question

0 Votes
JackChuong-8462 asked LimitlessTechnology-2700 answered

Windows server 2016 - non admin user run powershell as administrator

Hi all,
My environment: Windows Server 2016 Standard with the OpenSSH service running and a local user "gitlab"; user gitlab can SSH to the server successfully.
I want user gitlab to be able to run:
Stop-WebAppPool -Name "mywebapppool" -Passthru
Start-WebAppPool -Name "mywebapppool" -Passthru
I granted user gitlab permission for managing IIS by using "IIS Manager permissions".
I added user gitlab to the local Administrators group.
It works.
Is there any other way, so that I don't have to add user gitlab to the local Administrators group?
I want user gitlab to be able to run some WebAdministration cmdlets (or some .ps1 files) with administrator privilege.
Please give me some advice, thank you very much.

windows-server-powershell windows-server-2016 windows-server-iis

Hi @JackChuong-8462 ,

IIS is a very important service in the Windows system. Almost all features need admin privilege. A non-admin account is not allowed to do anything with the IIS service. To be honest, there is no way to do that without admin privilege.

0 Votes 0 ·

While that may be true, the privilege can be delegated. See Microsoft's Just Enough Administration for PowerShell.

Not only can it manage that delegation, it can also limit the cmdlets a user is permitted to run.

0 Votes 0 ·
1 Vote
LimitlessTechnology-2700 answered

Hello JackChuong,

What I would recommend to you in this case is the use of JEA:

Just Enough Administration (JEA) is a security technology that enables delegated administration for anything managed by PowerShell. With JEA, you can:

Reduce the number of administrators on your machines using virtual accounts or group-managed service accounts to perform privileged actions on behalf of regular users.
Limit what users can do by specifying which cmdlets, functions, and external commands they can run.
Better understand what your users are doing with transcripts and logs that show you exactly which commands a user executed during their session.

You can find more information about JEA, its requisites, capabilities and usage here: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/overview?view=powershell-5.1



--If the reply is helpful, please Upvote and Accept as answer--
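
The JEA approach recommended above, applied to the two cmdlets from the question, as an added example that is not part of the original answer or Microsoft's own code. The module name `IisPoolJEA`, role name `AppPoolOperator`, endpoint name `IisPoolOps` and the paths under `ProgramData` are assumptions chosen for illustration.

```powershell
# Added example. Assumed names (not from the thread): module "IisPoolJEA",
# role "AppPoolOperator", endpoint "IisPoolOps", folder %ProgramData%\JEA.
# Run once in an elevated Windows PowerShell 5.1 session on the IIS server.

# Role capability files are discovered in a module's RoleCapabilities folder.
$module  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\IisPoolJEA'
$roleDir = Join-Path $module 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'IisPoolJEA.psd1')

# Role: only these two cmdlets are visible, and -Name accepts only this pool.
$poolParams = @(
    @{ Name = 'Name'; ValidateSet = 'mywebapppool' },
    @{ Name = 'Passthru' }
)
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'AppPoolOperator.psrc') `
    -ModulesToImport 'WebAdministration' `
    -VisibleCmdlets @(
        @{ Name = 'Stop-WebAppPool';  Parameters = $poolParams },
        @{ Name = 'Start-WebAppPool'; Parameters = $poolParams }
    )

# Session configuration: commands run as a temporary virtual account, so the
# connecting user does not need to be a member of the local Administrators group.
$jeaDir      = Join-Path $env:ProgramData 'JEA'
$transcripts = Join-Path $jeaDir 'Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pssc = Join-Path $jeaDir 'IisPoolOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ "$env:COMPUTERNAME\gitlab" = @{ RoleCapabilities = 'AppPoolOperator' } }

# Validate the file, then register the endpoint (this restarts WinRM).
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid $pssc" }
Register-PSSessionConfiguration -Name 'IisPoolOps' -Path $pssc -Force

# Check what the endpoint exposes to the user before handing it over.
Get-PSSessionCapability -ConfigurationName 'IisPoolOps' -Username "$env:COMPUTERNAME\gitlab"

# The user then connects to the endpoint by name, for example:
#   Invoke-Command -ComputerName <server> -ConfigurationName IisPoolOps `
#       -Credential (Get-Credential) `
#       -ScriptBlock { Stop-WebAppPool -Name 'mywebapppool' -Passthru }
```

JEA endpoints are reached through WinRM PowerShell remoting with `-ConfigurationName`, not through the OpenSSH shell, and each session is written to the transcript directory.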


1 Vote
RichMatheisen-8856 answered JackChuong-8462 commented

Have a look at this: overview



Thank you very much for Microsoft's Just Enough Administration for PowerShell link, it looks promising, I'm trying it.

0 Votes 0 ·