Just Enough Administration for Domain Controllers

Joseph Patrick 641 Reputation points
2021-05-10T17:07:19.47+00:00

I am building a JEA file for Domain Controllers. One file will be to perform read-only items; the second file would be to perform certain executable/change items like restarting services or doing role activities.

I have read the various documentation out there but have not seen anything regarding domain controllers... What would be ideal to have in a DC JEA file?

Is there a JEA template out there with settings ideal for Domain Controllers?


3 additional answers

  1. Vicky Wang 2,726 Reputation points
    2021-05-11T09:24:31.687+00:00

    Hi,
    Thank you for posting in our forum.

    First of all, create a configuration file of a PowerShell session (*.pssc). To do it, run this command on your domain controller:

    New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'

    Open the PSSC file using Notepad.
    The PSSC file sets who may connect to this JEA endpoint and under what account the commands in the JEA session will run.

    Modify the following values:

    SessionType from Default to RestrictedRemoteServer. This mode allows the use of the following PowerShell cmdlets: Clear-Host, Exit-PSSession, Get-Command, Get-FormatData, Get-Help, Measure-Object, Out-Default, and Select-Object.
    Specify a folder (create it) in the TranscriptDirectory parameter. Here you will log all JEA user actions: TranscriptDirectory = 'C:\PS\JEA_logs'
    The RunAsVirtualAccount option allows running commands under a virtual administrator account (member of the local Administrator or Domain Administrator group): RunAsVirtualAccount = $true

    For specific steps, please refer to the link provided by Patrick. The following link can give you some information:

    https://docs.servicenow.com/bundle/quebec-it-operations-management/page/product/discovery/concept/microsoft-jea-discovery.html

    https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/session-configurations?view=powershell-7.1

    Hope this information can help you
    Best wishes
    Vicky
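
The session configuration from the answer above, extended to the two roles the question asks for (read-only and limited change operations). This is an added example, not part of the original thread and not a Microsoft template; the module name DcJea, the CONTOSO groups and user, and the cmdlet and service lists are assumptions to adapt.

```powershell
# Run elevated on the domain controller. Assumed names (not from the thread): module DcJea,
# groups CONTOSO\DC-ReadOnly and CONTOSO\DC-Operators, and the cmdlet/service lists below.
$module = 'C:\Program Files\WindowsPowerShell\Modules\DcJea'
$roles  = Join-Path $module 'RoleCapabilities'
New-Item -ItemType Directory -Path $roles, 'C:\PS\JEA_logs' -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'DcJea.psd1')   # makes the folder a discoverable module

# Role 1: read-only. Only these cmdlets are visible in addition to the RestrictedRemoteServer defaults.
$readOnly = 'Get-Service', 'Get-WinEvent', 'Get-ADDomainController',
            'Get-ADReplicationFailure', 'Get-ADReplicationPartnerMetadata'
New-PSRoleCapabilityFile -Path (Join-Path $roles 'DcReadOnly.psrc') -ModulesToImport 'ActiveDirectory' -VisibleCmdlets $readOnly

# Role 2: change operations. Restart-Service is exposed with -Name only, and -Name is
# restricted to a fixed set, so a caller cannot restart arbitrary services.
$restart = @{
    Name       = 'Restart-Service'
    Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon', 'W32Time' }
}
New-PSRoleCapabilityFile -Path (Join-Path $roles 'DcOperator.psrc') -VisibleCmdlets $restart

# Session configuration: who may connect and which role(s) each group receives.
# On a domain controller the virtual account is a member of Domain Admins, so the
# visible-command lists above are the only thing limiting what a connected user can do.
$pssc = 'C:\Program Files\WindowsPowerShell\dc_manage.pssc'
$config = @{
    Path                = $pssc
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\PS\JEA_logs'
    RoleDefinitions     = @{
        'CONTOSO\DC-ReadOnly'  = @{ RoleCapabilities = 'DcReadOnly' }
        'CONTOSO\DC-Operators' = @{ RoleCapabilities = 'DcReadOnly', 'DcOperator' }
    }
}
New-PSSessionConfigurationFile @config

# Validate before registering; registration with -Force restarts WinRM on this server.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}
Register-PSSessionConfiguration -Name 'dc_manage' -Path $pssc -Force

# Review the effective command set for a given user (hypothetical account) before granting access.
Get-PSSessionCapability -ConfigurationName 'dc_manage' -Username 'CONTOSO\alice'
```

Members of the mapped groups then connect with Enter-PSSession, passing -ConfigurationName dc_manage, and every session is transcribed to C:\PS\JEA_logs.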


  2. Anonymous
    2021-05-11T12:11:04.077+00:00

    Just checking if there's any progress or updates?

    --please don't forget to Accept as answer if the reply is helpful--


  3. Vicky Wang 2,726 Reputation points
    2021-05-12T07:30:18.527+00:00

    Hi,
    Glad your problem has been solved
    Best wishes
    Vicky

