Got this one from a customer at PS Summit NA 2017:

If you use Install-Module to install a module, it gets placed in a folder that looks like $env:PSModulePath\ModuleName\Version. Apparently, when you try to join a session with a given JEA role, the session cannot find its allowed modules unless you move the module up out of the version folder (so from, e.g. 1.0.1.0 to ModuleName).

Hi!

Is there a way to expose a JEA endpoint as a web service, so that it could be used by an external system that knows how to make REST calls?

I already have a JEA endpoint that exposes a few custom cmdlets and it works through PS Remoting just fine. I've been asked to look into presenting those as a web service so that those same cmdlets could have been called by our ticketing system (which can make REST calls).

Thanks!

Hello,

I need my modules to be loaded off UNC share and they are setup to do that via ModulesToImport entry in PSSC file. RoleCapabilities folder is there along with PSRC file but that one is not being checked since PSModulePath is no specifying that folder and hence connectiong fails. ON front-end it's showing very non-descriptive error. On the box itself it's very descriptive via Get-PSssessionCapability execution. Is it possible to modify PSModulePath specificially for specific session? I don't want to do it on machinelevel since specifying UNC path on machine level will break if machine does not have access to UNC path.

PS C:\windows\system32> Enter-PSSession server1 -ConfigurationName Jea -Credential $testcred
Enter-PSSession : Processing data from remote server server1 failed with the following error message: The path is not of a legal form. For more information, see the about_Remote_Troubleshooting
Help topic.

Is there a plan to add support for downloading from a Private PS Gallery repo? I notice there is a PowerShellGet cmdlet for Get-RoleCapability, will this be incorporated in some way?

As @djwork found:

test() [ ...] incorrectly return false when GMSA is not set [...] block not entered if both $currentInstance.GroupManagedServiceAccount & $this.GroupManagedServiceAccount null, this matters because $null -replace '$$', '' will return an empty string not $null

Mea Culpa, this issue was introduced by my previous PR for bug #28

Will submit a new PR ...

Hi,
I use DSC to deploy JEA configuration on many Windows Server 2012 R2 hosts:

PS > $psversiontable

Name                           Value
----                           -----
PSVersion                      5.1.14409.1012
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1012
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

About 3 times out of 4, when Register-PSSessionConfiguration is triggered by the DSC module, WinRM service is restarted but hangs on Stopping.

It seems to happen more frequently when the configuration causes WinRM to change Logon As (from Network Service to Local System).

Is there a 'correct' way to avoid this behaviour ?

We use the following script to force restart WinRM service (with SCCM as we lost PS remoting ability on host):

$winRMService = Get-Service -Name 'WinRM'
if ($winRMService -and $winRMService.Status -eq 'StopPending') {
    $processId = Get-CimInstance -ClassName 'Win32_Service' -Filter "Name LIKE 'WinRM'" | Select-Object -Expand 'ProcessId'
    $serviceList = Get-CimInstance -ClassName 'Win32_Service' -Filter "ProcessId=$processId" | Select-Object -Expand 'Name'
    $failure = @()
    Write-Host "Forcing process $processId to stop ..." -NoNewline
    try {
        Stop-Process -Id $processId -Force
        Write-Host ' done'
        Write-Host 'Waiting 5 seconds'
        Start-Sleep -Seconds 5
        foreach ($service in $serviceList) {
            Write-Host "Starting service $service ..." -NoNewline
            try {
                Start-Service -Name $service
                Write-Host ' done'
            } catch {
                Write-Host ' failed'
                $failure += "Start service $service"
            }
        }
    } catch {
        Write-Host ' failed'
        $failure += "Kill WinRM process"
    }

    if ($failure) {
        Throw "Failed to execute following operation(s): $($failure -join ', ')"
    }
}

Should-we add WinRM restart problem detection/mitigation directly in the DSC resource ? I can provide a PR for that (with a less verbose code ;-))

To be consistent with other DSC resources, JEAEndpoint should have a Ensure = Present|Absent parameter.

Is it possible to pass a variable into the VisibleCmdlets section of a Role Capability? Example below:

$approved=@('service1','service2')

VisibleCmdlets = @{Name = 'Get-Service; Parameters=@{Name='Name'; ValidateSet = $approved} }

When I attempt to do that I get an error: "Enter-PSSession : Processing data from remote server localhost failed with the following error message: A null key is not allowed in a hash literal. For more information, see the about_Remote_Troubleshooting Help topic."

