Introduction
Just Enough Administration (JEA) is a PowerShell security feature built into Windows Server 2016 (and available on earlier versions through Windows Management Framework 5.1) that restricts what users can do in remote PowerShell sessions. It combines role capability files (which commands a role may run, and with which parameter values), session configurations (who receives which role, and under what identity) and transcript logging to implement least-privilege delegation: helpdesk staff connect to a constrained endpoint and run only the commands they need, typically under a transient virtual account, without holding standing administrator rights on the server.
Creating a Role Capability File
Define the commands a delegated role may run. Anything not listed is invisible in the session; a cmdlet listed by name alone is exposed with all of its parameters, so constrain parameters wherever a command could do more than the role needs:
# Role capability files are only discovered inside a RoleCapabilities folder of a module on $env:PSModulePath
$modulePath = 'C:\Program Files\WindowsPowerShell\Modules\JEAHelpers\RoleCapabilities'
New-Item -ItemType Directory -Path $modulePath -Force
# Build the file name with Join-Path (or "$modulePath\HelpDesk.psrc"); "$modulePathHelpDesk.psrc" would expand a variable named modulePathHelpDesk
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'HelpDesk.psrc') `
    -VisibleCmdlets @(
        'Restart-Service',                                               # visible with every parameter: any service on the host can be restarted
        @{Name='Set-ADAccountPassword'; Parameters=@{Name='Identity'}},  # only the Identity parameter is exposed
        'Unlock-ADAccount',
        'Get-ADUser'
    ) `
    -VisibleFunctions 'Get-ServerStatus'   # must be defined with -FunctionDefinitions or by a module imported into the session
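As an added example (not code from the original article), here is the same role built the way a practitioner would harden it: each exposed parameter is listed explicitly and constrained server-side with ValidateSet or ValidatePattern, and the password reset is wrapped in a function that enforces a policy a parameter validator cannot express (refusing protected accounts). The module name JEAHelpers, the service names Spooler and W3SVC, the account-name pattern and the Reset-HelpDeskPassword function are assumptions for illustration. Edits to a role capability file take effect in new sessions without re-registering the endpoint.

```powershell
# Added example, not from the original article. Assumed: module JEAHelpers, services
# Spooler and W3SVC, sAMAccountName pattern ^[a-z0-9.]+$, and the two function bodies.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JEAHelpers'
$rcPath     = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null

# JEA only discovers .psrc files under <module>\RoleCapabilities for modules on $env:PSModulePath,
# so give the folder a manifest and make it a real module.
New-ModuleManifest -Path (Join-Path $moduleRoot 'JEAHelpers.psd1') -Description 'JEA role capabilities'

# Weak form: the cmdlet is visible with every parameter, so the role can restart
# any service on the host, including WinRM itself or a security agent.
$weakCmdlets = @('Restart-Service')

# Hardened form: every parameter the role may pass is listed, and parameters that
# select a target are constrained. A parameter that is not listed cannot be used.
$hardenedCmdlets = @(
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
    @{ Name = 'Unlock-ADAccount'; Parameters = @{ Name = 'Identity'; ValidatePattern = '^[a-z0-9.]+$' } }
    @{ Name = 'Get-ADUser';       Parameters = @{ Name = 'Identity' }, @{ Name = 'Properties' } }
)

# A regex on -Identity only shapes the argument's syntax; it cannot say "not a privileged
# account". Policy like that belongs in a function the role sees instead of the raw cmdlet,
# so Set-ADAccountPassword is deliberately not a visible cmdlet here.
$functions = @(
    @{ Name        = 'Get-ServerStatus'
       ScriptBlock = { Get-Service -Name Spooler, W3SVC | Select-Object Name, Status } }

    @{ Name        = 'Reset-HelpDeskPassword'
       ScriptBlock = {
           param(
               [Parameter(Mandatory)][ValidatePattern('^[a-z0-9.]+$')][string]$SamAccountName,
               [Parameter(Mandatory)][securestring]$NewPassword
           )
           $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
           # adminCount=1 marks accounts protected by AdminSDHolder (members of privileged groups)
           if ($user.adminCount -eq 1) { throw "Refusing to reset a protected account: $SamAccountName" }
           Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword
           Set-ADUser -Identity $user -ChangePasswordAtLogon $true
       } }
)

New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'HelpDesk.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets $hardenedCmdlets `
    -FunctionDefinitions $functions `
    -VisibleFunctions 'Get-ServerStatus', 'Reset-HelpDeskPassword'
```

Because a virtual account is a local account on the JEA server, it reaches Active Directory as the server's computer account; for Reset-HelpDeskPassword to work, that computer account (or a group-managed service account configured with -GroupManagedServiceAccount instead of -RunAsVirtualAccount) needs the Reset Password right on the target OU, and nothing more.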
Creating a Session Configuration File
Define who can connect and what role they receive. RestrictedRemoteServer starts the session in NoLanguage mode with only a handful of default commands, and RunAsVirtualAccount runs each connection as a transient local administrator account that exists only for the life of that session, so the helpdesk user never holds the privilege directly and there is no shared credential to steal:
# The C:\JEA folder must exist before the file is written
New-PSSessionConfigurationFile -Path C:\JEA\HelpDeskSession.pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{
        # DOMAIN\group on the left; the value names the .psrc file (without extension) that group receives
        'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'HelpDesk' }
    } `
    -LanguageMode NoLanguage
# Validate the file before registering it
Test-PSSessionConfigurationFile -Path C:\JEA\HelpDeskSession.pssc
Registering the JEA Endpoint
Activate the JEA endpoint on the server. Registration restarts the WinRM service, which drops any existing remote sessions on the host, so schedule it accordingly:
Register-PSSessionConfiguration -Name 'HelpDesk' `
    -Path C:\JEA\HelpDeskSession.pssc -Force
# Confirm the endpoint exists and shows the expected RunAsVirtualAccount and Permission values
Get-PSSessionConfiguration -Name 'HelpDesk'
Connecting to and Testing JEA
Test the endpoint as a helpdesk user, from a separate client machine rather than the server itself:
$cred = Get-Credential 'CONTOSO\helpdesk01'
Enter-PSSession -ComputerName SRV01 -ConfigurationName HelpDesk -Credential $cred
# Inside the session only the role's commands are visible, plus the eight defaults every
# RestrictedRemoteServer session gets: Clear-Host, Exit-PSSession, Get-Command, Get-FormatData,
# Get-Help, Measure-Object, Out-Default and Select-Object
Get-Command
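Looking at Get-Command confirms what is visible but not what is actually blocked. The following added example (not from the original article) first previews a user's effective capabilities on the server with Get-PSSessionCapability, then probes the endpoint from a client with commands that must succeed and commands that must fail. It assumes the endpoint HelpDesk on SRV01, the account CONTOSO\helpdesk01, and a role whose Restart-Service -Name parameter is limited by a ValidateSet that excludes WinRM; drop that check if your role leaves the cmdlet unconstrained, and pick a service whose restart is harmless in your environment.

```powershell
# Added example, not from the original article. Assumed: endpoint 'HelpDesk' on SRV01,
# account CONTOSO\helpdesk01, Spooler allowed by ValidateSet, WinRM not.

# 1. On the JEA server itself (as an administrator): what would this user get? No session needed.
Get-PSSessionCapability -ConfigurationName 'HelpDesk' -Username 'CONTOSO\helpdesk01' |
    Select-Object Name, CommandType | Sort-Object CommandType, Name

# 2. From a client: open one session and probe it with commands that must work and must not.
function Test-JeaCommand {
    param(
        [Parameter(Mandatory)] [System.Management.Automation.Runspaces.PSSession]$Session,
        [Parameter(Mandatory)] [scriptblock]$Command,
        [Parameter(Mandatory)] [bool]$ExpectAllowed
    )
    $allowed = $true
    $reason  = $null
    try {
        Invoke-Command -Session $Session -ScriptBlock $Command -ErrorAction Stop | Out-Null
    }
    catch {
        $allowed = $false
        $reason  = $_.Exception.Message
    }
    [pscustomobject]@{
        Command  = $Command.ToString().Trim()
        Allowed  = $allowed
        Expected = $ExpectAllowed
        Pass     = ($allowed -eq $ExpectAllowed)
        Reason   = $reason
    }
}

$cred    = Get-Credential -UserName 'CONTOSO\helpdesk01' -Message 'Helpdesk test account'
$session = New-PSSession -ComputerName 'SRV01' -ConfigurationName 'HelpDesk' -Credential $cred

$results = @(
    Test-JeaCommand -Session $session -Command { Get-Command }                   -ExpectAllowed $true
    Test-JeaCommand -Session $session -Command { Restart-Service -Name Spooler } -ExpectAllowed $true
    Test-JeaCommand -Session $session -Command { Restart-Service -Name WinRM }   -ExpectAllowed $false  # outside the ValidateSet
    Test-JeaCommand -Session $session -Command { Get-Process }                   -ExpectAllowed $false  # not in the role
    Test-JeaCommand -Session $session -Command { whoami.exe }                    -ExpectAllowed $false  # no VisibleExternalCommands
    Test-JeaCommand -Session $session -Command { $env:COMPUTERNAME }             -ExpectAllowed $false  # NoLanguage rejects expressions
)
Remove-PSSession -Session $session

$results | Format-Table Command, Allowed, Expected, Pass, Reason -AutoSize -Wrap
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'Endpoint does not match the intended policy' }
```

Keep the negative checks: a role that accidentally lists a cmdlet without parameter constraints, or a session file registered with FullLanguage, passes every positive test and only shows up when something that should be denied succeeds.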
Reviewing JEA Transcripts
Audit all actions taken in JEA sessions. Each transcript records the connecting user, the virtual account the session ran as, and every command and bound parameter:
Get-ChildItem C:\JEA\Transcripts | Sort-Object LastWriteTime -Descending | Select-Object -First 5
Get-Content (Get-ChildItem C:\JEA\Transcripts | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName
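Reading transcripts one at a time does not scale past a few sessions. The following added example (not from the original article) parses the header and the CommandInvocation/ParameterBinding lines that Windows PowerShell 5.1 writes into JEA transcripts, and reports which sessions used sensitive commands. The transcript directory, the sensitive-command list and the embedded sample transcript are constructed for illustration; the sample follows the layout a 5.1 endpoint produces but is not a real capture.

```powershell
# Added example, not from the original article. Assumed: transcript directory C:\JEA\Transcripts,
# the $Sensitive list below, and a constructed sample transcript for offline use.

function ConvertFrom-JeaTranscript {
    param([Parameter(Mandatory)][string]$Path)

    $lines    = Get-Content -Path $Path
    $header   = @{}
    $commands = @()

    foreach ($line in $lines) {
        # Header fields written at the top of every transcript
        if ($line -match '^(Start time|Username|RunAs User|Configuration Name|Machine):\s*(.+)$') {
            $header[$Matches[1]] = $Matches[2].Trim()
        }
        # "PS>CommandInvocation(X)" is a command the user ran; ">> CommandInvocation" lines are
        # pipeline internals such as Out-Default and are deliberately not matched here
        elseif ($line -match '^PS>CommandInvocation\(([^)]+)\):') {
            $commands += [pscustomobject]@{ Command = $Matches[1]; Parameters = @() }
        }
        # Parameters bound to the most recent user command
        elseif ($line -match '^>> ParameterBinding\(([^)]+)\): name="([^"]+)"; value="([^"]*)"' -and
                $commands.Count -gt 0 -and $commands[-1].Command -eq $Matches[1]) {
            $commands[-1].Parameters += "-$($Matches[2]) $($Matches[3])"
        }
    }

    [pscustomobject]@{
        File     = Split-Path -Path $Path -Leaf
        Start    = $header['Start time']
        User     = $header['Username']
        RunAs    = $header['RunAs User']
        Endpoint = $header['Configuration Name']
        Commands = @($commands | ForEach-Object { "$($_.Command) $($_.Parameters -join ' ')".Trim() })
    }
}

function Find-SensitiveJeaSession {
    param(
        [Parameter(Mandatory)][string]$TranscriptDirectory,
        [string[]]$Sensitive = @('Set-ADAccountPassword', 'Restart-Service')
    )
    Get-ChildItem -Path $TranscriptDirectory -Recurse -Filter '*.txt' |
        ForEach-Object { ConvertFrom-JeaTranscript -Path $_.FullName } |
        Where-Object { $_.Commands | Where-Object { ($_ -split ' ')[0] -in $Sensitive } } |
        Select-Object Start, User, RunAs, Endpoint, @{ n = 'Commands'; e = { $_.Commands -join '; ' } }
}

# Constructed sample transcript so the parser can be exercised offline; it mirrors the
# field layout of a 5.1 JEA transcript but is not a real capture.
$sampleDir = Join-Path $env:TEMP 'jea-transcript-demo'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
**********************
Windows PowerShell transcript start
Start time: 20240101120000
Username: CONTOSO\helpdesk01
RunAs User: WinRM Virtual Users\WinRM VA_1_CONTOSO_helpdesk01
Configuration Name: HelpDesk
Machine: SRV01 (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 1704
PSVersion: 5.1.14393.0
**********************
PS>CommandInvocation(Get-Command): "Get-Command"
>> CommandInvocation(Out-Default): "Out-Default"
PS>CommandInvocation(Restart-Service): "Restart-Service"
>> ParameterBinding(Restart-Service): name="Name"; value="Spooler"
PS>CommandInvocation(Set-ADAccountPassword): "Set-ADAccountPassword"
>> ParameterBinding(Set-ADAccountPassword): name="Identity"; value="jdoe"
>> ParameterBinding(Set-ADAccountPassword): name="Reset"; value="True"
>> ParameterBinding(Set-ADAccountPassword): name="NewPassword"; value="System.Security.SecureString"
**********************
Windows PowerShell transcript end
End time: 20240101120530
**********************
'@ | Set-Content -Path (Join-Path $sampleDir 'PowerShell_transcript.SRV01.sample.txt')

Find-SensitiveJeaSession -TranscriptDirectory $sampleDir | Format-List
# Against the real directory: Find-SensitiveJeaSession -TranscriptDirectory 'C:\JEA\Transcripts' | Format-Table -AutoSize
```

The RunAs field is the part worth keeping in the report: the virtual account name embeds the connecting user, which is how an action performed under "WinRM VA_1_CONTOSO_helpdesk01" in other logs on the server is tied back to helpdesk01.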
Summary
JEA on Windows Server 2016 provides granular, auditable delegation of administrative tasks. By combining role capability files, session configurations, virtual accounts and transcripts, JEA lets you give helpdesk staff exactly the access they need and nothing more, enforcing least privilege at the level of individual PowerShell commands and parameters. Two points decide whether that holds in practice: constrain the parameters of every visible cmdlet rather than exposing it by name alone, and copy transcripts off the host promptly, since the virtual account that writes them is a local administrator on the server.