Baseline-LocalInstall -win11NonDomainJoined script disabled RDP on the station - powershell

While setting up a new workstation, which is meant to be outside the company's domain, I ran the script Baseline-LocalInstall -Win11NonDomainJoined. After the script was done, I cannot turn on the Remote Desktop Protocol function. The slider stays on 'off', no matter what I do (I tried editing the GPO as well as adding a couple of REG_DWORDs), and for the life of me I cannot figure out what else to do. Has anyone, by any chance, encountered similar issues? What I've noticed is that RDP was turned off automatically while the following lines were being returned in PowerShell:
Running LGPO.exe /v /g ..\GPOs\{2C3C079A-D4FB-47BD-BF32-DE883E9AF6C4}
Applying GPO "MSFT Windows 11 - Domain Security"...
Running LGPO.exe /v /g ..\GPOs\{091755B0-6C83-48E7-A77A-E89D0C2EAF27}
Applying GPO "MSFT Windows 11 - User"...
Running LGPO.exe /v /g ..\GPOs\{80A3C624-3A13-4302-89AD-62D667966E4B}
Non-domain-joined: back out the local-account restrictions...
Running LGPO.exe /v /s ConfigFiles\DeltaForNonDomainJoined.inf /t ConfigFiles\DeltaForNonDomainJoined.txt
Any help would be appreciated!

Related

Powershell cmd which opens exe file by automatically selecting yes in the window prompt and opens the exe file [duplicate]

This may not be possible, but I'm looking to run a .ps1 powershell script from a command line, it needs to be run with Elevated privileges, without or bypassing any UAC prompts.
This is from a scripting perspective, with no user interaction. So "Run as administrator" for CMD or Powershell is not an option. There cannot be any UAC prompts to click on as these will most likely be hidden from view.
My command started off like this -
powershell.exe -executionpolicy bypass -file .\remove-default-apps.ps1
This would launch the .ps1 fine, but the script would ultimately fail, as the commands in the script require elevation (Get-AppxPackage | Remove-AppxPackage)
My next attempt was using Powershell to run the script using -
Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File MyScript.ps1' -Verb RunAs
But still this prompts for elevation.
I can replicate the errors running the script from a non-elevated cmd window manually, but running elevated it works fine.
Anyone know if this is at all possible? Or have any tips to point me in the right direction? I've tried a lot of other methods (psexec, scheduled task...) but am unable to achieve this.
This is by design. If UAC could be ignored in some method, it would kill the point of UAC. Every malicious piece of software would escalate itself without prompting, just like the wild west before UAC.
With elevation you can set other things to run elevated, whether Scheduled Tasks or otherwise. The most common thing to run these sorts of things enterprise wide is by using configuration management (SCCM, LANDesk, Puppet, Salt, etc) with an agent or to run remotely via PSRemoting/PSexec. (Note the agents have to be installed with admin rights in the first place)
As for the removing provisioned packages, that seems like a task to be done at image time. Either removing it straight from the WIM prior to deploying, removing it in a Task Sequence task after the image has been laid down while still in WinPE, or removing prior to SysPrep. I'm partial to the 2nd method, and keeping all of my imaging tasks programmatic in MDT and having as close to a default Windows image.
If you don't want the prompt, you can turn UAC off (or set to never notify etc Win8+). That can be done by Group Policy, if you are looking to do on many computers. However that would not be wise.
Disabling UAC is not a wise decision. However, it is possible to bypass it using Powershell:
if ((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
    # Token already carries BUILTIN\Administrators (SID S-1-5-32-544): this is the
    # elevated re-launch, so remove the hijack key and run the real payload.
    Remove-Item "HKCU:\software\classes\ms-settings" -Force -Recurse
    #Script that will run at high integrity
} else {
    # Not elevated yet: register a per-user handler for the ms-settings protocol,
    # then launch the auto-elevating ComputerDefaults.exe, which invokes it.
    $reg_path = "HKCU:\software\classes\ms-settings\shell\open\command"
    New-Item $reg_path -Force
    New-ItemProperty $reg_path -Name "DelegateExecute" -Value $null -Force
    Set-ItemProperty $reg_path -Name "(default)" -Value "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath" -Force
    Start-Process "ComputerDefaults.exe"
}
*This script is only for Windows 10 users who are already admins. See here for my full answer.
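As an added check (this is not part of the answer above, and not the answer's code), the following audits the UAC policy values the thread keeps coming back to and the per-user ms-settings key that the posted script relies on. It is useful both to confirm that a build no longer honours the trick and to spot leftovers of it on a machine you are examining. It reads HKCU and HKLM only, so it runs without elevation.

```powershell
# Added example, not from the original answer. Audits UAC policy and the
# per-user key abused by the ComputerDefaults.exe / ms-settings bypass above.

function Get-UacPolicy {
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $p
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $v.PromptOnSecureDesktop
        # 0 = elevate silently; this is the value the final answer on this
        # page sets temporarily. Anything other than 0 means admins are prompted.
        AutoElevateWithoutPrompt   = ($v.ConsentPromptBehaviorAdmin -eq 0)
    }
}

function Test-MsSettingsHijack {
    # HKCU:\Software\Classes\ms-settings does not normally exist. If it does, and
    # shell\open\command carries a DelegateExecute value plus a command in
    # (default), an auto-elevating binary such as ComputerDefaults.exe will run
    # that command at high integrity without a consent dialog.
    $cmdKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    if (-not (Test-Path $cmdKey)) {
        return [pscustomobject]@{ Present = $false; Command = $null; DelegateExecute = $false }
    }
    $props = Get-ItemProperty -Path $cmdKey
    [pscustomobject]@{
        Present         = $true
        Command         = $props.'(default)'
        DelegateExecute = ($null -ne $props.PSObject.Properties['DelegateExecute'])
    }
}

function Remove-MsSettingsHijack {
    # Same clean-up the posted script performs once it is running elevated.
    # Harmless if the key is absent.
    $key = 'HKCU:\Software\Classes\ms-settings'
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
}

Get-UacPolicy
Test-MsSettingsHijack
```

If Test-MsSettingsHijack reports Present = $true on a machine you did not deliberately set up this way, treat it as an indicator and collect the (default) command before calling Remove-MsSettingsHijack.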
After hitting many brick walls... I eventually solved my problem.
Found this helpful tool -
https://technet.microsoft.com/en-gb/library/d08d6a02-4d5b-4929-87ad-98f03be11898?f=255&MSPPError=-2147217396
Using this along with temporarily disabling UAC prompts via the registry allowed the PowerShell commands to run with elevation as intended.
My final script was:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
elevate %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file remove-default-apps.ps1
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
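The accepted answer's recommendation (use something that is already elevated, such as a scheduled task, rather than switching the UAC prompt off) as an added example. This is not code from either answer. It assumes a session that is elevated once (a deployment agent, SYSTEM, or an admin console) and an assumed script path and task name; later runs of the task never show a UAC dialog because the task principal, not the interactive user, performs the elevation.

```powershell
# Added example, not from the original thread. Registers a one-off scheduled
# task running as SYSTEM with the highest run level, runs it, waits, and removes it.
# $scriptPath and $taskName are assumptions for the demonstration.

$scriptPath = 'C:\Deploy\remove-default-apps.ps1'
$taskName   = 'Deploy-RemoveDefaultApps'

function Invoke-ElevatedScriptViaTask {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [int] $TimeoutSeconds = 600
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Script not found: $Path" }

    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$Path`""
    # SYSTEM with RunLevel Highest: the token is not filtered, so UAC never asks.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    $settings = New-ScheduledTaskSettingsSet `
        -ExecutionTimeLimit (New-TimeSpan -Seconds $TimeoutSeconds)

    # Registering a task for another principal is itself an admin operation,
    # which is exactly the "elevated once" the accepted answer describes.
    Register-ScheduledTask -TaskName $Name -Action $action -Principal $principal `
        -Settings $settings -Force | Out-Null
    try {
        Start-ScheduledTask -TaskName $Name
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 2
            $state = (Get-ScheduledTask -TaskName $Name).State
        } while ($state -in 'Running', 'Queued' -and (Get-Date) -lt $deadline)

        $info = Get-ScheduledTaskInfo -TaskName $Name
        [pscustomobject]@{
            State          = $state
            LastRunTime    = $info.LastRunTime
            LastTaskResult = $info.LastTaskResult   # 0 means the script exited cleanly
        }
    }
    finally {
        # Never leave a SYSTEM-level task behind for someone else to retarget.
        Unregister-ScheduledTask -TaskName $Name -Confirm:$false
    }
}

Invoke-ElevatedScriptViaTask -Path $scriptPath -Name $taskName
```

Two things to keep in mind for the Appx removal case specifically: the task runs in SYSTEM's profile, so Get-AppxPackage without -AllUsers enumerates SYSTEM's packages rather than the logged-on user's, and for new images Remove-AppxProvisionedPackage at image time, as the accepted answer suggests, is the cleaner route.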

Run a script after a Windows 10 (non-Domain) Reset to enable RDP

For the Reset function, I go to Settings > Updates and Security > Recovery > Reset this PC. So this is a choice that I make, and on that basis I want to choose for that system to run a script after the Reset - and we know that should be possible as we can create completely customised Windows installation ISOs that install apps and Features in a clean state, so can someone tell me how to do quite a simple thing - to just get Windows to run a PowerShell script after that Reset?
Actually, I only want to run a couple of lines:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
i.e. This will enable RDP and allow me to connect remotely and continue the configuration without having to plug in a monitor and keyboard and mouse all just to run the above two commands. As per title, this is a non-Domain scenario so accessing the system as Domain Admin is not possible (and really a Domain should not be necessary, these are my systems on my local network).
The other reason that should make all of the above completely possible is that performing a Reset is not an absolute reset as it retains user information (my main user is still there with the password intact), so just enabling RDP would make everything possible post-Reset.
For reference, nothing in the following have helped me to achieve this goal so far:
Run a powershell script on a remote system with elevated permissions to enable remoting
https://interfacett.com/blogs/how-to-remotely-enable-and-disable-rdp-remote-desktop
The easiest way to do this is to download PsTools from Microsoft and use psexec to give yourself remote access:
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
psexec \\machinename netsh firewall set service remoteadmin enable
psexec \\machinename netsh firewall set service remotedesktop enable
psexec will let you supply credentials with -u and -p
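An added example, not code from the question or the answer, that serves two threads on this page: the first question (the RDP slider stuck at off after the baseline's LGPO.exe import) and the question and answer just above. It wraps the question's two lines in a function that first checks whether a policy value is overriding the setting, turns on Network Level Authentication while it is at it, and then verifies the result. Run it elevated on the machine itself, for example through the psexec call in the answer.

```powershell
# Added example, not from the original posts. Enables Remote Desktop safely
# and reports why it might not take effect.

$tsControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tsPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpPolicyOverride {
    # A policy value here (from a domain GPO, or from a local policy imported with
    # LGPO.exe as in the baseline run in the first question) takes precedence over
    # the CurrentControlSet value. While it is 1 the Settings slider stays off no
    # matter what is written elsewhere. To clear it locally: gpedit.msc >
    # Computer Configuration > Administrative Templates > Windows Components >
    # Remote Desktop Services > Remote Desktop Session Host > Connections >
    # "Allow users to connect remotely by using Remote Desktop Services".
    $v = $null
    if (Test-Path $tsPolicy) {
        $v = (Get-ItemProperty -Path $tsPolicy -ErrorAction SilentlyContinue).fDenyTSConnections
    }
    [pscustomobject]@{
        PolicyValue  = $v
        PolicyDenies = ($v -eq 1)
    }
}

function Enable-RemoteDesktop {
    param([bool] $RequireNla = $true)

    $override = Get-RdpPolicyOverride
    if ($override.PolicyDenies) {
        throw "fDenyTSConnections is forced to 1 by policy at $tsPolicy; clear the policy first."
    }

    $tcp = Join-Path $tsControl 'WinStations\RDP-Tcp'
    # 0 = allow connections (the question's first line)
    Set-ItemProperty -Path $tsControl -Name fDenyTSConnections -Value 0 -Type DWord
    # 1 = require NLA, so callers authenticate before a session is created
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value ([int]$RequireNla) -Type DWord
    # The question's second line: the inbound "Remote Desktop" rule group
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    [pscustomobject]@{
        ConnectionsAllowed = (Get-ItemProperty -Path $tsControl).fDenyTSConnections -eq 0
        NlaRequired        = (Get-ItemProperty -Path $tcp).UserAuthentication -eq 1
        FirewallRulesOn    = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                               Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
        ListeningOn3389    = $null -ne (Get-NetTCPConnection -LocalPort 3389 -State Listen `
                                         -ErrorAction SilentlyContinue)
    }
}

Get-RdpPolicyOverride
Enable-RemoteDesktop
```

ListeningOn3389 can lag a few seconds behind the registry change while TermService picks it up; if it stays $false, check that the service is running before looking further.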

Running PS1 file from batch file, same folder on thumb drive

Admittedly I'm no scripter. I piece together what already works but trying to learn.
I have a script that does a lot of the manual labor for setting up a scan user for myself and our techs. Here is a small portion of it written as a batch file. At the end before the pause I want to call a PowerShell script to show what the Network type is, not to change it. At least not at this time. I did remove a lot of the extra from the file to save space. Both the batch file and the PS1 file will be in the same folder on a thumb drive.
The nettype.ps1 file just has:
get-netconnectionprofile
pause
The pause of course is so the tech can see the network type.
Hope someone has a simple solution. I did look here and other websites. I may not be using the right terminology in my search or understanding what I need done.
net user Scans Scanner1 /add
net localgroup administrators Scans /add
wmic UserAccount where Name='Scans' set PasswordExpires=False
md C:\Scans
@echo off
NET SHARE Scans=C:\Scans /Grant:Scans,Full
ICACLS "C:\Scans" /Grant Scans:(OI)(CI)(F) /t /c
ICACLS "C:\Scans" /Grant Everyone:(OI)(CI)(F) /t /c
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
PowerShell.exe -File "nettype.ps1"
pause
If that is all you have inside your powershell script, don't run it as a script, delete it and just run the command directly in your batch-file:
"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-NetConnectionProfile"
Which could probably be shortened to:
PowerShell Get-NetConnectionProfile
I found the answer, knew it would be simple.
Just had to use the following in the batch file:
powershell.exe -ExecutionPolicy Bypass -File ""%~dp0nettype.ps1""
You can change the powershell call to the following to find the ps1 file in the same directory:
powershell.exe -File "%~dp0nettype.ps1"
%~dp0 is a combination of %0 variable and ~d and ~p modifiers.
%0 is the full path to the current batch file.
~d when combined with %0 (e.g. %~d0) will get you drive letter portion (e.g. C:) from %0.
~p when combined with %0 (e.g. %~p0) will get you the path portion of %0 without the filename.
Combining them together, %~dp0, will get you the full path of the folder where current batch file is located.
You can find a complete list of these modifiers here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb490909(v=technet.10)?redirectedfrom=MSDN
One thing to note is that the %~dp0 modifier only works in batch files, not when you try to run it on the command line directly.
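The PowerShell side of the same setup, as an added example that is not part of this thread: $PSScriptRoot is the .ps1 counterpart of %~dp0 for locating files next to the script, and Get-NetConnectionProfile, which the tech only wanted displayed, is also the check worth making before the batch file's unconditional "enable Network Discovery / File and Printer Sharing" step. The sibling file name is an assumption.

```powershell
# Added example, not from the original posts. Script-relative paths plus a
# network-category check before opening discovery and sharing rules.

function Get-ScriptSibling {
    param([Parameter(Mandatory)] [string] $Name)
    # $PSScriptRoot is populated only when running from a .ps1 file; fall back
    # to the current directory when pasted into an interactive session.
    $root = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
    Join-Path $root $Name
}

function Test-DiscoverySafeToEnable {
    # One object per active connection profile. Enabling discovery and file
    # sharing on a Public profile exposes the share to an untrusted network.
    foreach ($p in Get-NetConnectionProfile) {
        [pscustomobject]@{
            Interface       = $p.InterfaceAlias
            NetworkCategory = $p.NetworkCategory   # Public, Private or DomainAuthenticated
            SafeToEnable    = ($p.NetworkCategory -ne 'Public')
        }
    }
}

function Enable-ScanShareRules {
    $profiles = @(Test-DiscoverySafeToEnable)
    if ($profiles | Where-Object { -not $_.SafeToEnable }) {
        Write-Warning 'A Public network profile is active; leaving discovery and sharing rules off.'
        return $false
    }
    foreach ($group in 'Network Discovery', 'File and Printer Sharing') {
        # Only the rules scoped to Private (or Any); the batch file's
        # "set rule group=... new enable=Yes" turns on every profile's rules.
        Get-NetFirewallRule -DisplayGroup $group |
            Where-Object { $_.Profile.ToString() -match 'Any|Private' } |
            Enable-NetFirewallRule
    }
    return $true
}

$config = Get-ScriptSibling 'scans.config'   # assumed sibling file for the demo
Write-Output "Config path: $config"
Test-DiscoverySafeToEnable | Format-Table -AutoSize
Enable-ScanShareRules
```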

How to solve CredSSP Encryption error when trying RDP

I get this error when I connect with RDP
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660
How to solve it ?
Microsoft made this bad change but I will solve it for you :-)
Run cmd as Administrator (Search for cmd and right click with the mouse to choose RUN AS ADMINISTRATOR).
You can also use powershell admin.
Copy and paste this command to run it and rate my answer if succeed :-)
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
create a text file: rd_patch.reg
Paste following content, save and double-click it.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
Solution from: https://serverfault.com/a/911645
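Added example, not from either answer: read and interpret AllowEncryptionOracle before changing it, and set it explicitly. The value 2 both answers use is the "Vulnerable" level, which lets an updated client negotiate CredSSP with a host that has not received the update the Microsoft link refers to; 1 ("Mitigated") is the level to return to once that host is patched, and 0 refuses unpatched hosts outright.

```powershell
# Added example, not from the original answers. Requires an elevated session
# for Set-CredSspOraclePolicy; Get-CredSspOraclePolicy only reads.

$credSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$oracleLevels = @{
    0 = 'Force Updated Clients (refuse unpatched hosts)'
    1 = 'Mitigated (default after the update is installed)'
    2 = 'Vulnerable (allow unpatched hosts)'
}

function Get-CredSspOraclePolicy {
    $v = $null
    if (Test-Path $credSspKey) {
        $v = (Get-ItemProperty -Path $credSspKey -Name AllowEncryptionOracle `
                -ErrorAction SilentlyContinue).AllowEncryptionOracle
    }
    $meaning = if ($null -eq $v) { 'Not set (behaves as Mitigated)' }
               elseif ($oracleLevels.ContainsKey([int]$v)) { $oracleLevels[[int]$v] }
               else { 'Unknown value' }
    [pscustomobject]@{ Value = $v; Meaning = $meaning }
}

function Set-CredSspOraclePolicy {
    param([Parameter(Mandatory)] [ValidateSet(0, 1, 2)] [int] $Level)
    # Creates the key path if it is missing, as the .reg file above does.
    if (-not (Test-Path $credSspKey)) { New-Item -Path $credSspKey -Force | Out-Null }
    Set-ItemProperty -Path $credSspKey -Name AllowEncryptionOracle -Value $Level -Type DWord
    Get-CredSspOraclePolicy
}

Get-CredSspOraclePolicy
# Temporary workaround while the remote host is unpatched:
#   Set-CredSspOraclePolicy -Level 2
# Revert once the host has been updated:
#   Set-CredSspOraclePolicy -Level 1
```

The setting is client-side: it changes what your machine is willing to accept, not the state of the server, so the durable fix is still to update the remote host and then put the value back to 1.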

How to separate lines of .bat when encrypted from powershell

I have a 10KB powershell script that I am trying to convert to a .bat. The format of the script is
1. declare constants
2. a bunch of for each child item loops involving the sending of an email and the moving of a file.
Other bat files that I have made do work.
There are 6 non-nested loops.
When the bat of each loop is run in isolation (with the declarations), everything works. When I combine 3, one group works, the other sends the email without moving the file. When all are combined, nothing works and command prompt window doesn't even pop up.
I read that the line length limit of a bat file is 127 bytes (http://support.microsoft.com/kb/69563) and I think that this is the cause of my problem. Do I need to do something in powershell to separate the lines so the bat file won't try to read it as one line?
To convert, I used the script from here (http://www.altitudeintegration.com/PowerShellToBatFile.aspx)
You can call the original PowerShell script from a batch file using
powershell.exe -ExecutionPolicy RemoteSigned -File myscript.ps1
This way you can use your script by doubleclicking on the batch file.
The ExecutionPolicy parameter can be used to allow the script to run, without altering the machine level ExecutionPolicy:
Sets the default execution policy for the current session and saves it
in the $env:PSExecutionPolicyPreference environment variable. This
parameter does not change the Windows PowerShell execution policy that
is set in the registry.
This way there is no need to convert the PowerShell scripts to batch (which may not be possible at all).
You can use powershell.exe /? from a command prompt to discover all its options.
Note that PowerShell defaults to setting the ExecutionPolicy to Restricted (RemoteSigned in Windows Server 2012 R2). Changing the machine wide policy in machine scope requires local admin rights.
Using the -ExecutionPolicy parameter on powershell.exe sets the executionpolicy for the local scope only.
See more details on ExecutionPolicy using
Get-Help about_Execution_Policies
or look here http://technet.microsoft.com/en-US/library/hh847748.aspx
You can find the PowerShell.exe executable in
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
(see: Path to Powershell.exe (v 2.0) )
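An added example, not from the answer above, showing what the -ExecutionPolicy switch actually changes and why RemoteSigned treats a downloaded script differently from one written locally: the policy is a per-scope setting, and "downloaded" means the file carries a Zone.Identifier alternate data stream. The demo file is created in %TEMP% by the block itself.

```powershell
# Added example, not from the original answer. Lists execution-policy scopes
# and inspects the Zone.Identifier stream that RemoteSigned keys off.

function Get-ExecutionPolicyScopes {
    # The effective policy is the first scope in precedence order that is not
    # Undefined; powershell.exe -ExecutionPolicy sets only the Process scope.
    $table = [ordered]@{}
    foreach ($e in Get-ExecutionPolicy -List) {
        $table[$e.Scope.ToString()] = $e.ExecutionPolicy.ToString()
    }
    $table['Effective'] = (Get-ExecutionPolicy).ToString()
    $table
}

function Get-ScriptZone {
    param([Parameter(Mandatory)] [string] $Path)
    # Browsers and mail clients tag saved files with ZoneId=3 (Internet) or
    # 4 (Restricted). RemoteSigned requires a signature only for those files.
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zone = $null
    foreach ($line in @($ads)) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1]; break }
    }
    [pscustomobject]@{
        Path                  = $Path
        ZoneId                = $zone
        BlockedByRemoteSigned = ($null -ne $zone -and $zone -ge 3)
    }
}

# Demonstration on a locally written file, then the same file marked as downloaded.
$demo = Join-Path $env:TEMP 'zone-demo.ps1'
Set-Content -LiteralPath $demo -Value 'Write-Output "hello"'
Get-ScriptZone $demo                                   # no ZoneId, not blocked
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-ScriptZone $demo                                   # ZoneId 3, blocked under RemoteSigned
Unblock-File -LiteralPath $demo                        # removes the stream
Get-ScriptZone $demo
Get-ExecutionPolicyScopes
```

The point for the batch-file wrapper: -ExecutionPolicy Bypass on the command line is a per-process convenience, not a security control, and a script copied from a thumb drive or a share never carries the Internet zone mark in the first place.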
This is not the entire answer to your question, but I specifically wanted to address your 127-byte assertion. That may have been true for 16-bit DOS, but cmd.exe has no such limitation.
test case:
@echo off
setlocal
set "longline=############################################################################################################################################################################################################################################################################################################"
call :length %longline% len
echo longline is %len% bytes
:: end main script
goto :EOF
:length <string> <var_to_set>
setlocal enabledelayedexpansion
set "str=%~1"
for /l %%I in (1,1,1000) do (
if "!str!"=="!str:~-%%I!" (
endlocal && set "%~2=%%I"
goto :EOF
)
)
output:
longline is 300 bytes
Did you originally script or code the bat file?
If not, can you pull that file out of backup?
I know we used to encode our KiX Scripts, so you should have the magic decoder ring as it were. Personally, I would be very careful in encoding your scripts unless they include login credentials. Other than that, I would leave them as raw text.
Thanks!