No docs

Whether I explicitly add Domain Admins group in the RunAsVirtualAccountsGroups parameter or not it seems that I am not being given domain access right when running cmdlets like New-ADusers or New-ADComputer

Whether to run this session configuration as the machine's (virtual) administrator account

RunAsVirtualAccount = $true

RunAsVirtualAccountGroups = 'mesa\Domain Admins'

Access is denied
+ CategoryInfo : PermissionDenied: (CN=jeauser2,CN=Users,DC=mesa,DC=internal:String) [New-ADUser], Unauth
orizedAccessException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Manag
ement.Commands.NewADUser

For example when running this on a node not part of the CONTOSO domain.

Invoke-DscResource -ModuleName JustEnoughAdministration -Name JeaEndpoint -Method Set -Verbose -Property @{
            EndpointName        = 'Microsoft.PowerShell'
            RoleDefinitions     = "@{ 'CONTOSO\DnsAdmins' = @{ RoleCapabilities = 'DnsAdmin' } }"
            TranscriptDirectory = 'C:\ProgramData\JeaEndpoint\Transcripts'
            ScriptsToProcess    = @('C:\ProgramData\JeaEndpoint\startup.ps1')
            VisibleCmdlets      = "'DnsServer\*',
                @{
                    'Name'       = 'Restart-Service'
                    'Parameters' = @{
                        'Name'        = 'Name'
                        'ValidateSet' = 'Dns'
                    }
                }"
}

It's reporting this error, but continue to process without failing.

'Could not grant remote access to 'CONTOSO\DnsAdmins': 'Some or all identity references could not be translated.'

I suggest adding -ErrorAction to the calls to Register-PSSessionConfiguration, and maybe also Unregister-PSSessionConfiguration.

To be able to deploy role capabilities, a DSC resource has to be created.

This resource would take same parameters as New-PSRoleCapabilityFile

• Path: where to store the file. String
• AliasDefinitions: Adds the specified aliases to sessions that use the role capability file. Hashtable with keys Name, Value, Description and Options.
• AssembliesToLoad: Specifies the assemblies to load into the sessions that use the role capability file. String list.
• EnvironmentVariable: Specifies the environment variables for sessions that expose this role capability file. Hashtable of environment variables.
• FormatsToProcess: Specifies the formatting files (.ps1xml) that run in sessions that use the role capability file. The value of this parameter must be a full or absolute path of the formatting files. String list.
• FunctionDefinitions: Adds the specified functions to sessions that expose the role capability. Hashtable with keys Name, Scriptblock and Options.
• ModulesToImport: Specifies the modules that are automatically imported into sessions that use the role capability file. By default, all of the commands in listed modules are visible. When used with VisibleCmdlets or VisibleFunctions , the commands visible from the specified modules can be restricted. Hashtable with keys ModuleName, ModuleVersion and GUID.
• ScriptsToProcess: Specifies scripts to add to sessions that use the role capability file. String list.
• TypesToProcess: Specifies type files (.ps1xml) to add to sessions that use the role capability file. The value of this parameter must be a full or absolute path of the type file names. String list.
• VariableDefinitions: Specifies variables to add to sessions that use the role capability file. Hashtable with keys Name, Value, Options.
• VisibleAliase: Limits the aliases in the session to those aliases specified in the value of this parameter, plus any aliases that you define in the AliasDefinition parameter. Wildcard characters are supported. By default, all aliases that are defined by the Windows PowerShell engine and all aliases that modules export are visible in the session. String list.
• VisibleCmdlets: Limits the cmdlets in the session to those specified in the value of this parameter. Wildcard characters and Module Qualified Names are supported. String list ?
• VisibleExternalCommands: Limits the external binaries, scripts and commands that can be executed in the session to those specified in the value of this parameter. Wildcard characters are supported. String list.
• VisibleFunctions: Limits the functions in the session to those specified in the value of this parameter, plus any functions that you define in the FunctionDefinitions parameter. Wildcard characters are supported. String list?
• VisibleProviders: Limits the Windows PowerShell providers in the session to those specified in the value of this parameter. Wildcard characters are supported. String list.

