How to allow access to winrs for non-admin user?
Solution 1
What works is
winrm configSDDL default
And then allowing read and execute rights. But the strange thing is that the settings there are the same as in WSMan:\localhost\Service\RootSDDL. It could be because winrm configSDDL reloads some cache or something, I dunno...
Solution 2
Can you add the User using:
winrm configSDDL http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd
Solution 3
You have to add users on the winrm server to the group "Remote Management Users"
It's that simple.
Bunyk
Mainly Python programmer, but also could do some JavaScript.
Updated on September 18, 2022
Comments
-
Bunyk over 1 year
I have Windows Server 2012 (and Server 2008, but it is next priority) to monitor it using txwinrm. txwinrm library internally is using WinRS protocol. I have to monitor it using least privileged user, but don't know how to configure access for him.
All I managed to do is to configure a remote PowerShell session for my user, but it looks like winrs and PowerShell sessions have different security descriptors:
Invoke-Command -ComputerName 192.168.173.206 -Credential (credential Administrator $pwd) -ScriptBlock { 2 + 2} # gives 4
Invoke-Command -ComputerName 192.168.173.206 -Credential (credential lpu1 $pwd) -ScriptBlock { 2 + 2} # gives 4
winrs -r:192.168.173.206 -u:Administrator -p:$pwd 'powershell -command "2+2"' # gives 4
winrs -r:192.168.173.206 -u:lpu1 -p:$pwd 'powershell -command "2+2"' # Gives Winrs error: Access is denied.
Configuration for my user is following:
(Get-Item WSMan:\localhost\Service\RootSDDL).value
# O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
(Get-PSSessionConfiguration -name Microsoft.Powershell).SecurityDescriptorSddl
# O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
(In each security descriptor my user is given general access to protected object).
So what security descriptor should I set to make my winrs query work for non-admin user?
UPD: Recently I found that I could retrieve information about winrm shells:
winrm enumerate shell
Shell
    ShellId = 3793B153-CCCF-4500-99FB-8534074E1738
    ResourceUri = http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd
And I found no such resource URI in the WSMan:\localhost\Plugin directory. :( Documentation states: "The resource URI can be used to retrieve plug-in configuration that is specific to the shell instance."
But how to retrieve that plugin configuration and how to change it?
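Added example, not part of the original post: a small Python parser for the DACL of SDDL strings such as the two quoted in the question, listing which trustees are allowed which generic rights so the descriptors can be compared. Run on the page's two strings, it shows that they name different user SIDs (ending in -1141 and -1149). The alias and rights tables cover only the codes that appear here, and the function names are illustrative.

```python
import re

# SDDL aliases and generic rights that occur in the descriptors quoted in the question.
ALIASES = {"BA": "BUILTIN\\Administrators", "WD": "Everyone"}
RIGHTS = {"GA": "full", "GR": "read", "GW": "write", "GX": "execute"}

def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) section; the S: (audit) section is skipped."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields[:6]
        # Rights are either one hex mask or a run of two-letter codes.
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        aces.append({"type": ace_type, "flags": flags, "trustee": trustee,
                     "rights": {RIGHTS.get(c, c) for c in codes}})
    return aces

def allowed(sddl):
    """Map each trustee of an allow ACE (type 'A') to its rights; deny ACEs are ignored."""
    grants = {}
    for ace in parse_dacl(sddl):
        if ace["type"] == "A":
            grants.setdefault(ace["trustee"], set()).update(ace["rights"])
    return grants

def only_in_first(sddl_a, sddl_b):
    """Trustees that sddl_a allows but sddl_b does not mention in any allow ACE."""
    return sorted(set(allowed(sddl_a)) - set(allowed(sddl_b)))

# The two descriptors as quoted in the question.
ROOT_SDDL = ("O:NSG:BAD:P(A;;GA;;;BA)"
             "(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)"
             "S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)")
PS_SDDL = ("O:NSG:BAD:P(A;;GA;;;BA)"
           "(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)"
           "S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)")

if __name__ == "__main__":
    for name, sddl in (("RootSDDL", ROOT_SDDL), ("Microsoft.Powershell", PS_SDDL)):
        for trustee, rights in allowed(sddl).items():
            print(f"{name}: {ALIASES.get(trustee, trustee)} -> {sorted(rights)}")
    print("allowed only in RootSDDL:", only_in_first(ROOT_SDDL, PS_SDDL))
```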
-
MichelZ about 10 years: Have you seen this
-
Bunyk about 10 years: @MichelZ Yes, I have.
-
Bunyk about 10 years: Alas, no, it says: Error number: -2144108544 0x80338000 The WS-Management service cannot process the request. The service cannot find the resource identified by the resource URI and selectors. Which is strange because Administrator has access to SOME resource, so that resource should exist.
-
Bunyk over 9 years: Did winrs -r:$host -u:lpu1 -p:$pwd 'powershell -command "2+2"' work for you? Also, this group exists only on Windows Server 2012 (so let's hope that Windows Server 2008 and lower will become legacy soon).
-
domih almost 7 years: @bunyk Your hint to simply authenticate with user and password worked for me.
PS C:\Windows\system32> winrs -r:localhost:55985 -u:IEUser -p:Passw0rd! 'powershell -command "2+2"'
-
Chris F almost 3 years: I did
net localgroup "Remote Management Users" /add jenkins
to no avail, that is, user jenkins still can't do remote management, unless I make it Administrator