How to allow access to winrs for non-admin user?


Solution 1

What works is

winrm configSDDL default

And then allowing read and execute rights. But the strange thing is that the settings there are the same as in WSMan:\localhost\Service\RootSDDL. It could be because winrm configSDDL reloads some cache or something, I dunno...

Solution 2

Can you add the User using:

winrm configSDDL http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd

Source

Solution 3

You have to add users on the winrm server to the group "Remote Management Users".

It's that simple.

Bunyk
Author by

Bunyk

Mainly Python programmer, but also could do some JavaScript.

Updated on September 18, 2022

Comments

  • Bunyk
    Bunyk over 1 year

    I have a Windows Server 2012 machine (and Server 2008, but that is the next priority) to monitor using txwinrm. The txwinrm library internally uses the WinRS protocol. I have to monitor it using a least-privileged user, but I don't know how to configure access for him.

    All I managed to do is configure a remote PowerShell session for my user, but it looks like winrs and PowerShell sessions have different security descriptors:

    Invoke-Command -ComputerName 192.168.173.206 -Credential (credential Administrator $pwd) -ScriptBlock { 2 + 2}
    # gives 4
    Invoke-Command -ComputerName 192.168.173.206 -Credential (credential lpu1 $pwd) -ScriptBlock { 2 + 2}
    # gives 4
    winrs -r:192.168.173.206 -u:Administrator -p:$pwd 'powershell -command "2+2"'
    # gives 4
    winrs -r:192.168.173.206 -u:lpu1 -p:$pwd 'powershell -command "2+2"'
    # Gives Winrs error: Access is denied.
    

    The configuration for my user is the following:

    (Get-Item WSMan:\localhost\Service\RootSDDL).value
    # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
    (Get-PSSessionConfiguration -name Microsoft.Powershell).SecurityDescriptorSddl
    # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    

    (In each security descriptor my user is given general access to the protected object.)

    So what security descriptor should I set to make my winrs query work for a non-admin user?

    UPD: Recently I found that I could retrieve information about winrm shells:

    winrm enumerate shell
    Shell
        ShellId = 3793B153-CCCF-4500-99FB-8534074E1738
        ResourceUri = http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd
    

    And I found no such resource URI in the WSMan:\localhost\Plugin directory. :( The documentation states:

    The resource URI can be used to retrieve plug-in configuration that is specific to the shell instance.

    But how do I retrieve that plugin configuration, and how do I change it?

    • MichelZ
      MichelZ about 10 years
      Have you seen this
    • Bunyk
      Bunyk about 10 years
      @MichelZ Yes, I have.
  • Bunyk
    Bunyk about 10 years
    Alas, no, it says: Error number: -2144108544 0x80338000 The WS-Management service cannot process the request. The service cannot find the resource identified by the resource URI and selectors. Which is strange, because Administrator has access to SOME resource, so that resource should exist.
  • Bunyk
    Bunyk over 9 years
    Did winrs -r:$host -u:lpu1 -p:$pwd 'powershell -command "2+2"' work for you? Also, this group exists only on Windows Server 2012 (so let's hope that Windows Server 2008 and lower will become legacy soon).
  • domih
    domih almost 7 years
    @bunyk Your hint to simply authenticate with user and password worked for me. PS C:\Windows\system32> winrs -r:localhost:55985 -u:IEUser -p:Passw0rd! 'powershell -command "2+2"'
  • Chris F
    Chris F almost 3 years
    I did net localgroup "Remote Management Users" /add jenkins to no avail, that is, user jenkins still can't do remote management, unless I make it Administrator