Control Users' Access to Windows Remote Management
Applies to: Office 365 for enterprises, Live@edu
By default, all new user accounts are allowed to use Windows Remote Management (WinRM) to access the cloud-based organization with Windows PowerShell. However, you can prevent new and existing users from using Windows PowerShell to access your cloud-based organization.
Here's how:
- Prevent access for a new user in Live@edu
- Prevent access for a new user in Office 365
- Prevent access for an existing user
- Prevent access for many existing users
- Grant access
- Find out who has access already
Before you begin
To learn how to install and configure Windows PowerShell and connect to the service, see Use Windows PowerShell in Exchange Online.
Prevent access for a new user in Live@edu
Run the following command:
New-Mailbox -Name <Name> -WindowsLiveID <Windows Live ID> -Password (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force) -RemotePowerShellEnabled $false
For example, to prevent access for a new user named "Kim Akers" with the Windows Live ID kakers@contoso.edu and the password Pa$$word1, run the following command:
New-Mailbox -Name "Kim Akers" -WindowsLiveID kakers@contoso.edu -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force) -RemotePowerShellEnabled $false
Prevent access for a new user in Office 365
Run the following command:
New-Mailbox -Name <Name> -MicrosoftOnlineServicesID <user ID> -Password (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force) -RemotePowerShellEnabled $false
For example, to prevent access for a new user named "Kim Akers" with the user ID kakers@contoso.com and the password Pa$$word1, run the following command:
New-Mailbox -Name "Kim Akers" -MicrosoftOnlineServicesID kakers@contoso.com -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force) -RemotePowerShellEnabled $false
Prevent access for an existing user
Run the following command:
Set-User <Identity> -RemotePowerShellEnabled $false
For example, to prevent access for the user laura@fabrikam.com, run the following command:
Set-User laura@fabrikam.com -RemotePowerShellEnabled $false
Prevent access for many existing users
There are two ways to prevent access for a specific group of existing users:
- Filter the users based on an existing attribute This method assumes that the target user accounts all share a unique filterable attribute. For example, the Title, Department, or one of the CustomAttribute1-15 attributes are the same for and unique to all the affected users. Note that some attributes, such as Title, Department, address information, and telephone number, are visible only when you use the Get-User cmdlet. Other attributes, such as CustomAttribute1-15, are visible only when you use the Get-Mailbox cmdlet.
- Use a list of specific accounts After you generate the list of specific accounts, you can use that list to assign a mailbox plan.
Filter the users based on an existing attribute
Run the following command:
<Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter> | Set-User -RemotePowerShellEnabled $false
For example, let's assume you manage a Live@edu organization and you want to prevent access for students in the primary grades and you've stored students' grade level in the Title attribute. To prevent access for all mailboxes where the Title property contains "Primary", run the following command:
Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*primary*')} | Set-User -RemotePowerShellEnabled $false
Use a list of specific accounts
Run the following command:
Get-Content <text file> | Set-User -RemotePowerShellEnabled $false
For example, the following procedure uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their user IDs. The text file must contain one user ID on each line like this:
akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com
After you populate the text file with the user accounts you want to update, run the following command:
Get-Content "C:\My Documents\NoPowerShell.txt" | Set-User -RemotePowerShellEnabled $false
Grant access
To grant access to existing users who have been denied access in the past, simply use the value $true
with the RemotePowerShellEnabled parameter as described in the previous examples.
To grant access to new users you create using Windows PowerShell, you don't have to use the RemotePowerShellEnabled parameter at all, because all new users are granted access automatically.
Find out who has access already
To find out who has access and view all users' access status, you can use Windows PowerShell.
View the access status for a specific user
Run the following command:
Get-User <Identity> | Format-List RemotePowerShellEnabled
For example, to determine the access status of a user named "Tamara Johnston", run the following command:
Get-User "Tamara Johnston" | Format-List RemotePowerShellEnabled
View the access status for all users
Run the following command:
Get-User -ResultSize unlimited | Format-Table Name,DisplayName,RemotePowerShellEnabled
To display only those users who don't have access, run the following command:
Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $false}
To display only those users who have access, run the following command:
Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $true}