How to Configure PowerShell Just Enough Administration (JEA) on Windows Server 2012 R2

Just Enough Administration (JEA) is a PowerShell security technology that enables role-based access to administrative functions without granting full administrator privileges. Rather than making a helpdesk technician a local administrator to restart a service, JEA creates a constrained PowerShell endpoint where the technician can run only specific commands, only with specific parameters, and only against specific resources — all while running in the context of a privileged service account that the operator never sees. On Windows Server 2012 R2 with WMF 5.0 installed, JEA is fully supported and provides a powerful layer of least-privilege enforcement.

Prerequisites

– Windows Server 2012 R2 with Windows Management Framework 5.0 installed (JEA requires WMF 5.0)
– PowerShell 5.0: verify with $PSVersionTable.PSVersion.Major -ge 5
– WinRM service running and configured
– A non-interactive service account to be used as the JEA RunAs identity
– Administrative privileges to register session configurations

Step 1: Install WMF 5.0 on Windows Server 2012 R2

Windows Server 2012 R2 ships with PowerShell 4.0. JEA requires PowerShell 5.0, delivered via WMF 5.0:

# Verify current version
$PSVersionTable.PSVersion

# Download WMF 5.0 from Microsoft Update Catalog or deploy via WSUS
# Package: Win8.1AndW2K12R2-KB3134758-x64.msu

# Install silently (requires reboot)
wusa.exe Win8.1AndW2K12R2-KB3134758-x64.msu /quiet /norestart

# After reboot, verify
$PSVersionTable.PSVersion  # Should show 5.x

Step 2: Create the JEA Service Account

JEA runs every session under a RunAs identity that the connecting user never holds: either a virtual account (a temporary local account that exists only for the lifetime of the session and needs no provisioning) or a Group Managed Service Account (gMSA). In this guide the DNS Operator endpoint uses a virtual account, which is the simpler choice for single-server scenarios, while the HelpDesk endpoint uses a gMSA, the choice for domain scenarios where the session must act against Active Directory under an identity that can be delegated and audited:

Import-Module ActiveDirectory

# Create the KDS root key used to derive gMSA passwords. Only needed once per domain;
# even with -EffectiveImmediately, gMSA creation can fail until the key has replicated
# to the other DCs (Microsoft's guidance is to allow 10 hours in production)
Add-KdsRootKey -EffectiveImmediately

# Create a Group Managed Service Account for multi-server JEA
New-ADServiceAccount -Name "svc_JEA_DNS" `
    -Description "JEA RunAs account for DNS operator role" `
    -DNSHostName "svc-jea-dns.corp.local" `
    -PrincipalsAllowedToRetrieveManagedPassword "JEA-DNS-Servers"  # AD group containing the servers

# The HelpDesk endpoint in Step 4 runs as a second gMSA, svc_JEA_HelpDesk, created the
# same way. Delegate to each gMSA only the AD rights its role needs (for example,
# password reset and unlock on the helpdesk-managed OUs), not domain-wide admin rights.

# Install the gMSA on each target server (run on the server, which must be in the group above)
Install-ADServiceAccount -Identity "svc_JEA_DNS"
Test-ADServiceAccount -Identity "svc_JEA_DNS"

Step 3: Create Role Capability Files

Role Capability files (.psrc) define what cmdlets, functions, and external commands are available in a JEA session. Create one per role:

# Create the JEA module directory. JEA looks for role capability files in the
# RoleCapabilities subfolder of a module on $env:PSModulePath, so give the folder a
# manifest to make it a valid module
$jeaModulePath = "C:\Program Files\WindowsPowerShell\Modules\JEA_DNSOperator"
New-Item -ItemType Directory -Path "$jeaModulePath\RoleCapabilities" -Force
New-ModuleManifest -Path "$jeaModulePath\JEA_DNSOperator.psd1" -Description "JEA role capabilities for DNS operators"

# Create the DNS Operator role capability
New-PSRoleCapabilityFile -Path "$jeaModulePath\RoleCapabilities\DNSOperator.psrc" `
    -Description "Allows DNS record management without full admin access" `
    -VisibleCmdlets @(
        'Get-DnsServerZone',
        'Get-DnsServerResourceRecord',
        # A records may only be created in the two listed zones, with a single-label
        # host name, and only for addresses inside 10.0.0.0/8
        @{ Name = 'Add-DnsServerResourceRecordA'; Parameters = @(
            @{ Name = 'ZoneName'; ValidateSet = 'corp.local','internal.corp.local' },
            @{ Name = 'Name'; ValidatePattern = '^[a-zA-Z0-9-]{1,63}$' },
            @{ Name = 'IPv4Address'; ValidatePattern = '^10\.\d+\.\d+\.\d+$' }
          )
        },
        @{ Name = 'Remove-DnsServerResourceRecord'; Parameters = @(
            @{ Name = 'ZoneName'; ValidateSet = 'corp.local','internal.corp.local' },
            @{ Name = 'Name' },
            @{ Name = 'RRType' }
          )
        },
        'Resolve-DnsName'
    ) `
    -VisibleExternalCommands @() `
    -VisibleFunctions @() `
    -VisibleAliases @()

# Create a Helpdesk role for user account management
$helpDeskModulePath = "C:\Program Files\WindowsPowerShell\Modules\JEA_HelpDesk"
New-Item -ItemType Directory -Path "$helpDeskModulePath\RoleCapabilities" -Force
New-ModuleManifest -Path "$helpDeskModulePath\JEA_HelpDesk.psd1" -Description "JEA role capabilities for helpdesk staff"

New-PSRoleCapabilityFile -Path "$helpDeskModulePath\RoleCapabilities\HelpDesk.psrc" `
    -Description "Helpdesk password reset and account unlock operations" `
    -VisibleCmdlets @(
        'Get-ADUser',
        'Get-ADGroupMember',
        @{ Name = 'Unlock-ADAccount'; Parameters = @(@{ Name = 'Identity' }) },
        # -Reset is a switch parameter, so listing it by name is enough; the technician
        # must always supply a new password and cannot change any other attribute
        @{ Name = 'Set-ADAccountPassword'; Parameters = @(
            @{ Name = 'Identity' },
            @{ Name = 'NewPassword' },
            @{ Name = 'Reset' }
          )
        },
        @{ Name = 'Enable-ADAccount'; Parameters = @(@{ Name = 'Identity' }) },
        'Get-ADLockedOutLocation',
        'Search-ADAccount'
    ) `
    -ModulesToImport 'ActiveDirectory'

Step 4: Create Session Configuration Files

Session Configuration files (.pssc) bind roles to AD groups and define the RunAs identity and session constraints:

# Create the folder for the .pssc files and the transcript directories first.
# Transcripts are written by the RunAs identity; restrict the ACL on the transcript
# directories so that only administrators and the RunAs identities can write to them
# and JEA users cannot tamper with their own audit trail
New-Item -ItemType Directory -Path "C:\JEA" -Force
New-Item -ItemType Directory -Path "C:\JEA\Transcripts\DNSOperator" -Force
New-Item -ItemType Directory -Path "C:\JEA\Transcripts\HelpDesk"    -Force

# DNS Operator session configuration
New-PSSessionConfigurationFile -Path "C:\JEA\DNSOperator.pssc" `
    -SessionType RestrictedRemoteServer `
    -Description "JEA endpoint for DNS Operators" `
    -RunAsVirtualAccount `
    -RoleDefinitions @{
        'CORP\DNS-Operators' = @{ RoleCapabilities = 'DNSOperator' }
    } `
    -TranscriptDirectory "C:\JEA\Transcripts\DNSOperator" `
    -LanguageMode NoLanguage

# HelpDesk session configuration using gMSA
New-PSSessionConfigurationFile -Path "C:\JEA\HelpDesk.pssc" `
    -SessionType RestrictedRemoteServer `
    -Description "JEA endpoint for HelpDesk staff" `
    -GroupManagedServiceAccount 'CORP\svc_JEA_HelpDesk$' `
    -RoleDefinitions @{
        'CORP\HelpDesk-Tier1'  = @{ RoleCapabilities = 'HelpDesk' }
        'CORP\HelpDesk-Tier2'  = @{ RoleCapabilities = 'HelpDesk' }
    } `
    -TranscriptDirectory "C:\JEA\Transcripts\HelpDesk" `
    -LanguageMode NoLanguage

Step 5: Register JEA Endpoints

Register the session configuration files as PowerShell endpoints. This makes them available for remote connections:

# Validate configuration files before registering
Test-PSSessionConfigurationFile -Path "C:\JEA\DNSOperator.pssc"
Test-PSSessionConfigurationFile -Path "C:\JEA\HelpDesk.pssc"

# Register the DNS Operator endpoint
Register-PSSessionConfiguration -Name "DNSOperator" `
    -Path "C:\JEA\DNSOperator.pssc" `
    -Force

# Register the HelpDesk endpoint
Register-PSSessionConfiguration -Name "HelpDesk" `
    -Path "C:\JEA\HelpDesk.pssc" `
    -Force

# Verify endpoints are registered; Permission should list only the groups named in RoleDefinitions
Get-PSSessionConfiguration | Select-Object Name, Permission | Format-Table -AutoSize

# Register-PSSessionConfiguration restarts WinRM itself unless -NoServiceRestart is given;
# an explicit restart is harmless and makes sure the new endpoints are live
Restart-Service WinRM

Step 6: Connect to a JEA Endpoint

Users connect to JEA endpoints using standard PowerShell remoting. They see only the commands permitted by their role:

# Connect as a helpdesk user (non-admin)
$session = New-PSSession -ComputerName "dc01.corp.local" -ConfigurationName "HelpDesk"

# See what commands are available
Invoke-Command -Session $session -ScriptBlock { Get-Command }

# Perform an allowed operation
Invoke-Command -Session $session -ScriptBlock {
    Unlock-ADAccount -Identity "jsmith"
    Write-Output "Account unlocked successfully"
}

# Attempt a forbidden operation — this will fail
Invoke-Command -Session $session -ScriptBlock {
    Get-ADDomain  # Not in the role capability — will be blocked
}

$session | Remove-PSSession

Step 7: Review JEA Transcripts and Audit

JEA automatically transcribes all sessions. Review transcripts for compliance and incident investigation:

# List recent transcripts
Get-ChildItem "C:\JEA\Transcripts\HelpDesk" | Sort-Object LastWriteTime -Descending | Select-Object -First 10

# Parse a transcript for specific user actions
Get-ChildItem "C:\JEA\Transcripts\HelpDesk" |
    ForEach-Object { Get-Content $_.FullName } |
    Where-Object { $_ -match "RunAs User|Unlock-ADAccount|Set-ADAccountPassword" } |
    Select-Object -First 50

# Example transcript entries show the connecting user, the RunAs identity and each command:
# **********************
# Windows PowerShell transcript start
# Username: CORP\hdtech01
# RunAs User: CORP\svc_JEA_HelpDesk$
# Machine: DC01.corp.local
# Host Application: C:\Windows\System32\wsmprovhost.exe
# **********************
# PS> Unlock-ADAccount -Identity jsmith
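Reading transcripts with Select-String is fine for a one-off investigation, but a recurring review needs structured data. The following is an added example, not code from the original article: it parses JEA transcript files into objects (connecting user, RunAs identity, machine, and the commands run with their bound parameters) and then reports any session whose RunAs identity differs from the one the endpoint was registered with, or that ran a command outside the role's visible cmdlets. The function names, the transcript written to $env:TEMP, and the second command in that transcript (which is not in the HelpDesk role, constructed so the allow-list check fires, as it would if someone widened the role capability later) are all made up for the demonstration.

```powershell
function ConvertFrom-JeaTranscript {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $header   = @{}
        $commands = New-Object System.Collections.Generic.List[object]
        foreach ($line in (Get-Content -LiteralPath $Path)) {
            # Header fields written at the start of every transcript
            if ($line -match '^(Username|RunAs User|Machine|Start time|End time|Host Application):\s*(.+)$') {
                $header[$Matches[1]] = $Matches[2].Trim()
                continue
            }
            # JEA records each command as "PS>CommandInvocation(Name): ..." followed by
            # ">> ParameterBinding(Name): name="Param"; value="Value"" lines
            if ($line -match '^PS>\s*CommandInvocation\(([^)]+)\)') {
                $commands.Add([pscustomobject]@{ Command = $Matches[1]; Parameters = @{} })
                continue
            }
            if ($line -match '^>>\s*ParameterBinding\(([^)]+)\):\s*name="([^"]+)";\s*value="([^"]*)"' -and $commands.Count -gt 0) {
                $commands[$commands.Count - 1].Parameters[$Matches[2]] = $Matches[3]
                continue
            }
            # Plain "PS> Name -Param value" lines, as shown in the article's excerpt
            if ($line -match '^PS>\s*([^\s(]+)(.*)$') {
                $params = @{}
                foreach ($m in [regex]::Matches($Matches[2], '-(\w+)\s+([^-\s]\S*)')) {
                    $params[$m.Groups[1].Value] = $m.Groups[2].Value
                }
                $commands.Add([pscustomobject]@{ Command = $Matches[1]; Parameters = $params })
            }
        }
        [pscustomobject]@{
            Path      = $Path
            Username  = $header['Username']
            RunAsUser = $header['RunAs User']
            Machine   = $header['Machine']
            StartTime = $header['Start time']
            EndTime   = $header['End time']
            Commands  = $commands.ToArray()
        }
    }
}

function Find-JeaTranscriptAnomaly {
    param(
        [Parameter(Mandatory)][object[]]$Transcript,
        [Parameter(Mandatory)][string[]]$AllowedCommand,    # the role's VisibleCmdlets plus JEA's built-ins
        [Parameter(Mandatory)][string]$ExpectedRunAsUser
    )
    foreach ($t in $Transcript) {
        if ($t.RunAsUser -ne $ExpectedRunAsUser) {
            [pscustomobject]@{ Path = $t.Path; User = $t.Username; Finding = "Unexpected RunAs identity '$($t.RunAsUser)'" }
        }
        foreach ($c in $t.Commands) {
            if ($AllowedCommand -notcontains $c.Command) {
                [pscustomobject]@{ Path = $t.Path; User = $t.Username; Finding = "Command outside role capability: $($c.Command)" }
            }
        }
    }
}

# Constructed sample transcript (not real data) so the functions can be run offline
$sampleDir = Join-Path $env:TEMP 'JEA_TranscriptDemo'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
**********************
Windows PowerShell transcript start
Start time: 20240101120000
Username: CORP\hdtech01
RunAs User: CORP\svc_JEA_HelpDesk$
Machine: DC01.corp.local (Microsoft Windows NT 6.3.9600.0)
Host Application: C:\Windows\System32\wsmprovhost.exe
**********************
PS>CommandInvocation(Unlock-ADAccount): "Unlock-ADAccount"
>> ParameterBinding(Unlock-ADAccount): name="Identity"; value="jsmith"
PS> Set-ADUser -Identity jsmith -Enabled $true
**********************
Windows PowerShell transcript end
End time: 20240101120500
**********************
'@ | Set-Content -Path (Join-Path $sampleDir 'PowerShell_transcript.DC01.sample.txt')

# Visible cmdlets of the HelpDesk role from Step 3, plus the commands every
# RestrictedRemoteServer session exposes
$helpDeskAllowed = 'Get-ADUser','Get-ADGroupMember','Unlock-ADAccount','Set-ADAccountPassword',
                   'Enable-ADAccount','Get-ADLockedOutLocation','Search-ADAccount',
                   'Get-Command','Get-FormatData','Select-Object','Measure-Object','Out-Default','Exit-PSSession','Clear-Host'

$parsed = Get-ChildItem $sampleDir -Filter '*.txt' | Select-Object -ExpandProperty FullName | ConvertFrom-JeaTranscript
Find-JeaTranscriptAnomaly -Transcript $parsed -AllowedCommand $helpDeskAllowed -ExpectedRunAsUser 'CORP\svc_JEA_HelpDesk$' |
    Format-Table -AutoSize
```

Point the Get-ChildItem at the real transcript directories from Step 4 and schedule the script, forwarding any finding to the SIEM; the parsed objects also give per-user and per-command counts with Group-Object, which is what an auditor usually asks for first.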

Step 8: Deploy JEA via DSC for Consistency

Use Desired State Configuration to ensure JEA endpoints are consistently deployed across all servers in the environment:

Configuration JEA_DNSOperator {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Ensure WinRM is running
        Service WinRM {
            Name        = 'WinRM'
            State       = 'Running'
            StartupType = 'Automatic'
        }

        # Copy the role capability module from the deployment share. The LCM runs as
        # SYSTEM, so the target's computer account needs read access to the share
        File JEA_DNSOperatorModule {
            Ensure          = 'Present'
            SourcePath      = '\\fileserver\JEA\JEA_DNSOperator'
            DestinationPath = 'C:\Program Files\WindowsPowerShell\Modules\JEA_DNSOperator'
            Recurse         = $true
            Type            = 'Directory'
        }

        # Copy the session configuration file that the Script resource registers
        # (the share path for the .pssc is assumed to sit beside the module share)
        File JEA_DNSOperatorPssc {
            Ensure          = 'Present'
            SourcePath      = '\\fileserver\JEA\DNSOperator.pssc'
            DestinationPath = 'C:\JEA\DNSOperator.pssc'
            Type            = 'File'
        }

        # Register the endpoint using the Script resource
        Script RegisterJEAEndpoint {
            GetScript  = { @{ Result = [string]($null -ne (Get-PSSessionConfiguration -Name 'DNSOperator' -ErrorAction SilentlyContinue)) } }
            TestScript = { $null -ne (Get-PSSessionConfiguration -Name 'DNSOperator' -ErrorAction SilentlyContinue) }
            SetScript  = {
                Register-PSSessionConfiguration -Name 'DNSOperator' `
                    -Path 'C:\JEA\DNSOperator.pssc' -Force
                Restart-Service WinRM
            }
            DependsOn  = '[File]JEA_DNSOperatorModule', '[File]JEA_DNSOperatorPssc'
        }
    }
}

Verification

# Verify endpoint security
Get-PSSessionConfiguration -Name "HelpDesk" | Format-List *

# Check who can use the endpoint
(Get-PSSessionConfiguration -Name "HelpDesk").Permission

# Confirm virtual account / gMSA assignment
(Get-PSSessionConfiguration -Name "HelpDesk").RunAsVirtualAccount
(Get-PSSessionConfiguration -Name "HelpDesk").GroupManagedServiceAccount
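The checks above confirm who may connect and which identity the session runs as, but not whether the roles themselves are still tight. The following is an added example, not code from the original article: it reads a .pssc with Import-PowerShellDataFile, resolves each role capability name to its .psrc on $env:PSModulePath the way JEA does (module folder, RoleCapabilities subfolder, name.psrc), and reports the settings a reviewer looks for first: a missing transcript directory, no RunAs identity, broad principals in RoleDefinitions, wildcard cmdlets, commands that run arbitrary code inside the session (which defeat every other constraint), parameters listed without ValidateSet or ValidatePattern, and visible external commands. The function names are made up; the demo at the end creates deliberately weak files under $env:TEMP and prepends that folder to PSModulePath, so nothing on the page's real paths is touched.

```powershell
function Find-JeaRoleCapabilityFile {
    # JEA resolves a role capability name to <module>\RoleCapabilities\<name>.psrc on PSModulePath
    param([Parameter(Mandatory)][string]$Name)
    foreach ($root in ($env:PSModulePath -split ';' | Where-Object { $_ -and (Test-Path $_) })) {
        foreach ($module in Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue) {
            $candidate = Join-Path $module.FullName "RoleCapabilities\$Name.psrc"
            if (Test-Path -LiteralPath $candidate) { Get-Item -LiteralPath $candidate }
        }
    }
}

function Get-JeaRoleCapabilityRisk {
    param([Parameter(Mandatory)][string]$Path)
    $rc   = Import-PowerShellDataFile -Path $Path
    $role = [IO.Path]::GetFileNameWithoutExtension($Path)
    # Commands that let the operator run arbitrary code inside the session
    $escapes = 'Invoke-Expression','Invoke-Command','Add-Type','New-Object','Start-Process','Start-Job'
    foreach ($entry in @($rc.VisibleCmdlets) + @($rc.VisibleFunctions)) {
        if ($null -eq $entry) { continue }
        $name = if ($entry -is [hashtable]) { $entry.Name } else { [string]$entry }
        if ($name -match '\*') {
            [pscustomobject]@{ Role = $role; Item = $name; Risk = 'Wildcard exposes every matching command' }
        }
        if ($escapes -contains $name) {
            [pscustomobject]@{ Role = $role; Item = $name; Risk = 'Allows arbitrary code execution in the session' }
        }
        if ($entry -is [hashtable]) {
            foreach ($p in @($entry.Parameters)) {
                if ($p -and -not ($p.ValidateSet -or $p.ValidatePattern)) {
                    [pscustomobject]@{ Role = $role; Item = "$name -$($p.Name)"; Risk = 'Parameter accepts any value (no ValidateSet/ValidatePattern)' }
                }
            }
        }
    }
    foreach ($cmd in @($rc.VisibleExternalCommands)) {
        if ($cmd) { [pscustomobject]@{ Role = $role; Item = $cmd; Risk = 'External command visible; its arguments are not constrained by JEA' } }
    }
}

function Get-JeaEndpointRiskReport {
    param([Parameter(Mandatory)][string]$SessionConfigurationPath)
    $sc = Import-PowerShellDataFile -Path $SessionConfigurationPath
    if ($sc.SessionType -ne 'RestrictedRemoteServer') {
        [pscustomobject]@{ Role = '(endpoint)'; Item = 'SessionType'; Risk = "Expected RestrictedRemoteServer, found '$($sc.SessionType)'" }
    }
    if (-not $sc.TranscriptDirectory) {
        [pscustomobject]@{ Role = '(endpoint)'; Item = 'TranscriptDirectory'; Risk = 'No transcript directory, so sessions are not recorded' }
    }
    if (-not $sc.RunAsVirtualAccount -and -not $sc.GroupManagedServiceAccount) {
        [pscustomobject]@{ Role = '(endpoint)'; Item = 'RunAs'; Risk = 'No virtual account or gMSA; commands run as the connecting user' }
    }
    foreach ($principal in @($sc.RoleDefinitions.Keys)) {
        if ($principal -match '(^|\\)(Everyone|Authenticated Users|Domain Users|Users)$') {
            [pscustomobject]@{ Role = $principal; Item = 'RoleDefinitions'; Risk = 'Broad principal mapped to a role' }
        }
        foreach ($cap in @($sc.RoleDefinitions[$principal].RoleCapabilities)) {
            $files = @(Find-JeaRoleCapabilityFile -Name $cap)
            if ($files.Count -eq 0) { [pscustomobject]@{ Role = $cap; Item = '(file)'; Risk = 'Role capability not found on PSModulePath' } }
            if ($files.Count -gt 1) { [pscustomobject]@{ Role = $cap; Item = '(file)'; Risk = "Name found in $($files.Count) modules; ambiguous" } }
            foreach ($f in $files) { Get-JeaRoleCapabilityRisk -Path $f.FullName }
        }
    }
}

# Demo with constructed files (role name, module name and paths are made up)
$demoRoot  = Join-Path $env:TEMP 'JEA_AuditDemo'
$moduleDir = Join-Path $demoRoot 'Modules\JEA_Demo'
New-Item -ItemType Directory -Path "$moduleDir\RoleCapabilities" -Force | Out-Null
New-PSRoleCapabilityFile -Path "$moduleDir\RoleCapabilities\DemoHelpDesk.psrc" -VisibleCmdlets @(
    'Get-ADUser',
    'Get-*',                                                                      # deliberately weak: wildcard
    @{ Name = 'Unlock-ADAccount'; Parameters = @{ Name = 'Identity' } },          # deliberately weak: no validation
    @{ Name = 'Set-ADAccountPassword'; Parameters = @{ Name = 'Identity'; ValidatePattern = '^hd-' } }
)
New-PSSessionConfigurationFile -Path "$demoRoot\DemoHelpDesk.pssc" -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -RoleDefinitions @{ 'CORP\HelpDesk-Tier1' = @{ RoleCapabilities = 'DemoHelpDesk' } }
$env:PSModulePath = "$(Join-Path $demoRoot 'Modules');$env:PSModulePath"

Get-JeaEndpointRiskReport -SessionConfigurationPath "$demoRoot\DemoHelpDesk.pssc" | Format-Table -AutoSize
```

On the demo files the report flags the missing transcript directory, the 'Get-*' wildcard and the unvalidated 'Unlock-ADAccount -Identity' parameter, while the pattern-constrained Set-ADAccountPassword entry passes. Run it against C:\JEA\HelpDesk.pssc and C:\JEA\DNSOperator.pssc on each server after every change to a role, and pair it with Get-PSSessionCapability -ConfigurationName HelpDesk -Username 'CORP\hdtech01', which shows the exact command set one user receives from a registered endpoint.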

Summary

JEA on Windows Server 2012 R2 (with WMF 5.0) enables true least-privilege administration by creating constrained PowerShell endpoints where operators run only what they need under a privileged RunAs account they never directly hold. With role capability files defining allowed cmdlets and parameters, session configuration files binding AD groups to roles, automatic transcripts for full audit trails, and DSC for consistent deployment, JEA is a cornerstone of a zero-standing-privilege administrative model in Windows environments.