These different options correspond to the three parameters -VisibleCmdlets, -SessionType, and -LanguageMode of the New-PSSessionConfigurationFile cmdlet.

VisibleCmdlets ^

Restricting the visible cmdlets in sessions is the most straightforward way to restrict what users can do with PowerShell. In my previous post, I demonstrated how you can ensure that only cmdlets that begin with the Get verb are available. Even though this limits users to only retrieve information from the corresponding computer, you usually want to prevent standard users from being able to gather data that they don’t really need for their work.

Thus, a better practice is to exactly define what cmdlets are visible for a user or a group. This might cost a little more time. However, in many cases, it is pretty obvious what cmdlets a user needs.

To add a specific list of cmdlets to the session configuration that the user can work with, you can use these commands:

New-PSSessionConfigurationFile -VisibleCmdlets Get-Process,Select-Object -Path .\VisibleCmdlets.pssc
Register-PSSessionConfiguration -Path .\VisibleCmdlets.pssc -Name myEndPoint

The -VisibleCmdlets parameter expects an array as input. So don’t set the value you pass in quotes. You can then try your session configuration this way:

$mySession = New-PSSession -ConfigurationName myEndPoint
Invoke-Command -Session $mySession {Get-Process –Name Explorer}

If you try to run a cmdlet that is not in your list, you will receive an error message telling you that the cmdlet was not recognized.

The Get-ChildItem cmdlet is not available in the session

The Get-ChildItem cmdlet is not available in the session.

If you have help desk staff that just needs to run a script, you can quickly determine all cmdlets used in the script with this command:

Get-Content .\myScript.ps1 | Select-String -Pattern "\w+-\w+" | Select Matches

This lists all strings in the script text that contain a hyphen. If you want it a bit more reliable, you can run the code below. It will generate an array of the cmdlet names used in the script, which you can then pass to the -VisibleCmdlets parameter directly.

$AllCmdlets = Get-Command -CommandType Cmdlet | Select-Object -ExpandProperty Name
$myScript = Get-Content .\myScript.ps1
[Regex]$Regex = '\w+-\w+'
$PossibleCmdlets = $Regex.Matches($myScript) | Foreach-Object {$_.Value}
$CmdletsInScript = Compare-Object -ReferenceObject $AllCmdlets -DifferenceObject $PossibleCmdlets -IncludeEqual -ExcludeDifferent -PassThru
New-PSSessionConfigurationFile -VisibleCmdlets $CmdletsInScript -Path .\VisibleCmdlets.pssc
Register-PSSessionConfiguration -Path .\VisibleCmdlets.pssc -Name VisibleCmdlets

This little program compares all strings in your script that contain a hyphen with the cmdlets that the Get-Command cmdlet finds in your current session. Of course, this can only work if you didn’t use cmdlet aliases in your script. This gives you a good example of why following best practices makes sense.

It is important to note that, despite its name, the -VisibleCmdlets parameter can’t be used to make cmdlets visible that you excluded by the other methods described below. Perhaps a better name for the parameter would have been “-SoleCmdlets.” However, you can use the -VisibleCmdlets parameter to further restrict the visible cmdlets in session configurations that you constrained by other means.

SessionType ^

Another way to restrict the available cmdlets in a session is through the -SessionType parameter. The New-PSSessionConfigurationFile cmdlet knows three session types: Default, Empty, and Re