These parameters exist in New-PSRoleCapabilityFile but, in my opinion, should not be visible in the DSC resource:

• Author
• CompanyName
• Copyright
• Description
• Guid

I have a MOF file, which has RoleDefinitions hashtable as string. The hashtable itself is not sorted.
RoleDefinitions = "@{'test\\svilen-t' = @{'RoleCapabilities' = 'Role1'};'test\\TestGroup' = @{'RoleCapabilities' = 'Role1'};'test\\svilen' = @{'RoleCapabilities' = 'Role2'}}";

When I do test I get the following:

VERBOSE: [TESTSERVER]:                            [[WACJeaEndpoint]Endpoint] Argument1: {
    "test\\TestGroup":  {
                              "RoleCapabilities":  "Role1"
                          },
    "test\\svilen":  {
                            "RoleCapabilities":  "Role2"
                        },
    "test\\svilen-t":  {
                              "RoleCapabilities":  "Role1"
                          }
}
VERBOSE: [TESTSERVER]:                            [[WACJeaEndpoint]Endpoint] Argument2: {
    "test\\svilen":  {
                            "RoleCapabilities":  "Role2"
                        },
    "test\\TestGroup":  {
                              "RoleCapabilities":  "Role1"
                          },
    "test\\svilen-t":  {
                              "RoleCapabilities":  "Role1"
                          }
}
VERBOSE: [TESTSERVER]:                            [[WACJeaEndpoint]Endpoint] RoleDfinitions not equal: @{
    'test\svilen' = @{
        'RoleCapabilities' = 'Role2' }
    'test\svilen-t' = @{
        'RoleCapabilities' = 'Role1' }
    'test\TestGroup' = @{
        'RoleCapabilities' = 'Role1' } }

The both hashtables are obviously equal. Expected is:

VERBOSE: [TestServer]:                            [[WACJeaEndpoint]Endpoint] string
VERBOSE: [TestServer]:                            [[WACJeaEndpoint]Endpoint] Argument1: {
    "Test\\TestGroup":  {
                              "RoleCapabilities":  "Role1"
                          },
    "Test\\svilen":  {
                            "RoleCapabilities":  "Role2"
                        },
    "Test\\svilen-t":  {
                              "RoleCapabilities":  "Role1"
                          }
}
VERBOSE: [TestServer]:                            [[WACJeaEndpoint]Endpoint] Argument2: {
    "Test\\TestGroup":  {
                              "RoleCapabilities":  "Role1"
                          },
    "Test\\svilen":  {
                            "RoleCapabilities":  "Role2"
                        },
    "Test\\svilen-t":  {
                              "RoleCapabilities":  "Role1"
                          }
}

To me, it looks like SafeGetValue() works different on both ASTs (the one from the current PSSC file and the one from the MOF file.)
I'm ready to open PR for that, if you belive that this is really an issue.

Hey guys & Gals,

Setting up a new PSRoleCapabilityFile and want to allow access to a parameter with no validateset/pattern as in example from https://msdn.microsoft.com/powershell/jea/role-capabilities

VisibleCmdlets = @{ Name = 'Restart-Computer'; Parameters = @{ Name = 'Name'; ValidateSet = }}

but it keeps erroring out saying "Missing statement in '=' in hash literal."

Are we able to open up full Parameter use without restricting down what is required by the param in a JEA end point?

On Windows Server 2012 R2:

PS > $psversiontable

Name                           Value
----                           -----
PSVersion                      5.1.14409.1005
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1005
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

WinRM will be (definitevly) damaged if you run the following script:

Configuration Config  {
    Param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [String[]]
        $NodeName
    )

    Import-DSCResource -ModuleName 'PSDesiredStateConfiguration'

    Node $NodeName {

        Environment PathJava {
            Name      = "PATH"
            Value     = "%JAVA_HOME%\bin"
            Path      = $true
            Ensure    = "Present"
        }

        Script PSSessionConfig {
        SetScript = {
                $psscPath = "C:\TestJEA.pssc"
                $configurationFileArguments = @{
                    Path                = $psscPath
                    RoleDefinitions     = @{ 'Everyone' = @{ VisibleCmdlets = 'Get-*' } }
                    RunAsVirtualAccount = $true
                    SessionType         = 'RestrictedRemoteServer'
                }
                New-PSSessionConfigurationFile @configurationFileArguments
                Register-PSSessionConfiguration -Name 'TestJEA' -Path $psscPath
            }

