked on the reddit forum, below is an example on how to add a specific permission (ACE) to the configuration session permissions (ACL):
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# The identity to add permissions for | |
$Identity = "myDomain\nonAdmins" | |
# The configuration name to change permissions to (default is 'microsoft.powershell') | |
$sessionConfigurationName = 'microsoft.powershell' | |
# Get the current permissions on the default endpoint | |
$sddl = (Get-PSSessionConfiguration -Name $sessionConfigurationName).SecurityDescriptorSddl | |
# Build the new Access Control Entry object | |
$rights = -1610612736 # AccessAllowed | |
$IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Identity).Translate( | |
[System.Security.Principal.SecurityIdentifier])).Value | |
$newAce = New-Object System.Security.AccessControl.CommonAce( | |
[System.Security.AccessControl.AceFlags]::None, | |
[System.Security.AccessControl.AceQualifier]::AccessAllowed, | |
$rights, $IdentitySID, $false, $null | |
) | |
# Prepare the RawSecurityDescriptor | |
$rawSD = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl | |
if ($rawSD.DiscretionaryAcl.GetEnumerator() -notcontains $newAce) { | |
$rawSD.DiscretionaryAcl.InsertAce($rawSD.DiscretionaryAcl.Count, $newAce) | |
} | |
$newSDDL = $rawSD.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All) | |
# Set the PSSessionConfiguration permissions | |
Set-PSSessionConfiguration -Name $sessionConfigurationName -SecurityDescriptorSddl $newSDDL | |
# Verify permissions were added | |
(Get-PSSessionConfiguration -Name $sessionConfigurationName).Permission -split ', ' |
HTH,
Martin.