Just a quick blurb on how you can determine who is connected to a PowerShell remoting endpoint that you have configured to use a RunAsAccount. An example of doing this can be found here. When someone connects to an endpoint that is using a RunAsAccount, it will delegate the credentials of the service account and that means if you do something like ‘whoami’ while running in the session, you will get back the service account’s username.
Here you can see where I connected to my remote server under the ‘prox-hyperv\proxb’ credentials, but because the endpoint is running as ‘prox-hyperv\endpointsvc’, when I call ‘whoami’, it comes back as the service account. Not that useful if we need to audit connections coming in.
Fortunately, the PowerShell team added an automatic variable called $PSSenderInfo which provides this information about who is making the connection to the endpoint. This is documented in the about_automatic_variables help file (it pays to read these ) and as shown below, we can now locate who is making the connection.
This is definitely something that you should keep in mind when creating remote endpoints for your admins to use when managing systems. This should be something that you have in your startup script that writes to an event log so you have a way of tracking connections.