I've been trying to figure out how a few security settings in M365 tenant can be configured via Powershell.
I was looking into Privacy Management in the admin console which has a bunch of settings I required, for eg- data retention period for subject right requests.
I was not able to find anything in the Microsoft documentations, but by some hit and trial I found a command - Get-PrivacyManagementRule . Turns out it has a lot of settings I was looking for.
I'm currently not sure whether I can use this command or this will eventually be deprecated since there is literally 0 information about this command from Microsoft.
Can anyone with more info on this help me out ?
Related
I had to configure AppDynamics alerts in the past for Java applications I worked for.
I also heard of Nagios, but I am not very sure how that works.
Now, I need to configure alerts for a FlowForce Server, but I don't believe it can be integrated with AppDynamics or Nagios.
I saw FlowForce allow me to send some alerts, like when a step of a job fails, but I would like to have some server alerts, like, for instance, if the license expires and, as a result, the server is automatically shut down.
I am wondering the best way to achieve it.
I am running it on a Windows environment BTW.
Suggestions are welcome.
Thank you in advance!
I found my answer on the Flow Force online help (https://manual.altova.com/flowforceserver/flowforceserver/)
The Flow Force is deployed as two servers, which in a window env, can be started and stopped as windows services (can be found via "Control Panel">"Administrative Tools">Services). With this information, I can monitor them via NAGIOS.
I'm running a Powershell logon script which sets users' Outlook signatures.
For debugging purposes, I'd like to log information in the client's Windows event log.
Using the New-Eventlog -LogName "Application" -Source $ParentScript command gives me a security error, "Access denied".
The users don't have administrative privileges so PowerShell is struggling to create a new source. I don't really understand this because most techy guides for the Event Log appear to indicate that any level of user can write to the Application log. Perhaps any user can write to this log, just not create a source within it?
I've looked online and one author appeared to suggest (unless I have misinterpreted) that creating an event log in registry could be an option: https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/00a043ae-9ea1-4a55-8b7c-d088a4b08f09/how-do-i-create-an-event-log-source-under-vista?forum=windowsgeneraldevelopmentissues
Unfortunately the code is not in PowerShell and I'm struggling to follow it.
My three-questions-in-one therefore are:
Can I create a new EventLog source in the registry using PowerShell?
If so, what commands should I be looking at and are permissions relevant (e.g. do I need to create a registry key then add perms to it?)
If so, can I write to this source in PowerShell without administrative privileges?
You can create a new Event Log souce with with the built-in cmelt New-EventLog something like there is a nice (even if somehow dated) post here
Full documentation for the cmdlet can be found here
Generally speaking yes you, well your user, should be able to write to the event log if memory serves a non local admin user should already be able to do so but I cannot test it right now anyhow you can red more here or read on server fault
Hope this can help a bit.
I have created a gMSA like this:
New-ADServiceAccount -name Cust00000 -DNSHostName Cust00000.domain.com -PrincipalsAllowedToRetrieveManagedPassword "IIS_IUSRS" -ManagedPasswordIntervalInDays 60
And life seems to be good. However, when I run
Test-ADServiceAccount Cust00000
This is what I get:
False
WARNING: Test failed for Managed Service Account Cust00000. If standalone Managed Service Account, the account is
linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does
not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required
for the gMSA. See the MSA operational log for more information.
I checked event viewer -> Application and Services Logs -> Microsoft -> Windows -> Apps -> Microsoft-Windows-TWinUI/Operational but this does not appear to be correct. Where (and possibly what) is the MSA operational log?
EDIT: For the overall issue, I had tried Install-ADServiceAccount but it wasn't working. I gave up on that and finally got it working (for a gMSA named Domain\sirdank$) with Set-ADServiceAccount sirdank -PrincipalsAllowedToRetrieveManagedPassword "$env:computername$" I've also had luck with passing "Domain Computers" instead of "$env:computername$".
Having a similar issue right now. I think the log you are looking for is in Event Viewer under Microsoft/Windows/Security-Netlogon/Operational log; you might see some 9001/9002 events (Task Category of MSA) which might give you some color on what is happening.
Got this from a recent TechNet blog post that describes troubleshooting gMSA account creation/testing issues. Take a look, it might be relevant to your overall issue: https://blogs.technet.microsoft.com/joelvickery/cannot-install-service-account-the-provided-context-did-not-match-the-target/
Alternate link (it appears the same post was cross-posted with a different title): https://blogs.technet.microsoft.com/runcmd/the-rc4-removal-files-part-1-whats-in-an-error-message/
Ok I am attempting to transfer a manual change to powershell,
Attempting to grant IIS_IUSRS access to /LM/SmtpSvc/ and /LM/SmtpSvc/1/ nodes in the IIS Metabase.
I have googled extensively and can not find an example of what i am looking for.
I have been trying to play with
$smtp = [wmiclass]‘root\MicrosoftIISv2:IIsSmtpServerSetting'
But I am in a little over my head with WMI.
Any help would be appreciated. This setting is required for resolving
This.
Not an exact answer, but the best I have so far. Following the Guide here I chose option 1 and changed the app pool to network service. I will still work on a way to do the permissions settings with powershell.
Update (solution untested)
I found this answer on another post that details how to do it using scripts in the iis6.0 resource toolkit. To get these scripts on server 2012 you have to install the IIS6.0 resource toolkit, the only way i can find to do a silent install of this one was located here from there you can call the scripts using cscript.exe. I stuck with the changing user on the app pool option because it fits in with other things as well.
First of all, I'm not sure if this is generic to services in general, but the problem I'm having is pretty specific, it has got to do with the SageTV service component.
Since there isn't much help over at the SageTV forums regarding this specific subject, I thought maybe this was a generic issue with services and therefore worth asking here at Stackoverflow.
Here goes:
I'm running the SageTV windows service with a plugin activated which is supposed to execute external programs. When running under the Local System Account (with the "Interact with the desktop option" enabled), this works fine. For testing purposes I'm using notepad.exe as the program to execute.
Then I created a new user (let's call it mediabrowser) and changed the SageTV service so it would run as that user. When I do that, the SageTV plugin no longer executes notepad. It just does nothing, I don't get any errors or anything, it's just that nothing happens when notepad should be getting executed.
The mediabrowser user has administrative priviliges. The option to interact with the desktop is only available for the Local System Account, and I believe that normal users are always allowed to interact with the desktop anyways.
Is this a general issue with services? If so, what permissions might my mediabrowser user need in order for this to work? I'm pretty sure this is because of permission differences between my mediabrowser user and the Local System Account.
Thanks in advance ...
Uhhh OK. Now I feel like an idiot. I just launched the tast manager on the machine and I can see that there are tons of notepad.exe processes under the mediabrowser user so I guess that notepad IS being executed correctly. It's just not being shown on the desktop.
So I guess this just works :-)