How to Configure Just Enough Administration (JEA) on Windows Server 2012 R2
Just Enough Administration (JEA) is a PowerShell-based delegated administration framework that allows you to grant granular, role-based administrative access without giving users full Administrator privileges. With JEA, you can define exactly which PowerShell commands a user can run, what parameters they can pass, and which systems they can access — all within a constrained PowerShell endpoint that runs as a highly privileged virtual account. JEA was introduced with Windows Management Framework (WMF) 5.0 and can be deployed on Windows Server 2012 R2 by installing WMF 5.1. This guide covers installing WMF 5.1, creating JEA configurations, and deploying them to servers.
Prerequisites
JEA requires Windows Management Framework 5.1, which must be installed on Windows Server 2012 R2 (it is built into Server 2016+). The server must have .NET Framework 4.5 or later installed (Server 2012 R2 ships with 4.5.1). You need local Administrator or Domain Admin rights to install WMF and configure JEA endpoints. PowerShell Remoting (WinRM) must be enabled for JEA to function. Plan your role capabilities before implementation: define each administrative function and which cmdlets and parameters it requires.
Installing Windows Management Framework 5.1
Download WMF 5.1 and install it on Server 2012 R2. WMF 5.1 for Windows Server 2012 R2 is available from the Microsoft Download Center (Win8.1AndW2K12R2-KB3191564-x64.msu):
```powershell
# Install WMF 5.1 (after downloading the MSU package)
# Run from an elevated PowerShell prompt
wusa.exe C:\Downloads\Win8.1AndW2K12R2-KB3191564-x64.msu /quiet /norestart
# After the reboot, verify the PowerShell version
$PSVersionTable.PSVersion
# Expected output:
# Major  Minor  Build  Revision
# -----  -----  -----  --------
# 5      1      14409  1018
```
Enable PowerShell Remoting if not already configured:
```powershell
Enable-PSRemoting -Force
winrm quickconfig -quiet
```
Understanding JEA Architecture
JEA is composed of two configuration files and a virtual account mechanism:
- Role Capability File (.psrc) — Defines what cmdlets, functions, providers, and external commands a role can use. One file per role.
- Session Configuration File (.pssc) — Defines the JEA endpoint: which roles apply, which virtual account to run as, language mode, and transcription settings.
- Virtual Account — JEA sessions run in the context of a local virtual account (or Group Managed Service Account) with the required privileges. The connecting user never directly gets an elevated token.
Creating a Role Capability File
Create a Role Capability file that defines what DNS administrators are permitted to do. Role capability files must be stored in a RoleCapabilities subfolder of a PowerShell module:
```powershell
# Create the module directory structure
$ModulePath = "C:\Program Files\WindowsPowerShell\Modules\JEAModules"
New-Item -ItemType Directory -Path "$ModulePath\RoleCapabilities" -Force
# Create a DNS Admin role capability file (a template with every key commented out)
New-PSRoleCapabilityFile -Path "$ModulePath\RoleCapabilities\DNSAdmin.psrc" `
    -Description "Allows DNS administration tasks"
# Overwrite the template with the role definition
$DNSRoleCap = @'
@{
    Description = 'Allows DNS administration tasks'
    # Import the module explicitly rather than relying on module autoload
    ModulesToImport = 'DnsServer'
    # Only these cmdlets are visible; where a hashtable is used, only the listed parameters may be passed
    VisibleCmdlets = @(
        'Get-DnsServer',
        'Get-DnsServerZone',
        'Get-DnsServerResourceRecord',
        'Get-DnsServerStatistics',
        'Resolve-DnsName',
        'Add-DnsServerResourceRecord',
        'Remove-DnsServerResourceRecord',
        @{Name='Set-DnsServerZone'; Parameters=@{Name='Name'},@{Name='DynamicUpdate'}},
        # Service control, restricted to the DNS service by ValidateSet
        'Get-Service',
        @{Name='Restart-Service'; Parameters=@{Name='Name'; ValidateSet='DNS'}}
    )
    # Expose only the FileSystem provider; no other providers (Registry, Certificate, ...) are visible
    VisibleProviders = @('FileSystem')
    # Note: LanguageMode is not a role capability setting; it is set in the session configuration (.pssc)
}
'@
$DNSRoleCap | Out-File "$ModulePath\RoleCapabilities\DNSAdmin.psrc" -Encoding UTF8
```
Create a more comprehensive role for IIS web server administration:
```powershell
$WebAdminRole = @'
@{
    Description = 'IIS Web Server Administration'
    ModulesToImport = 'WebAdministration'
    VisibleCmdlets = @(
        # IIS site management
        'Get-Website', 'Get-WebBinding',
        @{Name='New-Website'; Parameters=@{Name='Name'},@{Name='PhysicalPath'},@{Name='Port'}},
        @{Name='Stop-Website'; Parameters=@{Name='Name'}},
        @{Name='Start-Website'; Parameters=@{Name='Name'}},
        # Read-only configuration access
        'Get-WebConfiguration', 'Get-WebConfigurationProperty',
        # App pool management
        @{Name='New-WebAppPool'; Parameters=@{Name='Name'}},
        @{Name='Stop-WebAppPool'; Parameters=@{Name='Name'}},
        @{Name='Start-WebAppPool'; Parameters=@{Name='Name'}},
        # Application deployment
        @{Name='New-WebApplication'; Parameters=@{Name='Name'},@{Name='Site'},@{Name='PhysicalPath'}}
    )
    # JEA cannot constrain the arguments of an external executable, so expose these sparingly
    VisibleExternalCommands = @(
        'C:\Windows\System32\inetsrv\appcmd.exe'
    )
    # RestrictedRemoteServer sessions already provide Get-Command, Clear-Host and Exit-PSSession;
    # TabExpansion2 adds tab completion for the operator
    VisibleFunctions = @('TabExpansion2')
}
'@
$WebAdminRole | Out-File "$ModulePath\RoleCapabilities\WebAdmin.psrc" -Encoding UTF8
```
Creating a Session Configuration File
The session configuration file ties roles to AD groups and configures the JEA endpoint behavior:
```powershell
# Create the JEA session configuration file
New-PSSessionConfigurationFile -Path "C:\JEA\DNSAdminEndpoint.pssc" `
    -SessionType RestrictedRemoteServer `
    -TranscriptDirectory "C:\JEA\Transcripts" `
    -RunAsVirtualAccount `
    -Description "JEA endpoint for DNS administration"
# Overwrite the generated .pssc to add role mappings. A double-quoted here-string is used so the
# GUID is expanded now; $true and the gMSA '$' are escaped so they are written literally.
$Guid = [guid]::NewGuid().ToString()
$PSSCContent = @"
@{
    SchemaVersion = '2.0.0.0'
    GUID = '$Guid'
    Author = 'Security Team'
    Description = 'JEA Endpoint for DNS and Web Administration'
    SessionType = 'RestrictedRemoteServer'
    # Run all commands as a virtual account (no standing admin account needed)
    RunAsVirtualAccount = `$true
    # Optional: use a Group Managed Service Account instead of a virtual account
    # GroupManagedServiceAccount = 'DOMAIN\JEA-GMSA`$'
    # Map AD groups to role capability files (a role name resolves to <module>\RoleCapabilities\<name>.psrc)
    RoleDefinitions = @{
        'DOMAIN\DNS-Admins'   = @{RoleCapabilities = 'DNSAdmin'}
        'DOMAIN\Web-Admins'   = @{RoleCapabilities = 'WebAdmin'}
        'DOMAIN\Tier1-Admins' = @{RoleCapabilities = 'DNSAdmin','WebAdmin'}
    }
    # Record all sessions for audit
    TranscriptDirectory = 'C:\JEA\Transcripts'
    # NoLanguage disallows script blocks, variables and operators; only the visible commands can be run
    LanguageMode = 'NoLanguage'
    # Scripts to run when a session starts (none)
    ScriptsToProcess = @()
}
"@
$PSSCContent | Out-File "C:\JEA\DNSAdminEndpoint.pssc" -Encoding UTF8
```
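As an added example that is not part of the original guide, the following script validates a session configuration and every role capability file its RoleDefinitions reference before the endpoint is registered, and reports state-changing cmdlets that have no ValidateSet or ValidatePattern constraint and any exposed external executables. The function name Test-JeaConfiguration is this example's own; it assumes the file paths used above.

```powershell
function Test-JeaConfiguration {
    param(
        [Parameter(Mandatory)] [string] $SessionConfigPath,
        [string[]] $ModulePath = ($env:PSModulePath -split ';')
    )
    # Schema check of the .pssc; the cmdlet returns $false (and writes an error) if the file is invalid
    if (-not (Test-PSSessionConfigurationFile -Path $SessionConfigPath)) {
        throw "Invalid session configuration file: $SessionConfigPath"
    }
    $pssc = Import-PowerShellDataFile -Path $SessionConfigPath
    if ($pssc.LanguageMode -and $pssc.LanguageMode -ne 'NoLanguage') {
        Write-Warning "LanguageMode is '$($pssc.LanguageMode)'; a JEA endpoint should use NoLanguage"
    }
    if (-not $pssc.TranscriptDirectory) { Write-Warning 'No TranscriptDirectory set; sessions will not be recorded' }
    foreach ($group in $pssc.RoleDefinitions.Keys) {
        foreach ($role in $pssc.RoleDefinitions[$group].RoleCapabilities) {
            # A role name resolves to <module>\RoleCapabilities\<name>.psrc somewhere on PSModulePath
            $psrc = $ModulePath | Where-Object { Test-Path $_ } |
                ForEach-Object { Get-ChildItem -Path $_ -Recurse -Filter "$role.psrc" -ErrorAction SilentlyContinue } |
                Where-Object { $_.Directory.Name -eq 'RoleCapabilities' } | Select-Object -First 1
            if (-not $psrc) { Write-Warning "$group -> '$role': no RoleCapabilities\$role.psrc found"; continue }
            $cap = Import-PowerShellDataFile -Path $psrc.FullName
            foreach ($entry in $cap.VisibleCmdlets) {
                $name = if ($entry -is [hashtable]) { $entry.Name } else { [string]$entry }
                # Treat a cmdlet as constrained only if some listed parameter carries ValidateSet or ValidatePattern
                $constrained = ($entry -is [hashtable]) -and [bool](@($entry.Parameters) | Where-Object { $_.ValidateSet -or $_.ValidatePattern })
                if ((($name -split '-')[0] -in 'Add','New','Set','Remove','Stop','Restart') -and -not $constrained) {
                    [pscustomobject]@{ Group = $group; Role = $role; Command = $name
                                       Finding = 'state-changing cmdlet without ValidateSet/ValidatePattern' }
                }
            }
            foreach ($exe in $cap.VisibleExternalCommands) {
                [pscustomobject]@{ Group = $group; Role = $role; Command = $exe
                                   Finding = 'external executable: JEA cannot constrain its arguments' }
            }
        }
    }
}
Test-JeaConfiguration -SessionConfigPath 'C:\JEA\DNSAdminEndpoint.pssc' | Format-Table -AutoSize
```

Run against the files created above, it lists Add-/Remove-DnsServerResourceRecord, Set-DnsServerZone, the New-/Stop-/Start- IIS cmdlets and appcmd.exe as items to review before registration.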
Registering the JEA Endpoint
Register the session configuration to create the JEA endpoint:
```powershell
# Register the JEA endpoint (-Force suppresses the prompt; the WinRM service is restarted)
Register-PSSessionConfiguration -Name "DNSAdminJEA" `
    -Path "C:\JEA\DNSAdminEndpoint.pssc" `
    -Force
# Verify the endpoint is registered
Get-PSSessionConfiguration -Name "DNSAdminJEA" | Select-Object Name, Permission
```
Create the transcript directory with appropriate permissions:
```powershell
New-Item -ItemType Directory -Path "C:\JEA\Transcripts" -Force
# Lock down the directory: Administrators and SYSTEM get full control and inherited ACEs are
# removed, so operators (who are not local admins) cannot read or alter transcripts. The virtual
# account is a member of the local Administrators group, so it can still write them.
$Acl = Get-Acl "C:\JEA\Transcripts"
$Acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
$AdminRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "BUILTIN\Administrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$SystemRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "NT AUTHORITY\SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$Acl.AddAccessRule($AdminRule)
$Acl.AddAccessRule($SystemRule)
Set-Acl "C:\JEA\Transcripts" $Acl
```
Connecting to a JEA Endpoint
Users connect to JEA endpoints using standard PowerShell Remoting. They receive a constrained runspace with only their permitted commands:
```powershell
# Connect to the JEA endpoint (run as a non-admin user in the DNS-Admins group)
Enter-PSSession -ComputerName DNSServer01 -ConfigurationName "DNSAdminJEA"
# Verify available commands (should only show the permitted cmdlets plus the session's built-in proxies)
Get-Command
# Run a permitted operation
Get-DnsServerZone -ComputerName .
# Attempt a forbidden command; it is blocked with: The term 'Get-Process' is not recognized ...
Get-Process
```
Invoke commands non-interactively via Invoke-Command:
```powershell
Invoke-Command -ComputerName DNSServer01 -ConfigurationName "DNSAdminJEA" -ScriptBlock {
    Get-DnsServerZone
    Add-DnsServerResourceRecord -ZoneName "domain.com" -A -Name "newserver" -IPv4Address "10.0.0.50"
}
```
Reviewing JEA Transcripts
All JEA sessions are recorded to transcript files that capture every command and output:
```powershell
# List recent JEA transcripts (they are written into dated subfolders of the transcript directory,
# with file names beginning PowerShell_transcript, so search recursively)
Get-ChildItem "C:\JEA\Transcripts" -Recurse -Filter *.txt | Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime, Length | Format-Table
# View the newest transcript: the header records the connecting user, the RunAs (virtual) account
# and the configuration name, followed by every command and its output
Get-ChildItem "C:\JEA\Transcripts" -Recurse -Filter *.txt | Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 | Get-Content | Select-Object -First 50
```
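An added example, not from the original guide: a parser that turns a JEA transcript into one record per command invocation (user, RunAs account, endpoint, command and bound parameters), so an analyst can review state-changing commands across users and endpoints instead of reading raw files. The function ConvertFrom-JeaTranscript and the embedded sample transcript are constructed for this example.

```powershell
function ConvertFrom-JeaTranscript {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $hdr  = @{}               # header fields: who connected, as what, through which endpoint
    $cmds = [ordered]@{}      # invocation number -> record
    $n = 0
    foreach ($line in $Lines) {
        if ($line -match '^(Username|RunAs User|Configuration Name|Machine|Start time):\s*(.+)$') {
            $hdr[$matches[1]] = $matches[2].Trim()
        }
        elseif ($line -match 'CommandInvocation\(([^)]+)\):') {
            $n++
            $cmds[$n] = [pscustomobject]@{
                User = $hdr['Username']; RunAs = $hdr['RunAs User']; Endpoint = $hdr['Configuration Name']
                Machine = $hdr['Machine']; Start = $hdr['Start time']; Command = $matches[1]
                Parameters = @(); StateChanging = ($matches[1] -match '^(Add|New|Set|Remove|Stop|Start|Restart)-')
            }
        }
        # ParameterBinding lines follow the invocation they belong to
        elseif ($n -gt 0 -and $line -match 'ParameterBinding\([^)]+\): name="([^"]+)"; value="([^"]*)"') {
            $cmds[$n].Parameters += "-$($matches[1]) $($matches[2])"
        }
    }
    $cmds.Values
}
# Constructed sample transcript (not real data), in the layout PowerShell 5.1 writes
$Sample = @'
**********************
Windows PowerShell transcript start
Start time: 20240102093000
Username: DOMAIN\jsmith
RunAs User: WinRM Virtual Users\WinRM VA_2_DOMAIN_jsmith
Configuration Name: DNSAdminJEA
Machine: DNSServer01 (Microsoft Windows NT 6.3.9600.0)
**********************
PS>CommandInvocation(Get-DnsServerZone): "Get-DnsServerZone"
PS>CommandInvocation(Add-DnsServerResourceRecord): "Add-DnsServerResourceRecord"
>> ParameterBinding(Add-DnsServerResourceRecord): name="ZoneName"; value="domain.com"
>> ParameterBinding(Add-DnsServerResourceRecord): name="Name"; value="newserver"
>> ParameterBinding(Add-DnsServerResourceRecord): name="IPv4Address"; value="10.0.0.50"
'@ -split "`r?`n"
# Report only state-changing commands; for real files, pass (Get-Content $file) as -Lines
ConvertFrom-JeaTranscript -Lines $Sample | Where-Object StateChanging |
    Select-Object User, RunAs, Endpoint, Command, @{n='Parameters'; e={ $_.Parameters -join ' ' }} |
    Format-Table -AutoSize
```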
Verification
```powershell
# View all registered endpoints and the account each runs as
Get-PSSessionConfiguration | Select-Object Name, RunAsUser, Permission | Format-Table -AutoSize
# Validate the session configuration file (returns $true, or $false with an error)
Test-PSSessionConfigurationFile -Path "C:\JEA\DNSAdminEndpoint.pssc"
# Check which commands a specific user would receive from the endpoint, without connecting as them
Get-PSSessionCapability -ConfigurationName "DNSAdminJEA" -Username "DOMAIN\jsmith" |
    Select-Object Name, CommandType
```
Summary
JEA on Windows Server 2012 R2 (with WMF 5.1) enables the principle of least privilege for remote server administration. Instead of granting Domain Admin or local Administrator rights for specific tasks, operators receive constrained PowerShell sessions that permit only the exact cmdlets and parameters their role requires. Virtual accounts execute commands with elevated permissions without exposing admin credentials to the operator. Mandatory session transcription creates a complete audit trail. Together, JEA significantly reduces the administrative attack surface while maintaining operational capability.