Disable Remote Powershell for Exchange

Richard Long 281 Reputation points
2022-10-03T23:39:09.203+00:00

I'm following the guidance for the Exchange zero-days (link below) and I'm curious how others are disabling remote PowerShell access for non-admin users.

Is there a command to allow access for a specific ad group or local admins? Ideally we'd like to disable all of our standard users and allow just specific IT users.

How are others accomplishing this?

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Thank you


9 answers

  1. Joyce Shen - MSFT 16,641 Reputation points
    2022-10-04T02:29:41.177+00:00

    Hi @Richard Long

    Are you looking for this: Control remote PowerShell access to Exchange servers

    The parameter -RemotePowerShellEnabled in command Set-User specifies whether the user has access to remote PowerShell. Remote PowerShell access is required to open the Exchange Management Shell or the Exchange admin center (EAC), even if you're trying to open the Exchange Management Shell or the EAC on the local Mailbox server. Valid values are:

    $true: The user has access to remote PowerShell.
    $false: The user doesn't have access to remote PowerShell.

    Set-User "User" -RemotePowerShellEnabled $false  
    

    And we could use the Exchange Management Shell to disable remote PowerShell access for many users:
    [Image: 247180-image.png]

    And in Exchange 2019 you could use client access rule to meet this need:
    Blocking EAC / Remote PowerShell access in Exchange 2019.
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Client Access Rules in Exchange 2019



  2. Amit Singh 4,846 Reputation points
    2022-10-04T06:50:05.19+00:00

    # Disable remote PowerShell for every user
    Get-User -ResultSize Unlimited |
        Set-User -RemotePowerShellEnabled $false

    # Re-enable it for each admin account
    Get-ADUser Admin1 |
        Set-User -RemotePowerShellEnabled $true

    Get-ADUser Admin2 |
        Set-User -RemotePowerShellEnabled $true

    Also, keep in mind, RemotePowerShellEnabled cannot be set to false for the logged-in/running user.
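
One way to do what the question asks, as an added example that is not part of any answer in this thread: allow remote PowerShell only for members of one AD group, enabling the allow list before disabling everyone else. The group name `Exchange-RPS-Allowed` and the `-Apply` switch are hypothetical, and the script assumes it runs in the Exchange Management Shell with the ActiveDirectory module available.

```powershell
# Added example, not from the thread. Group name and -Apply switch are hypothetical.
param(
    [string]$AllowGroup = 'Exchange-RPS-Allowed',
    [switch]$Apply   # without -Apply every Set-User call runs with -WhatIf
)

Import-Module ActiveDirectory
$whatIf = -not $Apply

# Resolve the allow list (nested groups included), keyed by distinguished name.
# PowerShell hashtables compare string keys case-insensitively.
$allowed = @{}
Get-ADGroupMember -Identity $AllowGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $allowed[[string]$_.DistinguishedName] = $true }

if ($allowed.Count -eq 0) {
    throw "Group '$AllowGroup' has no user members; refusing to continue."
}

# Refuse to run if the account executing the script is not on the allow list,
# so the operator cannot remove their own access.
$mySid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$myDn  = (Get-ADUser -Identity $mySid).DistinguishedName
if (-not $allowed.ContainsKey([string]$myDn)) {
    throw "The current account is not a member of '$AllowGroup'; add it first."
}

# Step 1: make sure every allowed account is enabled BEFORE anything is disabled.
foreach ($dn in $allowed.Keys) {
    Set-User -Identity $dn -RemotePowerShellEnabled $true -WhatIf:$whatIf
}

# Step 2: disable remote PowerShell for every other user that still has it.
$disabled = 0
Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true' |
    Where-Object { -not $allowed.ContainsKey([string]$_.DistinguishedName) } |
    ForEach-Object {
        Set-User -Identity ([string]$_.DistinguishedName) `
                 -RemotePowerShellEnabled $false -WhatIf:$whatIf
        $disabled++
    }

"{0} allowed, {1} disabled (WhatIf: {2})" -f $allowed.Count, $disabled, $whatIf
```

Review the `-WhatIf` output for service accounts that need access before running with `-Apply`. Because the script only touches users that currently have the setting enabled, it can be re-run on a schedule to catch newly created accounts.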


  3. Limitless Technology 39,341 Reputation points
    2022-10-05T07:58:34.577+00:00

    Hello,

    You can disable or enable the Remote Powershell using group policies and firewall settings. Bear in mind that this setting is oriented to target the systems that will allow/disallow but not the users.

    GPO1: Computer Configuration | Administrative Templates | Windows Components | Windows Remote Management (WinRM) | WinRM Service | Allow Remote Server Management Through WinRM
    GPO2: Computer Configuration | Windows Settings | Security Settings | System Services | Windows Remote Management (WS-Management)



  4. IDriveAKeyboard 1 Reputation point
    2022-10-06T10:09:11.927+00:00

    Here goes.
    I ran the short script imamitsingh wrote including excluding admins.

    Now I can't run EMS, it says "Your attempt to connect to this Exchange server was denied because your account isn't enabled for Remote PowerShell."

    Any ideas how to fix this please?
    Thanks
    IDAK


  5. DavidYorkshire 91 Reputation points
    2022-10-06T11:47:29.5+00:00

    Microsoft tells us to disable remote PowerShell for non-admin accounts. OK, fine - but there appears to be no easy way to actually do that without risking getting locked out as the poster above has found. Given the vague and unhelpful documentation, I assume there is no straightforward way to block remote PowerShell for every account except those in a defined admins group?

    Given that users are created regularly, blocking a whole list of specific accounts isn't a lot of use as it will rapidly become out of date.
