Determine a User’s PowerShell Access to Exchange Online
1. Let’s start by seeing which users have remote PowerShell access. If we want to see the status for our entire organization we can use a command with this syntax:
Get-User -ResultSize Unlimited | Format-Table Name,DisplayName,RemotePowerShellEnabled
In the image below, you can see that every user is Remote PowerShell enabled. Note that the image is blurred to protect the privacy of the innocent here.
2. If you want to see only the users who have access enabled, or only those who have it disabled, then the command looks a little different:
Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq <$true | $false>}
3. Note: You have to choose one or the other, so if you want to list the users for whom it is true, you would write the command:
Get-User -ResultSize Unlimited -Filter {RemotePowerShellEnabled -eq $true}
4. To check the status of a single user, where the response returns true or false, the command looks like this:
Get-User <User Identity> | Format-List RemotePowerShellEnabled
Please note that User Identity can be either the person's name in quotes (e.g. “Phuong Nguyen”) or their email address (e.g. phuong.nguyen@example.com); the two can be used interchangeably in that position.
5. For example, this command will show the status for Phuong Nguyen:
Get-User "Phuong.Nguyen" | Format-List RemotePowerShellEnabled
How to disable remote user PowerShell access to Exchange Online
1. Now that we know the status of our users, we will want to get down to managing who has remote Shell access and who does not. First we will try disabling access for a single user:
Set-User <User Identity> -RemotePowerShellEnabled $false
2. Here is the command you would use if you wanted to disable the user phuongnguyen@example.com:
Set-User phuongnguyen@example.com -RemotePowerShellEnabled $false
3. Enabling access uses the same syntax with one small change at the end:
Set-User <User Identity> -RemotePowerShellEnabled $true
4. Depending on the size of your organization, it may not be practical to disable this user by user. If all of the users you would like to disable share a unique attribute, such as department, then you can easily disable remote Shell access using a filter with the following syntax:
<Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter> | Set-User -RemotePowerShellEnabled $false
5. If you wanted to make sure that all of the users in the accounting department do not have remote Shell access, then you might use this command:
Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Department -eq 'Accounting')} | Set-User -RemotePowerShellEnabled $false
6. What if the users you are looking to disable do not share a single, unique attribute? In a case like this, where filters are difficult to use, you can manage remote Shell access using a list in the form of a text file. The text file must be formatted so that there is one user listed on each line by email address. It should look something like this:
phuongnguyen@example.com
jsisen@example.com
jsisenvlog@example.com
Once you have a list ready then run a command with this syntax:
Get-Content <text file> | Set-User -RemotePowerShellEnabled $false
An example command would look something like this:
Get-Content "C:\Admin\DisableRemotePSList.txt" | Set-User -RemotePowerShellEnabled $false
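The list-based procedure above, extended as an added example that is not part of the original post: it cleans the file's entries, skips accounts that must keep access so administrators are not locked out, supports a -WhatIf preview, and reads each value back with Get-User. It assumes an Exchange Online PowerShell session is already connected; the function name, its parameters, the file path and the admin address are hypothetical.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# Disable-RemotePSFromList, -ListPath and -KeepEnabled are hypothetical names.
function Disable-RemotePSFromList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ListPath,   # one email address per line
        [string[]] $KeepEnabled = @()                # accounts that must keep access
    )

    if (-not (Test-Path -LiteralPath $ListPath)) {
        throw "List file not found: $ListPath"
    }

    # Trim whitespace, drop blank lines and duplicates before touching any account.
    $targets = Get-Content -LiteralPath $ListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        Sort-Object -Unique

    foreach ($id in $targets) {
        # -contains is case-insensitive, so Admin@... and admin@... both match.
        if ($KeepEnabled -contains $id) {
            Write-Warning "Skipping $id (on the keep-enabled list)"
            continue
        }

        # Resolve the identity first so a typo in the file is reported by name.
        $user = Get-User -Identity $id -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "No user found for '$id'"
            continue
        }

        if ($PSCmdlet.ShouldProcess($id, 'Disable remote PowerShell')) {
            Set-User -Identity $id -RemotePowerShellEnabled $false
            # Read the value back to confirm the change.
            Get-User -Identity $id | Select-Object Name, RemotePowerShellEnabled
        }
    }
}

# Preview only; remove -WhatIf to apply. Path and address are constructed samples.
Disable-RemotePSFromList -ListPath '.\DisableRemotePSList.txt' `
    -KeepEnabled 'admin@example.com' -WhatIf
```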
Source internet
Phương Nguyễn