            TestScript = {
                return $false
            }

            GetScript = {
                return @{ }
            }
        }
    }
}
Config -NodeName localhost 
Start-DscConfiguration -Path .\Config -Wait -Verbose

After that, WinRM service configuration seems to be corrupted and starting the service lead to that message:

I did not find any way of getting the service back to life (except VM snapshot reverse ;-))

When running the resource using

Invoke-DscResource -ModuleName JustEnoughAdministration -Name JeaEndpoint -Method Set -Verbose -Property @{
            EndpointName        = 'Microsoft.PowerShell'
            RoleDefinitions     = "@{ 'CONTOSO\DnsAdmins' = @{ RoleCapabilities = 'DnsAdmin' } }"
            TranscriptDirectory = 'C:\ProgramData\JeaEndpoint\Transcripts'
            ScriptsToProcess    = @('C:\ProgramData\JeaEndpoint\startup.ps1')
            VisibleCmdlets      = "'DnsServer\*',
                @{
                    'Name'       = 'Restart-Service'
                    'Parameters' = @{
                        'Name'        = 'Name'
                        'ValidateSet' = 'Dns'
                    }
                }"
}

At one point it restarts the WinRM service, which then fails the DSC run.

VERBOSE: [SQLTEST]:                            [[JeaEndpoint]DirectResourceAccess] Restarting WinRM service
WARNING: [WSManNetworkFailureDetected] The network connection to localhost has been interrupted. Attempting to reconnect for up to 4 minutes... 
WARNING: [WSManConnectionRetryAttempt] Attempting to reconnect to localhost ... 
WARNING: [WSManConnectionRetrySucceeded] The network connection to localhost has been restored. 
The WS-Management service cannot process the operation. The operation is being attempted on a client session that is unusable.  This may be related to a recent restart of the WS-Management service. Please create a new client ses
sion and retry the operation if re-executing the operation does not have undesired behavior.
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : HRESULT 0x803381fa
    + PSComputerName        : localhost

Would it be better to override the restart the service, and instead allow the resource to restart the node using $global:DSCMachineStatus = 1. 🤔

Is there a way to get tab completion working with JEA endpoints?

I have a use case where we would like to apply a JEA configuration that allows an external program which is in the form of a command-line utility. I have exposed the command in the Visible External Commands section, but when I try to run the command from the configuration, I get an error:

.<command-line tool> --
+ CategoryInfo : NotSpecified: (s:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

Is there a workaround for this behavior?

Thanks!

So, doing a live presentation with the St. Louis PowerShell usergroup, we ran into Select-Object malfunctioning in a JEA endpoint from our expectations.

We wrote a simple function to check for installed software in registry and return only display name and version, but errored out on the Select-Object call, exception below:

Cannot validate argument on parameter 'Property'. The argument "myArguments" does not belong to the set "ModuleName,Namespace,OutputType,Count,HelpUri,Name,CommandType,ResolvedCommandName,DefaultParameterSet,CmdletBinding,Parameters" specified by the
ValidateSet attribute.

We "solved" it by using the workaround here.

Is this the expected behavior? 99% of all uses of Select-Object I see include specifying properties.

As far as I can see, there is no versioning in the configuration.

It would be nice if we could add some versioning to the configuration
and then Get-PSSessionConfiguration should also output the version.

I'm not sure this is the correct repo for this?

The ComplexObjectsEqual sometimes generate a false positive in detecting differences where there is not.

It occurs mainly when adding new user/group to an existing endpoint.

The problem is that order of keys in a hashtable is not garanteed. And the ComplexObjectsEqual only use ConvertTo-Json to compare 2 hashtables.

I'll PR a tested fix for that ;-)

Hello,

we are making use of JEA and want to establish, that our Hyper-V Operators are capable of toggling the pxe boot for their VMs.

Without JEA this can be accomplished like this:

Set-VMFirmware -VMName $vmname -FirstBootDevice (Get-VMNetworkAdapter -VMName $vmname -Name $adaptername)
In order to set FirstBootDevice, you have to pass an object of type VMComponentObject.

