Not possible to use PowerShell Session Configuration with limited group SDDL by Sergey Gruzdov

Active

Type: Bug
ID: 773489
Opened: 12/4/2012 11:10:02 PM
Access Restriction: Public
1 Workaround(s)
0 User(s) can reproduce this bug
Not possible to use a PowerShell Session Configuration created with a limited group SDDL (non-local admins) when ExecutionPolicy is set via GPO - will get "AuthorizationManager check failed" on the startup script

Details
How often does this happen?
Always Happens

Have you seen this problem before in this product?

Yes, this happens in all previous versions
Reproduction Steps
1. Set execution policy through Group Policy to Unrestricted.

2. Create a session configuration and try to use it:
$grpSDDL = "<SDDL for limited group>";  # placeholder: SDDL string granting access to the limited (non-admin) group
Register-PSSessionConfiguration -Name "Test" -StartupScript "C:\Test\Startup.ps1" -SecurityDescriptorSddl $grpSDDL -Force;
Enter-PSSession -ComputerName someServer -ConfigurationName Test -Authentication negotiate -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -Credential (Get-Credential "userInLimitedGroup")
Expected Results
enter-PSSession : AuthorizationManager check failed.
At line:1 char:1
+ enter-PSSession -ComputerName SomeServer -ConfigurationName Test ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo         : SecurityError: (:) [Enter-PSSession], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
Posted by Sergey Gruzdov on 12/23/2012 at 10:11 PM
Any version of PowerShell (tested in 2.0 and 3.0). For the rest, see the details.
Posted by Aleksandar Nikolić on 12/10/2012 at 7:26 AM
Can you provide more details?
What's the value of the execution policy in GPO?
How do you define session configuration?
A version of PowerShell?
Posted by Sergey Gruzdov on 12/4/2012 at 11:10 PM
Workaround: remove Execution Policy settings in GPO
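
An added diagnostic, not part of the original report or of any Microsoft tooling: run elevated on the server, it lists session configurations that combine a startup script, an SDDL granting access to non-administrator SIDs, and a Group Policy execution policy, which is the combination this report describes. The function names and the MatchesReport column are hypothetical, and it assumes a GPO-set policy appears in the MachinePolicy or UserPolicy scope of Get-ExecutionPolicy -List.

```powershell
# Added example: flags endpoints matching the conditions in this bug report.
# It does not confirm the failure; it only finds the reported combination.

function Get-GpoExecutionPolicy {
    # Assumption: execution policy set via GPO shows up in the policy scopes.
    Get-ExecutionPolicy -List | Where-Object {
        ('MachinePolicy', 'UserPolicy' -contains $_.Scope) -and
        ($_.ExecutionPolicy -ne 'Undefined')
    }
}

function Get-NonAdminAllowSid {
    param([string]$Sddl)
    if (-not $Sddl) { return }                 # endpoint has no explicit SDDL
    $adminSid = 'S-1-5-32-544'                 # BUILTIN\Administrators
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Report allow ACEs for any SID other than local Administrators.
        if ($ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier.Value -ne $adminSid) {
            $ace.SecurityIdentifier.Value
        }
    }
}

function Get-AffectedSessionConfiguration {
    $gpo = @(Get-GpoExecutionPolicy)
    $gpoText = ($gpo | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ', '

    Get-PSSessionConfiguration |
        Where-Object { $_.StartupScript } |    # only endpoints with a startup script
        ForEach-Object {
            $sids = @(Get-NonAdminAllowSid $_.SecurityDescriptorSddl)
            New-Object PSObject -Property @{
                Name          = $_.Name
                StartupScript = $_.StartupScript
                NonAdminSids  = $sids -join ', '
                GpoPolicy     = $gpoText
                MatchesReport = ($gpo.Count -gt 0) -and ($sids.Count -gt 0)
            }
        }
}

Get-AffectedSessionConfiguration |
    Format-Table Name, MatchesReport, GpoPolicy, NonAdminSids, StartupScript -AutoSize
```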