For connecting to services (such as WinRM), it’s often possible to manipulate the service ACL rather than the user’s privileges. For example, adding a user to the Microsoft.PowerShell security descriptor with the “Full Control” permission will enable access to the WinRM service, regardless of the permissions explicitly assigned to the user.

# Note that the below PowerShell command will pull up a GUI ACL
# configuration dialog
#
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

The advantage to manipulating user privileges and service ACLs directly is that it’s less obvious that a user is back-doored.