So what we have done is, we changed the Operator.psrc file and included following cmdlets under visible cmdlets:
'Get-VMFirmware', @{Name ='Get-VMFirmware'; Parameters=@{Name='VMName'} },
'Set-VMFirmware', @{Name ='Set-VMFirmware'; Parameters=@{Name='VMName'}, @{Name='FirstBootDevice'} },
'Get-VMNetworkAdapter', @{Name ='Get-VMNetworkAdapter'; Parameters=@{Name='VMName'}, @{Name='Name'} },

I have tried to make use of it as following:

Invoke-Command -ComputerName localhost -ConfigurationName 'Manage-HyperV' -ArgumentList $script:vm_name, $networkadaptername -ScriptBlock { Set-VMFirmware -VMName $args[0] -FirstBootDevice (Get-VMNetworkAdapter -VMName $args[0] -Name $args[1]) }

The syntax is not supported by this runspace. This can be the case if the runspace is not in language mode.
+ CategoryInfo : ParserError: ( Set-VMFirmware...Name $args[1]) :String) [], ParseException
+ FullyQualifiedErrorId : ScriptsNotAllowed
+ PSComputerName : localhost

Gathering the VMNetworkadapter in a variable and tried to passing it over the argument list is not possible, since the invoke command does not pass the networkadapter as type of VMComponentObject.

Invoke-Command -ComputerName localhost -ConfigurationName 'Manage-HyperV' -ArgumentList $networkadapter -ScriptBlock {                   
    Param(                                  
            [PSObject]$networkadapter
    )
                                
    set-vmfirmware -FirstBootDevice $networkadapter                                  
}

In order to set FirstBootDevice, you have to pass an object of type VMComponentObject, so passing the ID or name does not function.

I also have created a script, which I tried to call, but this also does not help. Do you have an idea how to set the firstbootorder for the vmfirmware?

Hi,

On a Windows Server 2012 R2 with WMF 5.1:

Name                           Value
----                           -----
PSVersion                      5.1.14409.1012
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1012
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

I successfully setup a JEA endpoint with the following DSC configuration:

Configuration JeaTest
{
    Import-DscResource -Module JustEnoughAdministration, PSDesiredStateConfiguration

    JeaEndpoint Endpoint
    {
        GroupManagedServiceAccount = 'UNDISLAB\gMSA-Undis02'
        EndpointName = "JEA"
        RoleDefinitions = "@{ 
            'UNDISLAB\jnury' = @{ RoleCapabilities = 'Maintenance' }
        }"
    }
}

JeaTest
Start-DscConfiguration .\JeaTest -Force -Wait -Verbose

But Test-DSCConfiguration returns False:

VERBOSE: [UNDIS02]:                            [[JeaEndpoint]Endpoint] GroupManagedServiceAccount not equal: UNDISLAB\gMSA-Undis02$
VERBOSE: [UNDIS02]: LCM:  [ End    Test     ]  [[JeaEndpoint]Endpoint] False in 0.3900 seconds.
VERBOSE: [UNDIS02]: LCM:  [ End    Resource ]  [[JeaEndpoint]Endpoint]
VERBOSE: [UNDIS02]: LCM:  [ End    Test     ]     Completed processing test operation. The operation returned False.

If I modify the config as the following (to match the Get-DSCConfiguration value):

    JeaEndpoint Endpoint
    {
        GroupManagedServiceAccount = 'UNDISLAB\gMSA-Undis02$'
        EndpointName = "JEA"
        RoleDefinitions = "@{ 
            'UNDISLAB\jnury' = @{ RoleCapabilities = 'Maintenance' }
        }"
    }

The Test-DSCConfiguration returns True, but the endpoint doesn't work .
Enter-PSSession from another host fails with error: The verification of the Managed Service Account failed with error 1326

That's because the RunAsUser is misspelled:

PS C:\Users\administrator.UNDISLAB\Desktop> Get-PSSessionConfiguration -name JEA | fl *

GroupManagedServiceAccount    : UNDISLAB\gMSA-Undis02$
...
RunAsUser                     : UNDISLAB\gMSA-Undis02$$

Note that I get exactly the same behavior if I manually register PSSessionConfiguration with the trailing $ sign in GroupManagedServiceAccount parameter.

Hope it's clear ...
Have a nice day.

