You may receive the following error when trying to create a remote PowerShell session:
Enter-PSSession : Connecting to remote server DC-01 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession DC-01
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (DC-01:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
The error message means that your user account does not have access to create a remote PowerShell session from system A to system B.
To allow your account to run remote PowerShell commands on system B, you must configure the proper permissions on system B.
Log in to system B and run the following command:
Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell
This command will open up the security settings for PowerShell sessions:
The account used on system A to establish the remote PowerShell session needs to have Full Control on this object to run remote PowerShell commands.
You can either assign Full Control directly to your account or add it to the Remote Management Users domain group.
Adding your user account directly to the access control list could look like this:
When this has been configured on system B you can return to system A and test again:
PS C:\Users\adm.server.joe> Enter-PSSession DC-01
[DC-01]: PS C:\Users\adm.server.joe\Documents>
As you see, this time, the remote session is established successfully, and you’re ready to fire off remote PowerShell commands.
Even Better Management
If you need to set this up for multiple systems and users, you may want to create custom domain groups for this.
Using custom domain groups (e.g., “Server01-RemotePS”) allows you to manage remote PowerShell access via AD group membership instead of adding users directly to the PowerShell session ACL.
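A scripted equivalent of the group-based setup described above, as an added example that is not from the original article: it lists the current ACL on the Microsoft.PowerShell session configuration and grants a group the same Full Control entry without opening the security descriptor UI. The domain name CONTOSO and the function names Get-EndpointAcl and Grant-EndpointAccess are assumptions; run it in an elevated session on system B.

```powershell
# Added example: audit and extend the Microsoft.PowerShell endpoint ACL from a script.
# Run elevated on system B. 'CONTOSO\Server01-RemotePS' is a placeholder group name.
$ConfigName = 'Microsoft.PowerShell'
$GenericAll = 0x10000000   # GENERIC_ALL, shown as "Full Control" in the security UI

function Get-EndpointSecurityDescriptor {
    param([string]$Name = $ConfigName)
    # Parse the endpoint's SDDL string into an object we can inspect and modify
    $sddl = (Get-PSSessionConfiguration -Name $Name).SecurityDescriptorSddl
    [System.Security.AccessControl.CommonSecurityDescriptor]::new($false, $false, $sddl)
}

function Get-EndpointAcl {
    param([string]$Name = $ConfigName)
    foreach ($ace in (Get-EndpointSecurityDescriptor -Name $Name).DiscretionaryAcl) {
        # Translate SIDs to names where possible; unresolvable SIDs stay as raw SID strings
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Principal = $who
            Type      = $ace.AceType
            Mask      = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

function Grant-EndpointAccess {
    param(
        [Parameter(Mandatory)][string]$Group,
        [string]$Name = $ConfigName
    )
    $sid = ([System.Security.Principal.NTAccount]$Group).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $sd = Get-EndpointSecurityDescriptor -Name $Name
    $sd.DiscretionaryAcl.AddAccess(
        [System.Security.AccessControl.AccessControlType]::Allow, $sid, $GenericAll,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)
    # -Force suppresses prompts and restarts WinRM, which drops active remote sessions
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Set-PSSessionConfiguration -Name $Name -SecurityDescriptorSddl $newSddl -Force
}

Get-EndpointAcl | Format-Table -AutoSize      # review who can connect before the change
Grant-EndpointAccess -Group 'CONTOSO\Server01-RemotePS'
Get-EndpointAcl | Format-Table -AutoSize      # confirm the new entry is present
```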
If you’re specifically using remote PowerShell to trigger Azure AD synchronization, you should consider using Easy365Manager instead.
Easy365Manager is a lightweight snap-in for AD Users & Computers that allows you to manage Office 365 mailboxes and licenses as part of your AD user management.
With Easy365Manager, you can trigger an Azure AD Connect synchronization directly from user properties: