How To Securely Allow Regular Users To Create And Modify Active Directory Users With PowerShell JEA

Giving non-administrator users access to perform certain tasks in Active Directory can help free up administrators’ time, especially for tasks such as creating or modifying user accounts. You cannot just make a regular user a Domain Administrator, though; that is a bad idea. Instead, we can use PowerShell’s Just Enough Administration (JEA) to specify not only who has access to run these commands, but also which commands they are able to run. You can even go as far as to specify which parameters they are allowed to use and what values they can pass to those parameters.

In this video, Matt will show you how to set up a PowerShell Module with a Role Capability File using New-PSRoleCapabilityFile. He will modify this Role Capability File to specify settings such as ModulesToImport and VisibleCmdlets. Once the role capabilities have been defined, Matt will walk through using New-PSSessionConfigurationFile to create a constrained (JEA) endpoint that will define which user(s) have access to connect to the endpoint and which role capabilities they will have access to using the RoleDefinitions setting.

Prerequisites include: PowerShell 5.0+
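
The setup described above, sketched end to end as an added example (this is not the code from the video). The module name `HelpDeskJEA`, the role `ADUserManager`, the group `CONTOSO\HelpDesk`, the user `CONTOSO\alice`, the OU and the file paths are all assumptions chosen for illustration.

```powershell
# Added example. Every name, path, group and OU below is a hypothetical placeholder.
# Role capability files are discovered in a RoleCapabilities folder inside a module.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJEA'
New-Item -ItemType Directory -Path "$module\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$module\HelpDeskJEA.psd1"

# Role capability: only these cmdlets, with only these parameters and values, are visible.
$role = @{
    Path            = "$module\RoleCapabilities\ADUserManager.psrc"
    ModulesToImport = 'ActiveDirectory'
    VisibleCmdlets  = @(
        @{ Name = 'New-ADUser'; Parameters = @(
            @{ Name = 'Name' }, @{ Name = 'SamAccountName' },
            @{ Name = 'GivenName' }, @{ Name = 'Surname' },
            # New accounts can only be created in this one OU.
            @{ Name = 'Path'; ValidateSet = 'OU=Staff,DC=contoso,DC=com' }
        ) },
        @{ Name = 'Set-ADUser'; Parameters = @(
            @{ Name = 'Identity' }, @{ Name = 'Title' },
            @{ Name = 'Department'; ValidateSet = 'Sales', 'Support' }
        ) }
    )
}
New-PSRoleCapabilityFile @role

# Session configuration: maps a group to the role and locks the endpoint down.
$jeaDir = 'C:\ProgramData\JEA'
New-Item -ItemType Directory -Path "$jeaDir\Transcripts" -Force | Out-Null
$session = @{
    Path                = "$jeaDir\HelpDeskJEA.pssc"
    SessionType         = 'RestrictedRemoteServer'   # NoLanguage mode, minimal default cmdlets
    RunAsVirtualAccount = $true                      # commands do not run as the connecting user
    TranscriptDirectory = "$jeaDir\Transcripts"      # every session is recorded for review
    RoleDefinitions     = @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'ADUserManager' } }
}
New-PSSessionConfigurationFile @session

# Validate the file before registering the constrained endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $session.Path)) {
    throw 'Session configuration file failed validation.'
}
Register-PSSessionConfiguration -Name 'HelpDeskJEA' -Path $session.Path -Force

# Review what a given user would actually be allowed to run on this endpoint.
Get-PSSessionCapability -ConfigurationName 'HelpDeskJEA' -Username 'CONTOSO\alice'
```

Members of the mapped group then connect with `Enter-PSSession -ComputerName <server> -ConfigurationName HelpDeskJEA`. The rights held by the run-as account in Active Directory are the upper bound on what the endpoint can do, so keep them as narrow as the role itself.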