Is it possible to allow a script to run in the context of JEA? For example, I am trying to allow someone who is not at all comfortable or familiar with PowerShell to restart a specific service. Could I put a shortcut to a PowerShell script that restarts that service on their desktop so when they run it, it runs in the context of JEA and allows them to restart the service?

I have played around with setting that up as a VisibleExternalCommand, but got an error saying ScriptsNotAllowed.

Thanks.

Configuration Jea_DSC
{
    Import-DscResource -ModuleName JustEnoughAdministration

    JeaEndpoint One
    {
        EndpointName = 'TestEndPoint'
        RoleDefinitions = "@{'NonAdmin_Operator' = @{RoleCapabilities = 'Maintenance'} }"
        TranscriptDirectory = 'C:\Transcripts'
    }

}

This sample applies fine to the node. Get-DscConfiguration returns a hashtable as expected with the current configuration; The call to SafeGetValue() by ConvertStringToHashtable in Test-DscConfiguration throws an exception when the RequiredGroup property is not defined.

message: Could not find the role capability, 'RoleName'. The role capability must be a file named 'RoleName.psrc' within a 'RoleCapabilities' directory in a module in the current module path. For more information, see the about_Remote_Troubleshooting Help topic.

This issue occurs when JEA modules are versioned and deployed with PowerShellGet, which drops the modules into subfolders for each version.

Can we get support for that deployment functionality in JEA?

The example in DemoConfig.ps1 has a problem with the property ScriptsToProcess. It is assigned a string, but it expects a string array.

Running the example gives this error

Convert property 'ScriptsToProcess' value from type 'STRING' to type 'STRING[]' failed
 At line:12, char:2
 Buffer:
irectResourceAccess";
};^
insta
    + CategoryInfo          : SyntaxError: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MiClientApiError_Failed
    + PSComputerName        : localhost

I suggest to change the property ScriptsToProcess to this

ScriptsToProcess    = @('C:\ProgramData\JeaEndpoint\startup.ps1')

With the following PowerShell version:

Name                           Value
----                           -----
PSVersion                      5.1.14409.1012
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1012
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

If I use VisibleCmdlets or VisibleFunctions in a RoleCapability file, module functions are no more available for other functions.

How to reproduce

A PSSessionConfiguration file, 'Test-JEA.pssc':

@{
GUID = 'd919b726-67f7-4f43-b340-3e1240375d90'
SessionType = 'RestrictedRemoteServer'
RunAsVirtualAccount = $true
RoleDefinitions = @{ 'UNDISLAB\Administrator' = @{ RoleCapabilities = 'Test-JEA' } } 
}

Registered with the command:

Register-PSSessionConfiguration -Path .\Test-JEA.pssc -Name Test-JEA

A RoleCapability file, 'Test-JEA.psrc' in the folder 'C:\Program Files\WindowsPowerShell\Modules\Test-JEA\RoleCapabilities':

@{
GUID = 'c847874d-614a-4eca-afeb-a913b82d77a2'
FunctionDefinitions = @(
	@{Name = 'GetUtilityCommand'; ScriptBlock = { Get-Command | Where-Object { $_.Source -eq 'Microsoft.PowerShell.Utility' }}}
	@{Name = 'TestGuid'; ScriptBlock = { New-Guid}}
)
}

If I enter in the Test-JEA PSSession, TestGuid function works and GetUtilityCommand returns a list of functions and cmdlets from the Microsoft.PowerShell.Utility module:

PS C:\Users\administrator.UNDISLAB\Desktop> Enter-PSSession -ComputerName localhost -ConfigurationName Test-JEA
[localhost]: PS>Get-Command

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Clear-Host
Function        Exit-PSSession
Function        Get-Command
Function        Get-FormatData
Function        Get-Help
Function        GetUtilityCommand
Function        Measure-Object
Function        TestGuid
Function        Out-Default
Function        Select-Object

[localhost]: PS>TestGuid

Guid
----
ac4de845-0977-4604-a6ea-714ee6e916ed

[localhost]: PS>getutilitycommand

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        ConvertFrom-SddlString                             3.1.0.0    Microsoft.PowerShell.Utility
Function        Format-Hex                                         3.1.0.0    Microsoft.PowerShell.Utility
Function        Get-FileHash                                       3.1.0.0    Microsoft.PowerShell.Utility
Function        Import-PowerShellDataFile                          3.1.0.0    Microsoft.PowerShell.Utility
Function        New-Guid                                           3.1.0.0    Microsoft.PowerShell.Utility
Function        New-TemporaryFile                                  3.1.0.0    Microsoft.PowerShell.Utility
Cmdlet          Add-Member                                         3.0.0.0    Microsoft.PowerShell.Utility
Cmdlet          Add-Type                                           3.0.0.0    Microsoft.PowerShell.Utility
Cmdlet          Clear-Variable                                     3.0.0.0    Microsoft.PowerShell.Utility
...

