How to create a delegated constrained endpoint when your script is interactive – part 1

This is part one of a two part post.

As part of my NAS project, I wanted our Media lecturers to be able to allow / revoke NAS access, as well as perform a couple of other functions, themselves.

To do this I created a PowerShell script that displays a simple menu giving the lecturers a few options for managing the NAS. Here's what the menu looks like:

[Screenshot: the nasadmin menu]

I finished this completely today and got the whole thing working using a constrained remote endpoint that runs the chosen menu option under a delegated account. This means that lecturers do not need the RSAT tools installed on their computers, nor do they need any of the Active Directory PowerShell cmdlets installed.

I learned quite a few "gotchas" doing this, including how to use a constrained endpoint when your script is interactive, as mine is, and how to write PowerShell error trapping when using implicit remoting. I did not find this information easily available (particularly on using the .pssc file with an interactive script), so hopefully the finished blog entry will help a few people out.

The final result gives the end user access to an explicit set of Active Directory cmdlets, only those the script needs to function. Those cmdlets run under a delegated Active Directory account whose permissions are limited to what I defined beforehand, and the whole endpoint is accessible only to members of an Active Directory group of my choosing.
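The three pieces just described (a .pssc with an explicit cmdlet list, a delegated RunAs account, and access limited to one AD group), plus the implicit-remoting error trapping mentioned above, as an added example that is not the author's nasadmin script. The server, domain, group, account and cmdlet names are hypothetical placeholders.

```powershell
# Added example, not the author's code. All names below are hypothetical.
# ---- Server side: build and register the constrained endpoint ----
$ConfigPath = "$env:TEMP\NasAdmin.pssc"

# RestrictedRemoteServer hides everything except a few core cmdlets; VisibleCmdlets
# re-adds only what the menu needs, and pins -Identity to the one NAS group so the
# delegated account can never be used to edit a different group.
New-PSSessionConfigurationFile -Path $ConfigPath `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport ActiveDirectory `
    -ExecutionPolicy Restricted `
    -VisibleCmdlets @(
        'Get-ADUser',
        'Get-ADGroupMember',
        @{ Name = 'Add-ADGroupMember'
           Parameters = @{ Name = 'Identity'; ValidateSet = 'NAS-Media-Users' }, @{ Name = 'Members' } },
        @{ Name = 'Remove-ADGroupMember'
           Parameters = @{ Name = 'Identity'; ValidateSet = 'NAS-Media-Users' }, @{ Name = 'Members' }, @{ Name = 'Confirm' } }
    )

# Delegated account: holds only "modify members" on NAS-Media-Users, nothing else.
$RunAs = Get-Credential -UserName 'CONTOSO\svc-nasadmin' -Message 'Delegated account password'

# Access control: Administrators get full control, the lecturers' group gets
# Read + Execute (Invoke) only; everyone else is denied by the protected DACL.
$GroupSid = (New-Object System.Security.Principal.NTAccount('CONTOSO', 'NAS-Media-Lecturers')).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$Sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;$GroupSid)"

Register-PSSessionConfiguration -Name 'NasAdmin' -Path $ConfigPath `
    -RunAsCredential $RunAs -SecurityDescriptorSddl $Sddl -Force

# ---- Client side (lecturer's PC, no RSAT): implicit remoting with error trapping ----
# Remote failures surface as terminating errors only with -ErrorAction Stop,
# otherwise the menu silently continues after a failed change.
$Session = New-PSSession -ComputerName 'nas-mgmt01.contoso.local' -ConfigurationName 'NasAdmin'
Import-PSSession -Session $Session -CommandName Add-ADGroupMember, Remove-ADGroupMember, Get-ADGroupMember | Out-Null

try {
    Add-ADGroupMember -Identity 'NAS-Media-Users' -Members 'jbloggs' -ErrorAction Stop
    Write-Host 'NAS access granted.'
}
catch {
    Write-Warning "NAS access change failed: $($_.Exception.Message)"
}
finally {
    Remove-PSSession -Session $Session
}
```

Running `Get-PSSessionConfiguration -Name NasAdmin | Format-List Permission, RunAsUser` on the server is a quick way to confirm that only the intended group can invoke the endpoint and that the delegated account is the one doing the work.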

It's genius, it's PowerShell, and I love PowerShell!

Part two of this blog entry (how I did it) will appear as soon as I have taken screenshots.
