The main highlight of a web console is that you can perform administrative tasks on virtually any client (though WAC currently does not support mobile devices). If you delegate these tasks to non-technical users, you save yourself the tasks of installing and updating tools on their computers. These are usually too complex for the help desk or end user anyway.
Built-in role concept ^
Here, the Windows Admin Center offers a clear advantage over traditional tools, most of which are based on the Microsoft Management Console (MMC). In addition, these tools do not allow a granular assignment of permissions.
By contrast, WAC has role-based authorization management right from the start. However, this is only available when installing WAC in gateway mode on a Windows Server.
Rights management can control both access to the gateway itself and to the managed endpoints.
Controlling access to the gateway ^
By default, only users with administrative rights can connect to the gateway. You have to add other accounts explicitly, but the direct assignment of single user accounts to roles is not possible. Rather, the tool only allows you to add local or Active Directory (AD) groups.
Admin Center provides two roles for securing the gateway, namely Gateway administrators and Gateway users. The latter cannot change any settings at the gateway and have no access to the rights management.
You assign roles to user groups in the WAC settings, accessible via the gear symbol in the upper-right corner. However, the Gateway section is only visible there if you start Admin Center from a Windows session to which you are logged on as an administrative user.
The command Gateway > Access opens a page on which you can assign rights to normal users via the + Add button under Allowed Groups. In the respective form, enter the name of the group. A search in AD is not possible, so you have to type in the name completely.
Please note that the mere name of the group is sufficient if it is located in the same domain as the gateway server. A notation according to the "domain\group" pattern is therefore not required.
In addition to selecting the role, assignment to the smart card security group can force the added users to log on using a smart card.
Roles for endpoint management ^
When granting an account access to the gateway, it does not yet have authorization for management of machines via the Admin Center. For this it needs administrative rights on every single endpoint.
By default, therefore, only those users whose accounts are members of the local Administrators group on each target computer can manage computers via WAC.
Nevertheless, Admin Center comes with three predefined roles that permit standard users to access the management endpoints. These are:
- Windows Admin Center Administrators
- Windows Admin Center Hyper-V Administrators
- Windows Admin Center Readers
Administrators can use most of the Admin Center tools and features, but the Remote Desktop and PowerShell modules remain hidden, and admins cannot open the settings for a machine.
As expected, Hyper-V administrators are limited to managing the hypervisor and virtual machines (VMs), and readers get read-only access. Because all three groups are denied remote desktop connectivity, Hyper-V admins cannot view the console of VMs in WAC.
Enabling access control and assigning roles ^
To take advantage of these user roles, you must activate role-based access control in the settings of each target computer. This action configures the respective server as an endpoint for JEA and downloads the PowerShell modules WAC requires onto the machine.
In addition, this creates three local groups whose names are identical to those of each role. To assign users or groups with the permissions of these roles, you have to add them to these newly created local groups. You can automate this task via group policies.
In larger environments, this interactive configuration of endpoints is not practical. In such a case, you should first download the entire package consisting of the JEA and Desired State Configuration (DSC) files as well as the PowerShell modules and then distribute it to the target machines via your preferred mechanism.
You can avoid the detour via the local groups by adapting the JEA files accordingly and assigning an AD group directly to the roles. This documentation describes this exact procedure.
Since Admin Center is based on Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), and PowerShell, it can take advantage of JEA to give users the rights they need to manage specific machines regardless of their originally assigned privileges.
This mechanism, however, is currently limited to three roles, thus allowing only a very rough allocation of permissions. So you cannot just delegate the management of certain VMs to Hyper-V administrators; rather, they are also able to edit or delete virtual switches (vSwitches).
The biggest shortcoming of the role-based access control in the Admin Center is that it is currently not possible to define your own roles and assign granular rights to them. In addition to the limited range of functions and the poor performance, the rudimentary rights management also considerably limits the benefits of the WAC tools.
Subscribe to 4sysops newsletter!
In my next post I will explain how to creating and configuring VMs in Windows Admin Center.