Now if I want to allow the Clear-Variable cmdlet, in the 'Test-JEA.psrc' file:

@{
GUID = 'c847874d-614a-4eca-afeb-a913b82d77a2'
VisibleCmdLets = 'Clear-Variable'
VisibleFunctions = 'GetUtilityCommand', 'TestGuid'
FunctionDefinitions = @(
	@{Name = 'GetUtilityCommand'; ScriptBlock = { Get-Command | Where-Object { $_.Source -eq 'Microsoft.PowerShell.Utility' }}}
	@{Name = 'TestGuid'; ScriptBlock = { New-Guid}}
)
}

The Clear-Variable CmdLet is available, GetUtilityCommand and TestGuid functions are available too. But function TestGuid doesn't work as the New-Guid function is no more available. GetUtilityCommand now only returns cmdlets; functions have disappeared from Microsoft.PowerShell.Utility module:

PS C:\Users\administrator.UNDISLAB\Desktop> Enter-PSSession -ComputerName localhost -ConfigurationName Test-JEA
[localhost]: PS>Get-Command

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Clear-Host
Function        Exit-PSSession
Function        Get-Command
Function        Get-FormatData
Function        Get-Help
Function        GetUtilityCommand
Function        Measure-Object
Function        TestGuid
Function        Out-Default
Function        Select-Object
Cmdlet          Clear-Variable                                     3.0.0.0    Microsoft.PowerShell.Utility

[localhost]: PS>TestGuid
New-Guid : The term 'New-Guid' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2
+  New-Guid
+  ~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (New-Guid:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

[localhost]: PS>GetUtilityCommand

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-Member                                         3.0.0.0    Microsoft.PowerShell.Utility
Cmdlet          Add-Type                                           3.0.0.0    Microsoft.PowerShell.Utility
Cmdlet          Clear-Variable                                     3.0.0.0    Microsoft.PowerShell.Utility
...

Using only VisibleCmdLets or VisibleFunctions do the same result.

Expected behavior

The expected behavior is that VisibleCmdlets or VisibleFunctions only affect 'Visible' cmdlet or function but not available functions for internal use

Impact

This is a huge problem as VisibleCmdlets is a main feature of JEA and many modules or custom scripts use functions. In our use case, we would-like to expose Pester based custom functions for monitoring purpose, but Pester cannot load without functions.

Can we get this put on the PowerShell gallery? @rpsqrd

I have a group policy deployed to enable PowerShell transcript logging, which works. However, when I deploy JEAEndpoints with DSC, I get an error message when trying to launch the JEASession - "Cannot write to a Closed TextWriter" Has anyone else seen this issue?

Please add a license (MIT)?

I would like to contribute.

Thank you

My servers are all getting a new entry in SeServiceLogonRight (Log on as a service) for every JEA connection made and they are not getting cleaned up. The SID is S-1-5-94-xxx with the name of "WinRM Virtual Users\WinRM VA_xxx_Domain_UserID" where xxx is the next numeric number, Domain and UserID are for the person connected to the endpoint. I have some servers that have over 100 entries in a few days that only differ by the incremented number (each time an automated process runs it appears to create another entry).

Hi,

we use JEA for our Monitoring Software to monitor Exchange server.

we create a module to load the Exchange pssnapins and add the module to ModulesToImport.
This works, but the monitoring software put all console output to the monitoring Software.

When JEA Loads the Module, the Module generates a Warning and the warning ist on top of the console output, so i can't see the Interesting Output of the script.

Is there an option or can you add one, to supress the warning or set the WarningAction to silentlyContinue?

Regards,

Bernd

Working in a test environment and have played around with setting pull mode on the local configuration manager. Is there a quick way to set the settings back to the defaults?