Solved

Block a Specific Snapin?

Posted on 2015-02-23
Last Modified: 2015-02-27
Is anyone familiar with a way to block a specific PowerShell Snapin from being loaded?  Basically I have an Exchange 2010 script that won't run properly through an imported implicit remote session.  It will work fine if the admin tools are installed and we use the typical Connect-ExchangeServer to import the cmdlets.  The problem is this also gives the user access to Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010.  Loading the commands in this way bypasses RBAC and thus gives the operator access to commands outside their assigned RBAC roles.
Question by:nashiooka
2 Comments

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40626114
If the user is a local administrator on the machine there is really no way around this. When users import the modules or snapins into the session they should only be able to access cmdlets that their account has rights to. So if someone with no Exchange Admin rights types in the cmdlet Get-Mailbox, it will error back stating that this cmdlet does not exist because they do not have permissions to it.

This happens even after the module / snapin has been imported into the session.

Will.

Author Comment

by:nashiooka
ID: 40626171
I appreciate your reply. Loading the local snapin bypasses RBAC. RBAC is not the same as ACL based permissions that may be on the underlying AD objects, but of course I don't want to test my ACLs by making inappropriate commands visible. I view that as a violation of least privilege and an unnecessary risk.
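An added example, not part of the original thread: a guard for operator scripts that reports whether the Exchange cmdlets in the current session come from the locally loaded snap-in named in the question or from an implicit remoting session, and stops in the first case. The function names, the use of `Get-Mailbox` as a probe, and the function-versus-cmdlet heuristic are assumptions; the guard detects the condition and does not stop a local administrator from loading the snap-in.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Written for PowerShell 2.0 (Exchange 2010 era): no [pscustomobject].
function Get-ExchangeCmdletOrigin {
    param(
        [string]$SnapinName   = 'Microsoft.Exchange.Management.PowerShell.E2010',
        [string]$ProbeCommand = 'Get-Mailbox'   # assumption: any Exchange cmdlet works as a probe
    )

    # Is the snap-in installed on this machine, and is it loaded in this session?
    $registered = @(Get-PSSnapin -Registered -Name $SnapinName -ErrorAction SilentlyContinue).Count -gt 0
    $loaded     = @(Get-PSSnapin -Name $SnapinName -ErrorAction SilentlyContinue).Count -gt 0

    # Heuristic (assumption): implicit remoting exposes proxy functions from a
    # temporary module, while the local snap-in exposes compiled cmdlets.
    $origin = 'NotAvailable'
    $cmd = Get-Command -Name $ProbeCommand -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cmd) {
        switch ($cmd.CommandType.ToString()) {
            'Function' { $origin = 'ImplicitRemoting' }
            'Cmdlet'   { $origin = 'LocalSnapin' }
            default    { $origin = $_ }
        }
    }

    New-Object PSObject -Property @{
        SnapinRegistered = $registered
        SnapinLoaded     = $loaded
        ProbeOrigin      = $origin
    }
}

function Assert-ExchangeRbacSession {
    $state = Get-ExchangeCmdletOrigin
    if ($state.SnapinLoaded -or $state.ProbeOrigin -eq 'LocalSnapin') {
        throw "Exchange snap-in is loaded locally; cmdlets in this session are not limited by RBAC."
    }
    if ($state.SnapinRegistered) {
        Write-Warning "Exchange snap-in is registered on this machine and could be loaded with Add-PSSnapin."
    }
    $state
}

# Call at the top of an operator script, before any Exchange cmdlet runs.
Assert-ExchangeRbacSession
```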
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
This video discusses moving either the default database or any database to a new volume.

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

5 Experts available now in Live!

Get 1:1 Help Now