Administrator rights are required to install Windows Features.

Right? No.

Turns out an unprivileged user can be given permission to install or remove any Windows role or feature they want, and it won’t lead to worse problems than giving that same user administrator rights would.

Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling or good taste. Read and act on it at your own peril!

This is where Just-Enough-Admin can help.

Just-Enough-Admin (or JEA) is a feature of PowerShell remoting over the Windows Remote Management service (WinRM) that allows WinRM to act on behalf of a connected user. In purpose it is similar to sudo on Unix systems or installed images on OpenVMS. It has two general drawbacks: it only works non-interactively (i.e. you cannot start programs that require user interaction or a GUI), and it essentially trusts WinRM not to mess things up.

Create a Just-Enough-Admin configuration named WindowsFeature.

PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-PSSessionConfigurationFile WindowsFeature.pssc

And create a group JEA_WindowsFeature.

PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-LocalGroup JEA_WindowsFeature

Make three changes to the WindowsFeature.pssc file created:

  1. Set SessionType to ‘RestrictedRemoteServer’.

     # Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
     SessionType = 'RestrictedRemoteServer'

  2. Set RunAsVirtualAccount to $true.

     # Whether to run this session configuration as the machine's (virtual) administrator account
     RunAsVirtualAccount = $true

  3. Configure RoleDefinitions so that the JEA_WindowsFeature group gets the WindowsFeature role capability (WindowsFeature.psrc).

     RoleDefinitions = @{'JEA_WindowsFeature' = @{RoleCapabilities='WindowsFeature'}}

(Let us consider these three changes the default changes for each JEA configuration, with the third obviously pointing to different groups and role capability files.)

Then create a role capability file for this thing.

PS C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities> New-PSRoleCapabilityFile WindowsFeature.psrc

(Make sure the file is in the subfolder RoleCapabilities at the same level as the WindowsFeature.pssc file.)

Add the following entries to the file, at the appropriate places per the hints given in the template file.

ModulesToImport = 'ServerManager','Dism'
VisibleCmdlets = '*-WindowsFeature','*-WindowsCapability'

That’s it. You might want to add more, like ways to regulate what exactly a user should be able to install or remove, but after very little thinking I came to the conclusion that it is not worth it. Instead rely on monitoring to catch what the user might have done wrong and correct it. None of what the user can install or remove here can compromise the system in any way, and a destroyed server is a secure server. If you have users that should add or remove Windows features or roles, you have already decided that you need these things to be done. This merely stops giving them more rights than they need to do this.

Register the hell out of this JEA configuration:

PS C:\Program Files\WindowsPowerShell\Modules\JEA> Register-PSSessionConfiguration WindowsFeature -Path .\WindowsFeature.pssc

Now add a user to the JEA_WindowsFeature group and let him enjoy his powers.

PS C:\> Add-LocalGroupMember -Group JEA_WindowsFeature -Member benoit
PS C:\> Get-LocalGroupMember JEA_WindowsFeature

ObjectClass Name              PrincipalSource
----------- ----              ---------------
User        CHAMPIGNAC\benoit Local


PS C:\>
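The whole setup above, from the role capability file to the group member, as one script. This is an added example, not the post’s own code: it uses the parameters of New-PSRoleCapabilityFile and New-PSSessionConfigurationFile instead of editing the generated files by hand, and it finishes with Get-PSSessionCapability to show which commands the user actually gets in the endpoint. The module manifest JEA.psd1, the transcript directory C:\JEATranscripts and the final check against the user benoit are assumptions for this example, not something the post prescribes; run it as an administrator.

```powershell
# Added example, not the post's own code: the post's JEA endpoint built as one
# script with cmdlet parameters instead of hand-editing the generated files.
# Run as an administrator. Assumed (not from the post): the module manifest
# JEA.psd1, the transcript directory, and the user name used for the final check.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JEA'
$roleDir    = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null

# A manifest makes the folder a proper module; WinRM resolves a RoleCapabilities
# name by looking for RoleCapabilities\<name>.psrc inside modules on PSModulePath.
$manifest = Join-Path $moduleRoot 'JEA.psd1'
if (-not (Test-Path $manifest)) {
    New-ModuleManifest -Path $manifest -Description 'JEA role capabilities'
}

# Role capability: only the feature and capability cmdlets become visible.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'WindowsFeature.psrc') `
    -ModulesToImport 'ServerManager', 'Dism' `
    -VisibleCmdlets '*-WindowsFeature', '*-WindowsCapability'

# Local group whose members are mapped to the role.
if (-not (Get-LocalGroup -Name 'JEA_WindowsFeature' -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name 'JEA_WindowsFeature' | Out-Null
}

# Transcript directory (assumed path) so the monitoring the post relies on has
# something to read; the virtual account writes the transcripts into it.
$transcriptDir = 'C:\JEATranscripts'
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null

# Session configuration: the three "default changes" from the post, plus transcripts.
$pssc = Join-Path $moduleRoot 'WindowsFeature.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -RoleDefinitions @{ 'JEA_WindowsFeature' = @{ RoleCapabilities = 'WindowsFeature' } } `
    -TranscriptDirectory $transcriptDir

# Refuse to register a file that does not parse.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}
Register-PSSessionConfiguration -Name WindowsFeature -Path $pssc -Force | Out-Null

# The user from the post; then show exactly which commands that user gets in the
# endpoint. Anything beyond the *-WindowsFeature / *-WindowsCapability cmdlets and
# the handful of built-ins every RestrictedRemoteServer session has is a misconfiguration.
Add-LocalGroupMember -Group 'JEA_WindowsFeature' -Member 'benoit'
Get-PSSessionCapability -ConfigurationName WindowsFeature -Username "$env:COMPUTERNAME\benoit" |
    Select-Object Name, CommandType
```

Get-PSSessionCapability is the check worth keeping around after any later edit to the .psrc file: it evaluates the configuration for a given user without opening a session as that user. If you ever do decide that regulating the installable features is worth it after all, the place for that is the same -VisibleCmdlets parameter, which also accepts hashtables of the form @{ Name = 'Install-WindowsFeature'; Parameters = @{ Name = 'Name'; ValidateSet = 'Web-Server', 'DNS' } } instead of plain names.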

You might also want to give the group the privilege needed to shut down or reboot the computer:

PS C:\Program Files\ABTokenTools> .\AccountRights.exe JEA_WindowsFeature SeShutdownPrivilege
0
SeShutdownPrivilege
1
PS C:\Program Files\ABTokenTools>

Benoit:

PS C:\> whoami
champignac\benoit
PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\> Import-PSSession (New-PSSession -ConfigurationName WindowsFeature) -AllowClobber

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.0        tmp_oq0ydpru.wh3                    {Get-WindowsFeature, Install-WindowsFeature, Uninstall-WindowsFeature}


PS C:\> Add-WindowsFeature -Name Web-Server -IncludeAllSubFeature

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    Yes            SuccessRest... {Application Development, Application Init...
WARNING: You must restart this server to finish the installation process.


PS C:\>

Now benoit might want to restart the computer.

WindowsFeature.pssc
WindowsFeature.psrc

Next: How to JEA IIS.