I am trying to use PowerShell JEA (Just Enough Administration) on a Windows Server 2012 R2 server where I installed WMF 5.

I need to make visible to a non-admin group of users 1 custom function only that relies on another locally installed module. This function does not require admin privileges but needs to run in the context of a particular domain account.

I create a new role capability with my custom function listed in the VisibleFunctions section, assign that role to my group of users in the session configuration file (which also contains RunAsVirtualAccount = $false) and register this session configuration with the configuration file and the RunAsCredential parameter.

When using Get-PSSessionCapability locally on the server with an authorized non-admin account, I see my custom function listed. When I use Enter-PSSession from a remote machine (Windows 8.1 with WMF 5 installed) with this constrained endpoint and then use Get-Command, the function is not listed.

If I stop using the RunAsCredential parameter and instead use RunAsVirtualAccount = $true (which would make my function fail but this is for testing only), then I can see my custom function listed with Get-Command when executed remotely. But in that case, trying to call the function results in the following error, which happens even before the missing "RunAs" account authorization error would appear:

Select-Object : A parameter cannot be found that matches parameter name 'Unique'.

The Select-Object cmdlet is called in the nested 3rd-party module I am using (and thus I cannot replace it with any other function).

Here is the output of $PSVersionTable on the server:

Name                           Value
----                           -----
PSVersion                      5.0.10586.117
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.10586.117
CLRVersion                     4.0.30319.34014
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Same on my workstation, except for CLRVersion, which is 4.0.30319.42000.

How can I use JEA in my scenario, with a domain account as RunAsCredential and calling my 3rd-party module and (among other things) its Select-Object -Unique call?

Thank you,

Jordan

1 Answer

I've had the same issue, creating a PS endpoint as a wrapper around the PSPKI module. The PSPKI module uses the Select-Object as well, giving the same error.

The solution for me was to update my endpoint .psrc file to include an AliasDefinition for Select-Object to point to the FQDN Select-Object.

AliasDefinitions = @{ Name = 'Select-Object' ; Value = 'Microsoft.PowerShell.Utility\Select-Object' }

See also: https://jamesone111.wordpress.com/2016/07/01/just-enough-admin-and-constrained-endpoints-part-2-startup-scripts/

Grtx, BvZanten

  • Hello, thanks for the tip. That seems to fix the select-object issue indeed. But that does not fix the main problem: my custom function is still not visible when using the RunAsCredential configuration. And I can't use virtual accounts unfortunately in my scenario... – jalliot Dec 05 '16 at 15:56
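
The alias fix from the answer above, placed in a complete role capability and session configuration, as an added example that is not part of the original thread. The module, function, group and account names (JeaDemo, ThirdPartyModule, Invoke-MyTask, CONTOSO\JeaOperators, CONTOSO\svc-jea, CONTOSO\alice) and the RestrictedRemoteServer session type are assumptions; it covers only the Select-Object error, not the RunAsCredential visibility problem.

```powershell
# Added example. Every name here is a hypothetical placeholder.
# Assumes JeaDemo is an installed module that exports Invoke-MyTask, and that
# ThirdPartyModule is the nested module calling Select-Object -Unique.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaDemo'
$roleDir    = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null

# Role capability: expose a single function to the connecting user.
# RestrictedRemoteServer sessions ship a limited proxy function named
# Select-Object. Aliases are resolved before functions, so this alias makes
# calls inside the modules reach the full cmdlet (with -Unique).
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'Operator.psrc') `
    -ModulesToImport 'JeaDemo', 'ThirdPartyModule' `
    -VisibleFunctions 'Invoke-MyTask' `
    -AliasDefinitions @{
        Name  = 'Select-Object'
        Value = 'Microsoft.PowerShell.Utility\Select-Object'
    }

# Session configuration: map the non-admin group to the role.
$pssc = Join-Path $env:ProgramData 'JeaDemo\Operator.pssc'
New-Item -ItemType Directory -Path (Split-Path $pssc) -Force | Out-Null
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RoleDefinitions @{ 'CONTOSO\JeaOperators' = @{ RoleCapabilities = 'Operator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}

# Register the endpoint so commands run as the domain service account.
Register-PSSessionConfiguration -Name 'JeaDemo.Operator' -Path $pssc `
    -RunAsCredential (Get-Credential -Credential 'CONTOSO\svc-jea') -Force

# Review what a given user is actually granted before handing out the endpoint.
Get-PSSessionCapability -ConfigurationName 'JeaDemo.Operator' -Username 'CONTOSO\alice' |
    Where-Object { $_.Name -in 'Invoke-MyTask', 'Select-Object' } |
    Format-Table Name, CommandType, Definition
```

The final query shows which commands the endpoint exposes and what Select-Object resolves to for that user, so the effect of the alias can be reviewed as part of the endpoint's attack surface.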