says that by winrm configSDDL default one should give access to the account or group used by Ansible to allow non-administrator access to WinRM.
I understand “default” is really the default security descriptor for WinRM resources that do not have a security descriptor (at least that is what PowerShell says when I write into it).
My questions are:
Why does Ansible not work with WinRM otherwise, given that the Remote Management Users group already has access to pretty much all WinRM resources and the Ansible account is in it?
What permissions are really missing (on what resource), so that setting the default permissions must be changed and why not change those specific permissions?
Changing the default permissions seems a bit extreme.
Why does Ansible not work with WinRM otherwise, given that the Remote Management Users group already has access to pretty much all WinRM resources and the Ansible account is in it?
The winrm connection plugin uses the “default” winrm SD, which only allows members of the Administrators group access (outside of INTERACTIVE, which a network logon won’t use).
The Remote Management Users group is set on the PSRemoting WinRM endpoints, which is what the psrp connection plugin connects to, though.
What permissions are really missing (on what resource), so that setting the default permissions must be changed and why not change those specific permissions?
I’m not aware of a way to set this for the resource the winrm connection plugin connects to. There could be something available to do so but I don’t know what it is. You should consider looking into the psrp connection plugin because that does more fine-grained permissions set on the registered resource such as the Remote Management Users group.
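
A read-only check of the difference described in the answer above, as an added example that is not part of the original thread: it lists which SIDs hold an Allow ACE in the WinRM default descriptor and in each registered PSRemoting endpoint, and reports whether Remote Management Users is among them. The function names `Get-AllowAce` and `Show-Descriptor` are hypothetical, and the script assumes that the WinRM service's `RootSDDL` setting is the descriptor `winrm configSDDL default` edits.

```powershell
# Added example: run in an elevated PowerShell session on the managed Windows host.
# It only reads configuration; nothing is changed.

$RemoteMgmtUsers = 'S-1-5-32-580'   # well-known SID of BUILTIN\Remote Management Users

function Get-AllowAce {
    # Hypothetical helper: return the Allow ACEs of an SDDL string as objects.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # SID that cannot be resolved to a name
        [pscustomobject]@{
            Sid  = $sid.Value
            Name = $name
            Mask = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

function Show-Descriptor {
    # Hypothetical helper: print the Allow ACEs and whether the group is present.
    param([string]$Label, [string]$Sddl)
    if ([string]::IsNullOrEmpty($Sddl)) {
        Write-Output "$Label : no explicit security descriptor returned"
        return
    }
    $aces   = @(Get-AllowAce -Sddl $Sddl)
    $hasRmu = $aces.Sid -contains $RemoteMgmtUsers
    Write-Output "$Label : Remote Management Users allowed = $hasRmu"
    $aces | Format-Table -AutoSize | Out-String | Write-Output
}

# Default descriptor (assumption: the one `winrm configSDDL default` edits).
Show-Descriptor -Label 'WinRM RootSDDL' -Sddl (Get-Item WSMan:\localhost\Service\RootSDDL).Value

# Descriptors on the PSRemoting endpoints, which the psrp plugin connects to.
foreach ($cfg in Get-PSSessionConfiguration) {
    Show-Descriptor -Label "Endpoint $($cfg.Name)" -Sddl $cfg.SecurityDescriptorSddl
}
```

The `Mask` column matters as much as the group's presence: an ACE that grants only read access does not give the same rights as one that grants full access.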