Disable Remote Powershell for Exchange

Richard Long 301 Reputation points

I'm following the guidance for the Exchange zero-days (link below) and I'm curious how others are disabling remote PowerShell access for non-admin users.

Is there a command to allow access for a specific ad group or local admins? Ideally we'd like to disable all of our standard users and allow just specific IT users.

How are others accomplishing this?


Thank you

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,381 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,737 questions
{count} votes

9 answers

Sort by: Most helpful
  1. Joyce Shen - MSFT 16,646 Reputation points

    Hi @Richard Long

    Are you looking for this: Control remote PowerShell access to Exchange servers

    The parameter -RemotePowerShellEnabled in command Set-User specifies whether the user has access to remote PowerShell. Remote PowerShell access is required to open the Exchange Management Shell or the Exchange admin center (EAC), even if you're trying to open the Exchange Management Shell or the EAC on the local Mailbox server. Valid values are:

    $true: The user has access to remote PowerShell.
    $false: The user doesn't have access to remote PowerShell.

    Set-User "User" -RemotePowerShellEnabled $false  

    And we could use the Exchange Management Shell to disable remote PowerShell access for many users:

    And in Exchange 2019 you could use client access rule to meet this need:
    Blocking EAC / Remote PowerShell access in Exchange 2019.
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Client Access Rules in Exchange 2019

    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Amit Singh 4,851 Reputation points
    get-user -ResultSize unlimited |  
    set-user -RemotePowerShellEnabled $false  
    Get-aduser Admin1 |  
    set-user -RemotePowerShellEnabled $true  
    Get-aduser Admin2 |  
    set-user -RemotePowerShellEnabled $true  

    Also, keep in mind, RemotePowerShellEnabled can not be set to false for the logged-in/running user.

  3. Limitless Technology 39,416 Reputation points


    You can disable or enable the Remote Powershell using group policies and firewall settings. Bear in mind that this setting is oriented to target the systems that will allow/disallow but not the users.

    GPO1: Computer Configuration | Administrative Templates | Windows Components | Windows Remote Management (RM) | WinRM Service | Allow Remote Server Management Through WinRM
    GPO2: Computer Configuration | Windows Settings | Security Settings | System Services | Windows Remote Management (WS-Management)


    --If the reply is helpful, please Upvote and Accept as answer--

  4. IDriveAKeyboard 1 Reputation point

    Here goes.
    I ran the short script imamitsingh wrote including excluding admins.

    Now I can't run EMS, it says "Your attempt to connect to this Exchange server was denied because your account isn't enabled for Remote PowerShell."

    Any ideas how to fix this please?

    0 comments No comments

  5. DavidYorkshire 91 Reputation points

    Microsoft tells us to disable remote powershell for non-admin account. OK, fine - but there appears to be no easy way to actually do that without risking getting locked out as the poster above has found. Given the vague and unhelpful documentation, I assume there is no straightforward way to block remote powershell for every account except those in a defined admins group?

    Given that users are created regularly, blocking a whole list of specific accounts isn't a lot of use as it will rapidly become out of date.

    0 comments No comments