1
00:00:01,240 --> 00:00:03,660
[Autogenerated] Now let's tackle Windows PowerShell Just

2
00:00:03,660 --> 00:00:07,900
Enough Administration, or JEA for short. What is the use case for

3
00:00:07,900 --> 00:00:08,780
PowerShell JEA?

4
00:00:08,780 --> 00:00:12,170
Well, I mentioned that when a Windows server is enabled for

5
00:00:12,170 --> 00:00:15,640
PowerShell remoting, you have these session configuration

6
00:00:15,640 --> 00:00:18,370
endpoints, and by default they're all the same.

7
00:00:18,370 --> 00:00:22,200
That is, the connecting user will normally identify with their

8
00:00:22,200 --> 00:00:25,350
credentials, and they will have whatever privileges their

9
00:00:25,350 --> 00:00:27,440
credentials convey on that machine.

10
00:00:27,440 --> 00:00:30,690
However, in the name of delegated administration,

11
00:00:30,690 --> 00:00:32,270
that may not be what you want.

12
00:00:32,270 --> 00:00:35,970
You may have, say, a support person who you want to give the

13
00:00:35,970 --> 00:00:39,610
ability to connect to maybe an alternate session

14
00:00:39,610 --> 00:00:44,100
endpoint on that server that's heavily constrained, to where that user might

15
00:00:44,100 --> 00:00:48,630
be able to restart a service or might be able to check the status of a

16
00:00:48,630 --> 00:00:51,910
service, but not do anything else on that machine.

17
00:00:51,910 --> 00:00:55,960
Your admins, who should have full administrator privileges,

18
00:00:55,960 --> 00:00:58,230
would make sure to connect to the admin

19
00:00:58,230 --> 00:00:59,520
endpoint on that server.

20
00:00:59,520 --> 00:01:03,700
This is the JEA use case: Just Enough Administration, where we

21
00:01:03,700 --> 00:01:07,540
can support PowerShell remoting in both administrative and

22
00:01:07,540 --> 00:01:10,040
non-administrative contexts.

23
00:01:10,040 --> 00:01:14,210
The high-level overview of configuring JEA on a server is as follows.

24
00:01:14,210 --> 00:01:17,470
You need to create a couple PowerShell script files

25
00:01:17,470 --> 00:01:18,870
that have their own extensions.

26
00:01:18,870 --> 00:01:21,600
You'll see how this works in more detail in the demo, but

27
00:01:21,600 --> 00:01:24,050
first we have the role capability script.

28
00:01:24,050 --> 00:01:28,490
This is going to define what is available on that constrained

29
00:01:28,490 --> 00:01:33,120
endpoint. Are you allowing just certain cmdlets? Probably yes.

30
00:01:33,120 --> 00:01:37,140
Are you allowing any compiled executables to be used, for

31
00:01:37,140 --> 00:01:40,950
instance whoami, ping, trace route? You may want to enable

32
00:01:40,950 --> 00:01:43,550
some but then block all the rest.

33
00:01:43,550 --> 00:01:45,590
This is a role capability script.

34
00:01:45,590 --> 00:01:49,230
We then have the session configuration script that ties that role

35
00:01:49,230 --> 00:01:52,560
capability script with a particular group or groups.

36
00:01:52,560 --> 00:01:56,460
Long story short, in order to connect to that constrained JEA

37
00:01:56,460 --> 00:02:00,510
endpoint, the user would have to be in a group that's allowed based

38
00:02:00,510 --> 00:02:05,040
on that JEA configuration, and once that happens they establish a

39
00:02:05,040 --> 00:02:08,700
connection to that endpoint and they've been allowed in based on

40
00:02:08,700 --> 00:02:09,800
their group membership.

41
00:02:09,800 --> 00:02:13,100
They then would have all the privileges that are conveyed

42
00:02:13,100 --> 00:02:15,440
only by that role capability script.

43
00:02:15,440 --> 00:02:18,340
I'm getting a little ahead of myself. After you create and

44
00:02:18,340 --> 00:02:21,910
deploy your role capability and session configuration

45
00:02:21,910 --> 00:02:23,350
scripts to the target server

46
00:02:23,350 --> 00:02:26,590
(normally you'll store them in the PowerShell modules path),

47
00:02:26,590 --> 00:02:30,630
you would then register the JEA session configuration with the server

48
00:02:30,630 --> 00:02:33,330
and then lastly you make a remoting connection,

49
00:02:33,330 --> 00:02:35,930
specifying that session configuration.

50
00:02:35,930 --> 00:02:37,640
So that would be a training issue.

51
00:02:37,640 --> 00:02:40,570
You would need your support personnel to know, or maybe you just

52
00:02:40,570 --> 00:02:44,060
give them a connection script that references the appropriate JEA

53
00:02:44,060 --> 00:02:47,420
session configuration that they would use with their Enter-PSSession

54
00:02:47,420 --> 00:02:52,000
or New-PSSession command. Now let's do that demo.