Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling. Read and digest at your own peril!

This is actually dangerous. It will allow unprivileged users to create local users, remove local users and add users, including themselves, to the Administrators group (unless that is specifically stopped).

This JEA configuration will allow members of the group JEA_LocalAccounts to create and remove local users. This is basically an administrator task and I am not sure why you would want to delegate it but maybe you have your reasons.

PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-PSSessionConfigurationFile -Path LocalAccounts.pssc -SessionType RestrictedRemoteServer -RunAsVirtualAccount -RoleDefinitions @{"JEA_LocalAccounts"=@{"RoleCapabilities"="LocalAccounts"}} -ModulesToImport "Microsoft.PowerShell.LocalAccounts"
PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-PSRoleCapabilityFile -Path .\RoleCapabilities\LocalAccounts.psrc -ModulesToImport "Microsoft.PowerShell.LocalAccounts" -VisibleCmdlets "*-LocalGroup*","*-LocalUser"
PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-LocalGroup JEA_LocalAccounts

Name              Description
----              -----------
JEA_LocalAccounts


PS C:\Program Files\WindowsPowerShell\Modules\JEA> Add-LocalGroupMember JEA_LocalAccounts benoit
PS C:\Program Files\WindowsPowerShell\Modules\JEA> Register-PSSessionConfiguration LocalAccounts -Path .\LocalAccounts.pssc
WARNING: Register-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has recently been unregistered, certain system data structures may still be cached. In that case, a restart of WinRM may be required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Plugin

Type            Keys                                Name
----            ----                                ----
Container       {Name=LocalAccounts}                LocalAccounts
WARNING: Set-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has recently been unregistered, certain system data structures may still be cached. In that case, a restart of WinRM may be required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.
WARNING: Register-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has recently been unregistered, certain system data structures may still be cached. In that case, a restart of WinRM may be required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.


PS C:\Program Files\WindowsPowerShell\Modules\JEA>

This creates the session configuration file and the role capability file, registers the JEA endpoint LocalAccounts, creates the JEA access group JEA_LocalAccounts and adds user benoit to that group.

User benoit can add himself to the Administrators group:

PS C:\WINDOWS\system32> Import-PSSession(New-PSSession -ConfigurationName LocalAccounts)-AllowClobber
ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.0        tmp_p3w3ml2o.2up                    {Add-LocalGroupMember, Clear-Host, Disable-LocalUser, Enable-LocalUser...}


PS C:\WINDOWS\system32> Add-LocalGroupMember Administrators benoit
PS C:\WINDOWS\system32>

To avoid this, you can modify the JEA configuration like this:

VisibleCmdlets = '*-LocalGroup', '*-LocalUser', 'Get-LocalGroupMember'
VisibleFunctions = 'Add-LocalGroupMember', 'Remove-LocalGroupMember'
FunctionDefinitions = @(
    @{
        # Shadows the real cmdlet of the same name; that cmdlet is no longer
        # visible because the pattern '*-LocalGroup' does not match *-LocalGroupMember.
        Name = 'Add-LocalGroupMember'
        ScriptBlock = {
            param(
                [string]$Name,
                [string]$Member
            )
            # Do nothing if the target is the Administrators group (-ne is case-insensitive).
            if ("Administrators" -ne $Name) {
                Microsoft.PowerShell.LocalAccounts\Add-LocalGroupMember -Name $Name -Member $Member
            }#if
        }
    },
    @{
        Name = 'Remove-LocalGroupMember'
        ScriptBlock = {
            param(
                [string]$Name,
                [string]$Member
            )
            if ("Administrators" -ne $Name) {
                Microsoft.PowerShell.LocalAccounts\Remove-LocalGroupMember -Name $Name -Member $Member
            }#if
        }
    }
)

This will wrap the dangerous cmdlets Add-LocalGroupMember and Remove-LocalGroupMember in functions that check whether the group name is Administrators and will simply do nothing if it is. (You can add the missing parameters if you like.)

Note that there are probably various ways around this, but if you have decided to give unprivileged users power over local group memberships this is perhaps a good add-on.
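A stricter variant of the two wrappers, added here as an example and not taken from the original post. It assumes the same role capability layout as above (the *-LocalGroupMember cmdlets kept out of VisibleCmdlets, both functions listed in VisibleFunctions); the blocked-SID list and the choice to throw instead of silently doing nothing are mine.

```powershell
# Added example, not the post's own configuration. Same wrapper idea, but the
# group is resolved to its SID before the check so the decision does not depend
# on how the caller spelled the name, -Member accepts several accounts, and a
# blocked request fails with an error instead of silently doing nothing.
FunctionDefinitions = @(
    @{
        Name = 'Add-LocalGroupMember'
        ScriptBlock = {
            param(
                [Parameter(Mandatory)][string]$Name,
                [Parameter(Mandatory)][string[]]$Member
            )
            # Well-known SID of the builtin Administrators group; extend the
            # list if your policy protects further groups.
            $blockedSids = @('S-1-5-32-544')
            $group = Microsoft.PowerShell.LocalAccounts\Get-LocalGroup -Name $Name -ErrorAction Stop
            if ($blockedSids -contains $group.SID.Value) {
                throw "Membership of '$($group.Name)' cannot be changed through this JEA role."
            }
            Microsoft.PowerShell.LocalAccounts\Add-LocalGroupMember -Group $group -Member $Member
        }
    },
    @{
        Name = 'Remove-LocalGroupMember'
        ScriptBlock = {
            param(
                [Parameter(Mandatory)][string]$Name,
                [Parameter(Mandatory)][string[]]$Member
            )
            $blockedSids = @('S-1-5-32-544')
            $group = Microsoft.PowerShell.LocalAccounts\Get-LocalGroup -Name $Name -ErrorAction Stop
            if ($blockedSids -contains $group.SID.Value) {
                throw "Membership of '$($group.Name)' cannot be changed through this JEA role."
            }
            Microsoft.PowerShell.LocalAccounts\Remove-LocalGroupMember -Group $group -Member $Member
        }
    }
)
```

To confirm the wrapper is actually what the user gets, run Get-Command Add-LocalGroupMember inside the JEA session (Enter-PSSession rather than Import-PSSession, which proxies everything as local functions); it should report CommandType Function, and if it reports Cmdlet the VisibleCmdlets pattern is still exposing the real cmdlet.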

Download the JEA configuration here:

LocalAccounts.pssc
LocalAccounts.psrc
