If you screw up and disable an admin account, re-enable following:
Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.Snapin
set-user <user> -RemotePowerShellEnabled $true
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I'm following the guidance for the Exchange zero-days (link below) and I'm curious how others are disabling remote PowerShell access for non-admin users.
Is there a command to allow access for a specific ad group or local admins? Ideally we'd like to disable all of our standard users and allow just specific IT users.
How are others accomplishing this?
Thank you
If you screw up and disable an admin account, re-enable following:
Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.Snapin
set-user <user> -RemotePowerShellEnabled $true
Hello,
I asked myself the same question.
Also, what about new users? Should we disable powershell remote access each time we have a newcomer to the company?
I don't see any other solution besides disabling access for everyone, and enabling access for a short list of users right after...
Has anyone found an easy way to do this?
I'm effectively looking to run this:
Get-ADGroupMember -identity 'Non admins' | set-user -RemotePowerShellEnabled $false
Can someone help with the syntax please?
To answer my own question I went down the OU route instead:
Get-User | Where-Object {$_.OrganizationalUnit -ne 'Org.dns/ORG/Users/Engineers/Domain Administrators' | Set-User -RemotePowerShellEnabled $false
can use and "and" to if required:
Get-User | Where-Object {$.OrganizationalUnit -ne 'Org.dns/ORG/Users/Engineers/Domain Administrators' -and $.OrganizationalUnit -ne 'Org.dns/ORG/Service Accounts/On_prem'} | Set-User -RemotePowerShellEnabled $false