Skip to main content

Enable PowerShell V2 Remote Management via Group Policy

By

One of PowerShell V2’s strongest assets is its remote management capability.  When you enable remote management, a few actions are taken.

 

  • Enables the WinRM service
  • Starts the WinRM service.
  • Set’s the WinRM Service to start automaticlly.
  • A modification is made to the Windows Firewall to permit incoming WinRM connections.  (Outgoing connections are allowed by default.)
  • Windows PowerShell is registered as a WinRM endpoint.  Both the 32 and 64 bit versions are registered.  This allows the WinRM service to be able to send and received back commands and information to applications on your remote clients.
  • You will be prompted (if manually doing this) to confirm your decision.  This is because this action has an impact level of “high".

 

You can manually enable PowerShell Remoting by opening a PowerShell session with local administrative rights and entering the cmdlet Enable-PSRemoting.  You will be prompted to confirm your choice and the cmdlet will execute the necessary actions.  You can see a screen shot below.

image

 

 

This requires you to visit each client that you want to run PowerShell remoting on.  The easier and more effective way of doing this in the enterprise with Group Policy.

 

Open up Group Policy Management.

Expand your Forest / Domains / DomainName

Right Click Group Policy Object and click New.

Provide a name for this GPO. For this demonstration, I named mine PSRemoteSetup.

Right click your GPO and click Edit.

Expand Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Remote Management (WinRM) / WinRM Service.

Open Allow automatic configuration of listeners
- Set this policy to Enable
- Enter * in IPv4 filter:
- Enter * in IPv6 filter:
- Click OK

Expand Computer Configuration / Policies / Windows Settings / Security Settings / Windows Firewall with Advanced Security / Windows Firewall with Advanced Security
- Right click Inbound Rules and select New Rule.
- Select Predefined.
- In the drop down box, select Windows Remote Management
- Click Next
- Check only Windows Remote Management (HTTP-In)
- Click Next.
- Select Allow the connection.
- Click Finish

If this policy is going to be applied to only Windows Server 2008 servers, exit Group Policy Management Editor.  If this policy is going to be applied to Windows Vista or Windows 7 clients, we need to enable one more Group Policy.

Expand Computer Configuration / Policies / Windows Settings / Security Settings / System Services

Double click Windows Remote Management (WS-Management)

Check Define this policy setting

Select Automatic

Click OK

Exit Group Policy Management Editor.

 

Now link this GPO to the OUs that contain the computer objects that you want to remotely manage with PowerShell.

Labels:

Comments

Post a Comment

Popular posts from this blog

How to list all the AD LDS instances on a server

By
AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory.  To list all the AD LDS instances on a server, follow this procedure: Log into the server in question Open a command prompt. Type dsdbutil and press Enter Type List Instances and press Enter . You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.
Post a Comment
Read more

How to run GPResult on a remote client with PowerShell

By
In the past, to run the GPResult command, you would need to either physically visit this client, have the user do it, or use and RDP connection.  In all cases, this will disrupt the user.  First, you need PowerShell remoting enabled on the target machine.  You can do this via Group Policy . Open PowerShell and type this command. Invoke-Command –ScriptBlock {GPResult /r} –ComputerName <ComputerName> Replace <ComputerName> with the name of the target.  Remember, the target needs to be online and accessible to you.
Post a Comment
Read more

Where did a User’s Account Get Locked Out?

By
Updated: May 15, 2015 When this article was originally published, two extra carriage returns were add causing the code to malfunction.  The code below is correct.   My client for this week’s PowerShell class had a really interesting question. They needed to know where an account is being locked out at. OK, interesting. Apparently users hop around clients and forget to log off, leading to eventual lock out of their accounts. The accounts can be unlocked, but are then relocked after Active Directory replication. This problem is solved in two parts. The first one is to modify the event auditing on the network. The second part is resolved with PowerShell. The first part involves creating a group policy that will encompass your Domain Controllers. In this GPO, make these changes. Expand Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Advanced Audit Policy Configuration \ Audit Policies \ Account Management Double click User Account Management C...
18 comments
Read more