How to allow access to winrs for a non-admin user?

I have a Windows Server 2012 machine (and a Server 2008 one, but that is the next priority) that I need to monitor using txwinrm. The txwinrm library internally uses the WinRS protocol. I have to monitor it using a least-privileged user, but I don't know how to configure access for that user.

All I have managed to do is configure a remote PowerShell session for my user, but it looks like winrs and PowerShell sessions have different security descriptors:

Invoke-Command -ComputerName 192.168.173.206 -Credential (credential Administrator $pwd) -ScriptBlock { 2 + 2}
# gives 4
Invoke-Command -ComputerName 192.168.173.206 -Credential (credential lpu1 $pwd) -ScriptBlock { 2 + 2}
# gives 4
winrs -r:192.168.173.206 -u:Administrator -p:$pwd 'powershell -command "2+2"'
# gives 4
winrs -r:192.168.173.206 -u:lpu1 -p:$pwd 'powershell -command "2+2"'
# Gives Winrs error: Access is denied.

The configuration for my user is as follows:

(Get-Item WSMan:\localhost\Service\RootSDDL).value
# O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
(Get-PSSessionConfiguration -name Microsoft.Powershell).SecurityDescriptorSddl
# O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)

(In each security descriptor my user is given general access to the protected object.)

So what security descriptor should I set to make my winrs query work for a non-admin user?

UPD: Recently I found that I could retrieve information about winrm shells:

  winrm enumerate shell
Shell
    ShellId = 3793B153-CCCF-4500-99FB-8534074E1738
    ResourceUri = http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd

And I found no such resource URI in the WSMan:\localhost\Plugin directory. :( The documentation states:

The resource URI can be used to retrieve plug-in configuration that is specific to the shell instance.

But how do I retrieve that plugin configuration, and how do I change it?
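
An added example, not part of the original question or answers: a small PowerShell function that decodes the allow ACEs of a WinRM SDDL string, so the SIDs and generic rights granted by each descriptor can be compared side by side. The function name `Get-SddlAllowAce` is hypothetical; it relies on the .NET `RawSecurityDescriptor` class, and SID-to-account resolution only succeeds on a host that knows the accounts.

```powershell
# Added example (not from the original posts): decode the allow ACEs in an SDDL string.
function Get-SddlAllowAce {
    param(
        [Parameter(Mandatory = $true)][string]$Name,   # label for the output rows
        [Parameter(Mandatory = $true)][string]$Sddl    # SDDL string to decode
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only access-allowed ACEs decide who may connect; skip everything else.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }

        # Generic access bits behind the SDDL codes GA, GX, GW and GR.
        $rights = @()
        if ($ace.AccessMask -band 0x10000000) { $rights += 'GenericAll (GA)' }
        if ($ace.AccessMask -band 0x20000000) { $rights += 'GenericExecute (GX)' }
        if ($ace.AccessMask -band 0x40000000) { $rights += 'GenericWrite (GW)' }
        if ($ace.AccessMask -band 0x80000000) { $rights += 'GenericRead (GR)' }

        # Resolve the SID to an account name where the local host or domain can.
        try {
            $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        New-Object PSObject -Property @{
            Source  = $Name
            Sid     = $ace.SecurityIdentifier.Value
            Account = $account
            Rights  = ($rights -join ', ')
        } | Select-Object Source, Sid, Account, Rights
    }
}

# Sample input: the two SDDL strings copied from the question. On a live host,
# read them with the two commands shown in the question instead.
$samples = @{
    'RootSDDL'             = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)'
    'Microsoft.PowerShell' = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
}
$samples.GetEnumerator() |
    ForEach-Object { Get-SddlAllowAce -Name $_.Key -Sddl $_.Value } |
    Format-Table -AutoSize
```

For the two strings quoted in the question, the non-built-in allow ACE names the SID ending in 1141 in RootSDDL and the SID ending in 1149 in the Microsoft.PowerShell session configuration.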


Solution 1:

What works is

winrm configSDDL default

And then allowing read and execute rights. But the strange thing is that the settings there are the same as in WSMan:\localhost\Service\RootSDDL. It could be because winrm configSDDL reloads some cache or something, I dunno...

Solution 2:

Can you add the user using:

winrm configSDDL http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd


Solution 3:

You have to add users on the winrm server to the group "Remote Management Users".

It's that simple.