Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling. Read and digest at your own peril!

This is actually dangerous. It will allow unprivileged users to reconfigure network settings and network adapters. I include it for completeness’ sake only and to present a faster method of creating Just Enough Admin configurations.

This JEA configuration will allow members of the group JEA_Net to configure network adapters and other network settings. This is basically an administrator task and I am not sure why you would want to delegate it but maybe you have your reasons.

PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-PSSessionConfigurationFile -Path Net.pssc -SessionType RestrictedRemoteServer -RunAsVirtualAccount -RoleDefinitions @{"JEA_Net"=@{"RoleCapabilities"="Net"}} -ModulesToImport "NetAdapter","NetTCPIP"
PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-PSRoleCapabilityFile -Path .\RoleCapabilities\Net.psrc -ModulesToImport "NetAdapter","NetTCPIP" -VisibleCmdlets "*-Net*"
PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-LocalGroup JEA_Net

Name    Description
----    -----------
JEA_Net


PS C:\Program Files\WindowsPowerShell\Modules\JEA> Add-LocalGroupMember JEA_Net benoit
PS C:\Program Files\WindowsPowerShell\Modules\JEA> Register-PSSessionConfiguration Net -Path .\Net.pssc
WARNING: Register-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has recently been unregistered, certain system data structures may still be cached. In that case, a
restart of WinRM may be required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Plugin

Type            Keys                                Name
----            ----                                ----
Container       {Name=Net}                          Net
WARNING: Set-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has recently been unregistered, certain system data structures may still be cached. In that case, a restart of
 WinRM may be required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.
WARNING: Register-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has recently been unregistered, certain system data structures may still be cached. In that case, a
restart of WinRM may be required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.


PS C:\Program Files\WindowsPowerShell\Modules\JEA>

This creates the JEA configuration, the JEA access group JEA_Net and adds user benoit to the group.

See how user benoit tried to modify network settings without the JEA configuration:

PS C:\Users\benoit> new-NetIPAddress -IPAddress 192.168.2.2 -PrefixLength 24 -InterfaceAlias "Ethernet 2"
new-NetIPAddress : Access is denied.
At line:1 char:1
+ new-NetIPAddress -IPAddress 192.168.2.2 -PrefixLength 24 -InterfaceAlias "Ethernet 2"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (MSFT_NetIPAddress:ROOT/StandardCimv2/MSFT_NetIPAddress) [New-NetIPAddress], CimException
    + FullyQualifiedErrorId : Windows System Error 5,New-NetIPAddress

PS C:\Users\benoit>

And how the JEA configuration changes everything:

PS C:\> Import-PSSession (New-PSSession -ConfigurationName Net) -AllowClobber

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.0        tmp_gmth40aq.5rl                    {Clear-Host, Disable-NetAdapter, Disable-NetAdapterBinding, Disable-NetAdapterChecksumOffload...}
PS C:\> Set-NetIPAddress -IPAddress 192.168.2.2 -PrefixLength 24 -InterfaceAlias "Ethernet 2"
PS C:\> Get-NetIPAddress -InterfaceAlias "ethernet 2"


IPAddress         : fe80::8e2c:7e8a:ac5:790d%10
InterfaceIndex    : 10
InterfaceAlias    : Ethernet 2
AddressFamily     : IPv6
Type              : Unicast
PrefixLength      : 64
PrefixOrigin      : WellKnown
SuffixOrigin      : Link
AddressState      : Deprecated
ValidLifetime     :
PreferredLifetime :
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 192.168.2.2
InterfaceIndex    : 10
InterfaceAlias    : Ethernet 2
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Tentative
ValidLifetime     :
PreferredLifetime :
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 169.254.26.59
InterfaceIndex    : 10
InterfaceAlias    : Ethernet 2
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 16
PrefixOrigin      : WellKnown
SuffixOrigin      : Link
AddressState      : Tentative
ValidLifetime     :
PreferredLifetime :
SkipAsSource      : False
PolicyStore       : ActiveStore

PS C:\>
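A narrower variant of the role above, as an added example that is not part of the original post and was not run on the system shown: it replaces the "*-Net*" wildcard with a few named commands, pins the address-changing ones to a single adapter, and then lists what the user actually receives. The NetNarrow names, the transcript path and the address pattern are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). Run elevated.
# Assumption: the delegated task is only "set the IPv4 address on 'Ethernet 2'".
Set-Location 'C:\Program Files\WindowsPowerShell\Modules\JEA'

# When Parameters is given, only the listed parameters are exposed to the user.
$ipParams = @(
    @{ Name = 'InterfaceAlias'; ValidateSet = 'Ethernet 2' }
    @{ Name = 'IPAddress'; ValidatePattern = '^192\.168\.2\.\d{1,3}$' }  # assumed subnet
    @{ Name = 'PrefixLength' }
)
$role = @{
    Path            = '.\RoleCapabilities\NetNarrow.psrc'   # hypothetical file name
    ModulesToImport = 'NetAdapter', 'NetTCPIP'
    VisibleCmdlets  = @(
        # Read-only inspection
        'Get-NetAdapter', 'Get-NetIPAddress', 'Get-NetIPConfiguration',
        # Changes, restricted to one adapter and one address range
        @{ Name = 'New-NetIPAddress'; Parameters = $ipParams },
        @{ Name = 'Set-NetIPAddress'; Parameters = $ipParams }
    )
}
New-PSRoleCapabilityFile @role

# Same session settings as the post, plus a transcript of every JEA session.
$transcripts = 'C:\ProgramData\JEA\Transcripts'             # hypothetical path
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$session = @{
    Path                = '.\NetNarrow.pssc'                # hypothetical file name
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $transcripts
    RoleDefinitions     = @{ 'JEA_Net' = @{ RoleCapabilities = 'NetNarrow' } }
}
New-PSSessionConfigurationFile @session
Test-PSSessionConfigurationFile -Path .\NetNarrow.pssc      # returns True if the file parses
Register-PSSessionConfiguration -Name NetNarrow -Path .\NetNarrow.pssc

# Audit: list the commands each endpoint hands to the user, wildcard role vs. narrow role.
$user = "$env:COMPUTERNAME\benoit"
foreach ($endpoint in 'Net', 'NetNarrow') {
    $commands = Get-PSSessionCapability -ConfigurationName $endpoint -Username $user
    '{0}: {1} commands visible' -f $endpoint, @($commands).Count
    $commands | Sort-Object Name | Select-Object -First 15 CommandType, Name
}
```

The per-endpoint count makes the difference between the wildcard and the named list visible before any user connects.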

Download the JEA configuration here:

Net.pssc
Net.psrc

Yes, the posts are getting shorter. But it will likely change again.
