Share via


Control Users' Access to Windows Remote Management

Applies to: Office 365 for enterprises, Live@edu

By default, all new user accounts are allowed to use Windows Remote Management (WinRM) to access the cloud-based organization with Windows PowerShell. However, you can prevent new and existing users from using Windows PowerShell to access your cloud-based organization.

Here's how:

  • Prevent access for a new user in Live@edu
  • Prevent access for a new user in Office 365
  • Prevent access for an existing user
  • Prevent access for many existing users
  • Grant access
  • Find out who has access already

Before you begin

To learn how to install and configure Windows PowerShell and connect to the service, see Use Windows PowerShell in Exchange Online.

Prevent access for a new user in Live@edu

Run the following command:

New-Mailbox -Name <Name> -WindowsLiveID <Windows Live ID> -Password (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force) -RemotePowerShellEnabled $false

For example, to prevent access for a new user named "Kim Akers" with the Windows Live ID kakers@contoso.edu and the password Pa$$word1, run the following command:

New-Mailbox -Name "Kim Akers" -WindowsLiveID kakers@contoso.edu -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force) -RemotePowerShellEnabled $false

Prevent access for a new user in Office 365

Run the following command:

New-Mailbox -Name <Name> -MicrosoftOnlineServicesID <user ID> -Password (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force) -RemotePowerShellEnabled $false

For example, to prevent access for a new user named "Kim Akers" with the user ID kakers@contoso.com and the password Pa$$word1, run the following command:

New-Mailbox -Name "Kim Akers" -MicrosoftOnlineServicesID kakers@contoso.com -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force) -RemotePowerShellEnabled $false

Prevent access for an existing user

Run the following command:

Set-User <Identity> -RemotePowerShellEnabled $false

For example, to prevent access for the user laura@fabrikam.com, run the following command:

Set-User laura@fabrikam.com -RemotePowerShellEnabled $false

Prevent access for many existing users

There are two ways to prevent access for a specific group of existing users:

  • Filter the users based on an existing attribute   This method assumes that the target user accounts all share a unique filterable attribute. For example, the Title, Department, or one of the CustomAttribute1-15 attributes are the same for and unique to all the affected users. Note that some attributes, such as Title, Department, address information, and telephone number, are visible only when you use the Get-User cmdlet. Other attributes, such as CustomAttribute1-15, are visible only when you use the Get-Mailbox cmdlet.
  • Use a list of specific accounts   After you generate the list of specific accounts, you can use that list to assign a mailbox plan.

Filter the users based on an existing attribute

Run the following command:

<Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter> | Set-User -RemotePowerShellEnabled $false

For example, let's assume you manage a Live@edu organization and you want to prevent access for students in the primary grades and you've stored students' grade level in the Title attribute. To prevent access for all mailboxes where the Title property contains "Primary", run the following command:

Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*primary*')} | Set-User -RemotePowerShellEnabled $false

Use a list of specific accounts

Run the following command:

Get-Content <text file> | Set-User -RemotePowerShellEnabled $false

For example, the following procedure uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their user IDs. The text file must contain one user ID on each line like this:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

After you populate the text file with the user accounts you want to update, run the following command:

Get-Content "C:\My Documents\NoPowerShell.txt" | Set-User -RemotePowerShellEnabled $false

Grant access

To grant access to existing users who have been denied access in the past, simply use the value $true with the RemotePowerShellEnabled parameter as described in the previous examples.

To grant access to new users you create using Windows PowerShell, you don't have to use the RemotePowerShellEnabled parameter at all, because all new users are granted access automatically.

Find out who has access already

To find out who has access and view all users' access status, you can use Windows PowerShell.

View the access status for a specific user

Run the following command:

Get-User <Identity> | Format-List RemotePowerShellEnabled

For example, to determine the access status of a user named "Tamara Johnston", run the following command:

Get-User "Tamara Johnston" | Format-List RemotePowerShellEnabled

View the access status for all users

Run the following command:

Get-User -ResultSize unlimited | Format-Table Name,DisplayName,RemotePowerShellEnabled

To display only those users who don't have access, run the following command:

Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $false}

To display only those users who have access, run the following command:

Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $true}