Solved

Block a Specific Snapin?

Posted on 2015-02-23
2
48 Views
Last Modified: 2015-02-27
Is anyone familiar with a way to block a specific PowerShell Snapin from being loaded?  Basically I have an Exchange 2010 script that won't run properly through an imported implicit remote session.  It will work fine if the admin tools are installed and we use the typical Connect-ExchangeServer to import the cmdlets.  The problem is this also gives the user access to Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010.  Loading the commands in this way bypasses RBAC and thus gives the operator access to commands outside their assigned RBAC roles.
0
Comment
Question by:nashiooka
2 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40626114
If the user is a local administrator on the machine there is really no way around this. When users import the modules or snapins into the session they should only be able to access cmdlets that their account has rights to. So if someone with no Exchange Admin rights when they type in the cmdlet Get-Mailbox it will error back stating that this cmdlet does not exist because they do not have permissions to it.

This happens even after the module / snapin has been imported into the session.

Will.
0
 
LVL 10

Author Comment

by:nashiooka
ID: 40626171
I appreciate your reply.  Loading the local snapin bypasses RBAC.  RBAC is not the same as ACL based permissions that may be on the underlying AD objects, but of course I don't want to test my ACL's by making inappropriate commands visible.  I view that as a violation of least privilege and an unnecessary risk.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

822 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question