Add Security Principal on Default WinRM SDDL

AddSecurityPrincipalonDefaultWinRMSDDL.ps1

<#
    .SYNOPSIS
    Add Security Principal on Default WinRM SDDL
    .EXAMPLE
    Change $user and run
    .NOTES
    Author: John Milner / jfrmilner
    Requires: Powershell V2
    Filename:
    Version: v0.1 - 2021-02 - Test Version
#>


$user = "jdoe@jfrmilner.local"

#Adding the below script should replace "winrm configSDDL default"
$GENERIC_READ = 0x80000000
$GENERIC_WRITE = 0x40000000
$GENERIC_EXECUTE = 0x20000000
$GENERIC_ALL = 0x10000000

# get SID of user/group to add
$user_sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $user).Translate([System.Security.Principal.SecurityIdentifier])

# get the existing SDDL of the WinRM listener
$sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value

# convert the SDDL string to a SecurityDescriptor object
$sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl

# apply a new DACL to the SecurityDescriptor object
$sd.DiscretionaryAcl.AddAccess(
[System.Security.AccessControl.AccessControlType]::Allow,
$user_sid,
($GENERIC_READ -bor $GENERIC_EXECUTE),
[System.Security.AccessControl.InheritanceFlags]::None,
[System.Security.AccessControl.PropagationFlags]::None
)

# get the SDDL string from the changed SecurityDescriptor object
$new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# apply the new SDDL to the WinRM listener
Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force

#Winrm configsddl default

Restart-Service WinRM
Restart-Service Winmgmt -Force

Fixed! The $sd object was empty due to stupid mistake in the user and thus $sid info.

Glad you're sorted, thanks for letting me know!