How to Configure Windows Server 2016 Just Enough Administration
Just Enough Administration (JEA) is a PowerShell security technology in Windows Server 2016 that enables role-based access control for administrative tasks. JEA allows you to grant specific users limited administrative capabilities without giving them full administrator rights. A JEA endpoint defines exactly which PowerShell commands a user can run, what parameters they can use, and which scripts they can execute — all while running under a virtual administrator account rather than the user’s own credentials.
Key Concepts
- JEA Endpoint: A PowerShell session configuration file (.pssc) that defines the session environment.
- Role Capability File: A PowerShell file (.psrc) that defines which commands a role can execute.
- Virtual Account: A temporary local admin account created for each JEA session; the connecting user never knows its credentials.
- Transcription: JEA logs all commands executed in a session for auditing.
Step 1: Create a Role Capability File
Role Capability files define what commands are available in a JEA session. Create a directory for capabilities and generate a template:
$moduleDir = "C:\Program Files\WindowsPowerShell\Modules\JEAOperations"
# JEA discovers role capability files in the RoleCapabilities subfolder of any module on $env:PSModulePath
New-Item -Path "$moduleDir\RoleCapabilities" -ItemType Directory -Force
New-PSRoleCapabilityFile -Path "$moduleDir\RoleCapabilities\DnsOps.psrc"
Edit the .psrc file to define allowed commands. Example for DNS operators:
@{
    GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
    Author = 'IT Admin'
    Description = 'DNS Operator Role'
    ModulesToImport = @('DnsServer')
    VisibleCmdlets = @(
        'Get-DnsServerZone',
        'Get-DnsServerResourceRecord',
        # When a Parameters entry is given, only the listed parameters are usable in the session,
        # so every parameter the operator needs (not just ZoneName) must be listed here.
        # ValidateSet rejects any -ZoneName value outside the two zones.
        @{ Name = 'Add-DnsServerResourceRecord'; Parameters = @{ Name = 'ZoneName'; ValidateSet = 'corp.local', 'test.local' } },
        @{ Name = 'Remove-DnsServerResourceRecord'; Parameters = @{ Name = 'ZoneName'; ValidateSet = 'corp.local', 'test.local' } }
    )
    # A visible function must exist in the session (via FunctionDefinitions in this file or an imported module)
    VisibleFunctions = @('Restart-DnsServer')
    # No external executables are exposed to the role
    VisibleExternalCommands = @()
}
Step 2: Create a Session Configuration File
The session configuration file defines the JEA endpoint and maps AD groups to role capabilities:
# The target directory must exist before the .pssc can be written
New-Item -Path "C:\JEA" -ItemType Directory -Force
New-PSSessionConfigurationFile -Path "C:\JEA\DnsAdmins.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "C:\JEA\Transcripts" `
    -RoleDefinitions @{
        # Members of this AD group receive the DnsOps role capability
        'CORP\DNS-Operators' = @{ RoleCapabilities = 'DnsOps' }
    }
Step 3: Validate the Session Configuration File
Test-PSSessionConfigurationFile -Path "C:\JEA\DnsAdmins.pssc"
Step 4: Register the JEA Endpoint
Register-PSSessionConfiguration -Path "C:\JEA\DnsAdmins.pssc" `
    -Name "DnsJEA" `
    -Force
Restart WinRM to activate the endpoint:
Restart-Service WinRM
Verify the endpoint is registered:
Get-PSSessionConfiguration -Name "DnsJEA"
Step 5: Connect to a JEA Endpoint
Users connect to JEA endpoints using Enter-PSSession or Invoke-Command:
Enter-PSSession -ComputerName "DNSServer01" -ConfigurationName "DnsJEA"
Once connected, users can only run the commands defined in their role capability. View available commands:
Get-Command
Step 6: Configure Transcript Logging
Ensure the transcript directory exists and that only administrators can read or modify its contents:
New-Item -Path "C:\JEA\Transcripts" -ItemType Directory -Force
$acl = Get-Acl "C:\JEA\Transcripts"
# Disable inheritance and drop inherited entries so the explicit rule below is the only one
$acl.SetAccessRuleProtection($true, $false)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "Allow")
$acl.AddAccessRule($rule)
Set-Acl "C:\JEA\Transcripts" $acl
A transcript is written automatically for every session opened on the endpoint. View the most recent transcripts:
Get-ChildItem "C:\JEA\Transcripts" | Sort-Object LastWriteTime -Descending | Select-Object -First 10
Get-Content "C:\JEA\Transcripts\PSTranscript_20261001_140000.txt"
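Reviewing transcripts one file at a time does not scale. The following is an added example, not code from the original article, that summarises every transcript in the Step 6 directory: the connecting user, the virtual account that ran the session, and which commands were invoked. The sample transcript it writes is constructed to mirror the header fields PowerShell records for a JEA session, and the watch list of commands is an assumption for the demo.

```powershell
# Added example, not part of the original article: summarise every JEA transcript in the
# directory from Step 6 (who connected, which virtual account ran it, which commands ran).
function Get-JeaTranscriptSummary {
    param(
        [Parameter(Mandatory)] [string] $TranscriptDirectory,
        # Commands whose appearance should be reviewed; the list is an assumption for this demo
        [string[]] $WatchCommands = @('Remove-DnsServerResourceRecord')
    )
    Get-ChildItem -Path $TranscriptDirectory -Filter 'PSTranscript_*.txt' -File | ForEach-Object {
        $text = Get-Content -Path $_.FullName -Raw
        # Header fields are written once at the top of each transcript
        $field = { param($name) [regex]::Match($text, '(?m)^' + $name + ':\s*(.+)$').Groups[1].Value.Trim() }
        # Every command the user ran is logged as: CommandInvocation(<Name>): "<Name>"
        $commands = @([regex]::Matches($text, 'CommandInvocation\(([^)]+)\)') | ForEach-Object { $_.Groups[1].Value })
        [pscustomobject]@{
            Transcript    = $_.Name
            User          = & $field 'Username'
            RunAsUser     = & $field 'RunAs User'
            Configuration = & $field 'Configuration Name'
            CommandCount  = $commands.Count
            WatchedHits   = @($commands | Where-Object { $_ -in $WatchCommands })
        }
    }
}

# Constructed sample transcript in the shape PowerShell writes for a JEA session
$sampleDir = Join-Path $env:TEMP 'JeaTranscriptDemo'
New-Item -Path $sampleDir -ItemType Directory -Force | Out-Null
@'
**********************
Windows PowerShell transcript start
Start time: 20261001140000
Username: CORP\alice
RunAs User: WinRM Virtual Users\WinRM VA_1_CORP_alice
Configuration Name: DnsJEA
Machine: DNSSERVER01 (Microsoft Windows NT 10.0.14393.0)
**********************
PS>CommandInvocation(Get-DnsServerZone): "Get-DnsServerZone"
PS>CommandInvocation(Remove-DnsServerResourceRecord): "Remove-DnsServerResourceRecord"
>> ParameterBinding(Remove-DnsServerResourceRecord): name="ZoneName"; value="corp.local"
'@ | Set-Content -Path (Join-Path $sampleDir 'PSTranscript_20261001_140000.txt')

# Expected: User CORP\alice, RunAsUser the virtual account, CommandCount 2, one watched hit
Get-JeaTranscriptSummary -TranscriptDirectory $sampleDir | Format-List
```

Point the function at C:\JEA\Transcripts on the server to run it over real sessions; the RunAsUser column confirms the session ran under the virtual account rather than the user's own credentials.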
Step 7: Restrict JEA to Specific Domain Groups
Update the session configuration to add multiple role definitions:
Set-PSSessionConfiguration -Name "DnsJEA" -RoleDefinitions @{
    'CORP\DNS-Operators'  = @{ RoleCapabilities = 'DnsOps' }
    # A group can receive more than one role capability; NetworkOps must exist as its own .psrc
    'CORP\Network-Admins' = @{ RoleCapabilities = 'DnsOps', 'NetworkOps' }
} -Force
Step 8: Unregister a JEA Endpoint
Unregister-PSSessionConfiguration -Name "DnsJEA" -Force
Restart-Service WinRM
Step 9: Update a JEA Endpoint
To modify an existing JEA endpoint (e.g., add a new role), update the session configuration file and re-register:
Unregister-PSSessionConfiguration -Name "DnsJEA" -Force
Register-PSSessionConfiguration -Path "C:\JEA\DnsAdmins_v2.pssc" -Name "DnsJEA" -Force
Restart-Service WinRM
Test the updated endpoint by connecting and verifying available commands:
$session = New-PSSession -ComputerName "DNSServer01" -ConfigurationName "DnsJEA"
Invoke-Command -Session $session -ScriptBlock {Get-Command | Measure-Object}
Remove-PSSession $session
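Counting commands in a live session tells you little about whether the endpoint exposes the right set. The following is an added example, not code from the original article, that audits the endpoint from the server with Get-PSSessionCapability, which resolves a named user's group membership against the .pssc role definitions without opening a session. The expected allow-list is taken from DnsOps.psrc in Step 1; the account name CORP\alice and the forbidden-command list are assumptions for the demo.

```powershell
# Added example, not part of the original article: audit what a given principal would get from
# the DnsJEA endpoint without opening a session. Run elevated on the server that hosts the endpoint.
# 'CORP\alice' is an assumed account name.
function Test-JeaEndpointCapability {
    param(
        [Parameter(Mandatory)] [string]   $ConfigurationName,
        [Parameter(Mandatory)] [string]   $Username,
        [Parameter(Mandatory)] [string[]] $ExpectedCommands,
        # Commands that must never surface in a JEA session; the list is an assumption for this demo
        [string[]] $ForbiddenCommands = @('Invoke-Expression', 'Start-Process', 'New-LocalUser', 'Add-LocalGroupMember')
    )
    # Built-in helpers every RestrictedRemoteServer session exposes regardless of role
    $builtIn = @('Clear-Host', 'Exit-PSSession', 'Get-Command', 'Get-FormatData',
                 'Get-Help', 'Measure-Object', 'Out-Default', 'Select-Object')
    $visible = @(Get-PSSessionCapability -ConfigurationName $ConfigurationName -Username $Username |
                 Select-Object -ExpandProperty Name -Unique)
    [pscustomobject]@{
        Username      = $Username
        Configuration = $ConfigurationName
        VisibleCount  = $visible.Count
        # Role commands the user should see but does not: wrong group mapping or missing module
        Missing       = @($ExpectedCommands | Where-Object { $_ -notin $visible })
        # Anything outside the role and the built-ins: review the .psrc before going live
        Unexpected    = @($visible | Where-Object { $_ -notin $ExpectedCommands -and $_ -notin $builtIn })
        ForbiddenSeen = @($visible | Where-Object { $_ -in $ForbiddenCommands })
    }
}

# Expected allow-list taken from DnsOps.psrc in Step 1
$dnsOpsCommands = @('Get-DnsServerZone', 'Get-DnsServerResourceRecord',
                    'Add-DnsServerResourceRecord', 'Remove-DnsServerResourceRecord', 'Restart-DnsServer')
$result = Test-JeaEndpointCapability -ConfigurationName 'DnsJEA' -Username 'CORP\alice' -ExpectedCommands $dnsOpsCommands
$result | Format-List
if ($result.ForbiddenSeen.Count -gt 0 -or $result.Unexpected.Count -gt 0) {
    Write-Warning "Endpoint DnsJEA exposes commands outside the DnsOps role; review the role capability file"
}
```

Run the check again for a member of each group in the role definitions after any .pssc or .psrc change, since a re-registered endpoint silently picks up whatever the new files grant.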
Summary
Just Enough Administration dramatically reduces the attack surface for administrative actions by granting users only the specific PowerShell commands they need to do their job, under a virtual account that never exposes permanent admin credentials. Combined with transcript logging and AD group-based role mapping, JEA provides both least-privilege security and the audit trail needed for compliance and forensic investigation.