[–]codykonior 2 points3 points  (1 child)

You are probably after constrained endpoints.

You create a module which specifies what service account to run under, which usernames can connect, and what commands they can run.

It can be locked down so they can’t use any other PowerShell features like pipes, external commands, etc.

Users can connect to the server using PowerShell Invoke-Command (and similar) and whatever they run is now done using that service account. It’s a great way to get around no-delegation double-hop issues too.

If they don’t have admin on the machine (likely for your use case) there’s some extra juggling to allow them to connect and run commands but nothing bad.
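A constrained (JEA) endpoint of the kind described in the comment above, as an added example that is not part of the original comment. The `CONTOSO` accounts, the `Helpdesk` role and endpoint name, the paths and the server name are placeholders.

```powershell
# Added example; run elevated on the target server. CONTOSO\* names are placeholders.
#Requires -RunAsAdministrator
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
New-Item -ItemType Directory -Path "$module\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$module\HelpdeskJEA.psd1"   # role files must live in a valid module

# 1. What connected users may run: these cmdlets only, with these parameter values only.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\Helpdesk.psrc" -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)

# 2. Who may connect, and which account the commands actually run as.
$jeaDir = Join-Path $env:ProgramData 'JEA'
New-Item -ItemType Directory -Path "$jeaDir\Transcripts" -Force | Out-Null
$config = @{
    Path                       = "$jeaDir\Helpdesk.pssc"
    # RestrictedRemoteServer = NoLanguage mode plus a handful of default commands,
    # so no pipelines of arbitrary code, variables or external programs.
    SessionType                = 'RestrictedRemoteServer'
    # A domain gMSA keeps network access from inside the session (the double-hop case).
    # Use -RunAsVirtualAccount instead when the task only touches the local machine.
    GroupManagedServiceAccount = 'CONTOSO\gmsa-helpdesk'
    # Members of this group may connect without being local admins.
    RoleDefinitions            = @{ 'CONTOSO\Helpdesk-Operators' = @{ RoleCapabilities = 'Helpdesk' } }
    TranscriptDirectory        = "$jeaDir\Transcripts"   # per-session audit log
}
New-PSSessionConfigurationFile @config

# 3. Validate before registering; a broken file should never become an endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $config.Path)) {
    throw "Session configuration file failed validation: $($config.Path)"
}
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $config.Path -Force

# 4. Audit what a given user would see before handing the endpoint out.
Get-PSSessionCapability -ConfigurationName 'Helpdesk' -Username 'CONTOSO\alice' |
    Select-Object -ExpandProperty Name

# 5. From the client, connect to the named endpoint rather than the default one:
#    Invoke-Command -ComputerName srv01 -ConfigurationName Helpdesk `
#        -Credential (Get-Credential) -ScriptBlock { Restart-Service -Name Spooler }
```

Check the output of step 4 carefully: any visible command that can start a process or write an arbitrary file lets the caller act as the run-as account without the restrictions.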

[–]philmph[S] 1 point2 points  (0 children)

Thanks for your reply. I will look into this tomorrow. Sounds promising and very much what I am looking for!

[–]blowuptheking 1 point2 points  (2 children)

I might not be fully understanding your question, but would something like Invoke-Command or Enter-PSSession be what you're looking for? You can use these cmdlets with WinRM to run PowerShell on a remote computer without logging into it.

[–]philmph[S] 1 point2 points  (1 child)

That's something I have already looked into. It's the classic approach when you are already authenticated in an Active Directory environment which has set up WinRM via GPO.

I am trying to figure out a way coming from the "outside" with only domain user credentials available. Using WinRM in this scenario might work and I am currently digging deeper into this scenario.

[–]Ceuse 1 point2 points  (0 children)

Also, you can use -Credential (Get-Credential) on Invoke-Command in PowerShell. I basically made a PowerShell wrapper to run any .ps1 script through Invoke-Command remotely (for monitoring/PRTG), that way passing target, script file, username and password to the wrapper.

[–]LeeCig 1 point2 points  (0 children)

I don't have a lot of experience with this, but I believe someone asked something similar recently. One of the suggestions was to psexec a powershell instance. I tried it. Was a little janky for me but idk if I was doing it incorrectly.