Though the recommended approach would be to upgrade to PowerShell 5.1 and implement JEA (preferable with DSC and the JEA DSC module), there sometimes might be a need to programmatically add permissions to a PowerShell session configuration.
Continuing the mentioned above, and a question asked on the reddit forum, below is an example on how to add a specific permission (ACE) to the configuration session permissions (ACL):
| # The identity to add permissions for | |
| $Identity = "myDomain\nonAdmins" | |
| # The configuration name to change permissions to (default is 'microsoft.powershell') | |
| $sessionConfigurationName = 'microsoft.powershell' | |
| # Get the current permissions on the default endpoint | |
| $sddl = (Get-PSSessionConfiguration -Name $sessionConfigurationName).SecurityDescriptorSddl | |
| # Build the new Access Control Entry object | |
| $rights = -1610612736 # AccessAllowed | |
| $IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Identity).Translate( | |
| [System.Security.Principal.SecurityIdentifier])).Value | |
| $newAce = New-Object System.Security.AccessControl.CommonAce( | |
| [System.Security.AccessControl.AceFlags]::None, | |
| [System.Security.AccessControl.AceQualifier]::AccessAllowed, | |
| $rights, $IdentitySID, $false, $null | |
| ) | |
| # Prepare the RawSecurityDescriptor | |
| $rawSD = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl | |
| if ($rawSD.DiscretionaryAcl.GetEnumerator() -notcontains $newAce) { | |
| $rawSD.DiscretionaryAcl.InsertAce($rawSD.DiscretionaryAcl.Count, $newAce) | |
| } | |
| $newSDDL = $rawSD.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All) | |
| # Set the PSSessionConfiguration permissions | |
| Set-PSSessionConfiguration -Name $sessionConfigurationName -SecurityDescriptorSddl $newSDDL | |
| # Verify permissions were added | |
| (Get-PSSessionConfiguration -Name $sessionConfigurationName).Permission -split ', ' |
HTH,
Martin.
