Get-PSSessionCapability

Exploring PowerShell’s Get-PSSessionCapability Cmdlet

Welcome back to Wahmans PowerShell blog! Today we are diving into a useful little cmdlet that you might not use every day, but when you need it — it’s invaluable: Get-PSSessionCapability.

What is Get-PSSessionCapability?

According to Microsoft, the description is:

Gets the capabilities of a specific user on a constrained session configuration.

In simpler terms, this cmdlet lets you check what commands, functions, providers, and more a specific user can run in a PowerShell session that has been constrained through session configurations. This is especially useful in Just Enough Administration (JEA) scenarios where fine-grained access control is implemented.

Basic Syntax

Get-PSSessionCapability -ConfigurationName <String> -Username <String>

Example 1: Checking Capabilities for a User in Default JEA Config

Let’s start simple. If you have a session configuration named MyJEAConfig and want to see what user Contoso\JSmith can do, you would use:

Get-PSSessionCapability -ConfigurationName 'MyJEAConfig' -Username 'Contoso\JSmith'

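This returns the commands (cmdlets, functions, aliases) that this particular user can run under that session configuration. Add the -Full switch to get the entire initial session state instead, including settings such as language mode and execution policy.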

Example 2: Exporting Capabilities for Review

Want to save the output for an audit or documentation? Simply pipe the output into Out-File:

Get-PSSessionCapability -ConfigurationName 'MyJEAConfig' -Username 'Contoso\JSmith' |
    Out-File -FilePath 'C:\Audit\JSmith_Capabilities.txt'

This is useful for compliance, review, or debugging sessions.

Example 3: Comparing Capabilities Between Two Users

If you are configuring roles and want to see how permissions differ between two users, you can fetch and compare them like this:

# Without -Full, the cmdlet returns the command objects themselves,
# so compare them by their Name property.
$user1 = Get-PSSessionCapability -ConfigurationName 'MyJEAConfig' -Username 'Contoso\JSmith'
$user2 = Get-PSSessionCapability -ConfigurationName 'MyJEAConfig' -Username 'Contoso\ADoe'

Compare-Object -ReferenceObject $user1.Name -DifferenceObject $user2.Name

This gives you an object-by-object comparison so you can tell which commands are available to one user and not the other.

Example 4: Advanced Role Testing Automation

Let’s say you’re managing many constrained configurations and need to ensure users only have access to intended commands. You can script this with a little automation:

$users = @('Contoso\JSmith', 'Contoso\ADoe', 'Contoso\BLee')
$config = 'MyJEAConfig'
foreach ($user in $users) {
    # Default output is the list of commands visible to this user
    $capability = Get-PSSessionCapability -ConfigurationName $config -Username $user
    # Filter the returned command objects by name
    $allowed = $capability | Where-Object { $_.Name -eq 'Restart-Service' }
    if ($null -eq $allowed) {
        Write-Warning "$user does NOT have access to Restart-Service"
    } else {
        Write-Host "$user CAN access Restart-Service"
    }
}

This loop checks whether specific users are allowed to run Restart-Service under the constrained JEA configuration and provides actionable feedback.
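
Going beyond the single-command check above, the following added example (not from the original post) compares every command each user can run against an approved baseline and reports anything outside it. The baseline and the Test-JeaBaseline helper are constructed for illustration, and the baseline assumes the configuration uses SessionType RestrictedRemoteServer, which always exposes the eight default commands listed.

```powershell
# Added example, not from the original post. Run elevated on the JEA host.
# $config and $users reuse the post's names; $approved is a constructed baseline.
$config = 'MyJEAConfig'
$users  = @('Contoso\JSmith', 'Contoso\ADoe', 'Contoso\BLee')

# Assumption: SessionType RestrictedRemoteServer, which always exposes these
# eight commands. Restart-Service is the one role command this baseline permits.
$approved = @(
    'Clear-Host', 'Exit-PSSession', 'Get-Command', 'Get-FormatData',
    'Get-Help', 'Measure-Object', 'Out-Default', 'Select-Object',
    'Restart-Service'
)

# Hypothetical helper: diff one user's visible command names against the baseline.
function Test-JeaBaseline {
    param(
        [Parameter(Mandatory)] [string] $User,
        [AllowEmptyCollection()] [string[]] $Actual = @(),
        [Parameter(Mandatory)] [string[]] $Approved
    )
    # -notin is case-insensitive, matching how PowerShell resolves command names.
    $unexpected = @($Actual   | Where-Object { $_ -notin $Approved } | Sort-Object -Unique)
    $missing    = @($Approved | Where-Object { $_ -notin $Actual }   | Sort-Object -Unique)
    [pscustomobject]@{
        User       = $User
        Compliant  = ($unexpected.Count -eq 0)   # only excess access fails the check
        Unexpected = $unexpected -join ', '
        Missing    = $missing -join ', '
    }
}

$report = foreach ($user in $users) {
    try {
        $names = @(Get-PSSessionCapability -ConfigurationName $config -Username $user -ErrorAction Stop |
            Select-Object -ExpandProperty Name)
        Test-JeaBaseline -User $user -Actual $names -Approved $approved
    } catch {
        # A user that cannot be resolved is reported, not silently skipped.
        Write-Warning "Could not resolve capabilities for ${user}: $_"
    }
}

$report | Format-Table -AutoSize
```

The check is by command name only; parameter restrictions defined in a role capability file are not evaluated.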

Wrap-Up

Get-PSSessionCapability is a nifty tool that helps you define and verify what a user can do in a restricted PowerShell environment. It shines brightest in secure enterprise setups where managing least privilege is critical.

Until next time…

Happy scripting, and I will see you in the next post!
