This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 87%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERL%3C/text%3E%3C/svg%3E)
I'm following the guidance for the Exchange zero-days (link below) and I'm curious how others are disabling remote PowerShell access for non-admin users.
Is there a command to allow access for a specific ad group or local admins? Ideally we'd like to disable all of our standard users and allow just specific IT users.
How are others accomplishing this?
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
I am writing to see how everything is going on with this thread. If you still have further concern on this, please feel free to let us know.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi,
Looks like your issue is resolved now. Don't forget to "Accept Answer" for any helpful reply below to close this thread, your action would be helpful to other users who encounter the same issue and read this thread.
Thanks for your understanding!
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
If you screw up and disable an admin account, re-enable following:
Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.Snapin
set-user <user> -RemotePowerShellEnabled $true
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 1%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hello,
I asked myself the same question.
Also, what about new users? Should we disable powershell remote access each time we have a newcomer to the company?
I don't see any other solution besides disabling access for everyone, and enabling access for a short list of users right after...
Has anyone found an easy way to do this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 8%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
I'm effectively looking to run this:
Get-ADGroupMember -identity 'Non admins' | set-user -RemotePowerShellEnabled $false
Can someone help with the syntax please?
To answer my own question I went down the OU route instead:
Get-User | Where-Object {$_.OrganizationalUnit -ne 'Org.dns/ORG/Users/Engineers/Domain Administrators' | Set-User -RemotePowerShellEnabled $false
can use and "and" to if required:
Get-User | Where-Object {$.OrganizationalUnit -ne 'Org.dns/ORG/Users/Engineers/Domain Administrators' -and $.OrganizationalUnit -ne 'Org.dns/ORG/Service Accounts/On_prem'} | Set-User -RemotePowerShellEnabled $false
Confirm changes with:
Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true' |ft Name, RemotePowerShellEnabled
@Richard Long
If the answer is helpful please click on ACCEPT ANSWER as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.
