Just enough Administration & RDS

The Problem?

Microsoft RDS has limitations when delegating access, in fact there is no built-in access delegation whatsoever!

The solution? Powershell!

A Just enough Administration (JEA) endpoint, also known as a Constrained Powershell Endpoint.

I’ve created a powershell app to list and logoff users I also created a simple tool in powershell to connect to connection brokers and search users. All without delegating users access to any RDS servers.

  1. Connection broker/Endpoint connection
  2. Collection field, used to search and filter. Multiple collections can be selected at once
  3. Wildcard search field, can be blank (list all users)
  4. User information & selection are
  5. Press to logoff all selected users

How does this work? Constrained Powershell Endpoint.

The endpoint is restricted to only access List collection, list users and subsequently force logoff users. The endpoint configuration to only accept users from a certain AD group.

To configure endpoint, run the following code on all connection brokers. The script is somewhat generalized for easy adaptability. The main parts are in the parameters where we configure who can run, using which account and also what cmdlet are available in the constrained session.

The frontend application code is not posted in the blog.

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.