Required Help in RDP Automation - powershell

Below script is to Automate RDP and I am stuck with below two points:
How to map local drive as mapped drive in RDP session(tsclient) using
powershell script/command
Example like this in RDP : drivestoredirect:s:value
RDP Automation - PowerShell Script :
cmdkey /list | ForEach-Object{if($_ -like "*target=TERMSRV/*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}
echo "Connecting to Server Name"
$Server="Server Name"
$User="Username"
$Password="Password"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f

You can't control all aspects of your connection when using mstsc.exe via command line. The information for mapping local resources in the TS session are stored in the RDP file.
If not specified, it will use the default.rdp file located in "My Documents" folder (hidden file).
If you configure the default RDP to map local resources, all subsequent connections will also have the local resources mapped... but if you change it again, it will apply to all next connections.
So a better approach will be to create one *.rdp file and use it as a template in your script:
Create Template RDP file:
Launch mstsc.exe
Configure all options as per your needs
Save the file somewhere and use it in your script (i.e C:\Temp\MyRDPtemplate.rdp)
Now, change your script in order to use this template file when connecting to a Server:
mstsc "C:\temp\MyRDPtemplate.rdp" /v:$Server
When you first connect to a Server while mapping local resources, you will receive a warning message:
If you want to avoid this message, add the following registry key before launching:
reg add "HKCU\Software\Microsoft\Terminal Server Client\LocalDevices" /v $Server /t "REG_DWORD" /d 0x4d /f
mstsc "C:\temp\MyRDPtemplate.rdp" /v:$Server
There may be a global parameter you can add to avoid this message for all Servers (like for "AuthenticationLevelOverride") but I don't know for sure.
On last word about the stored credentials... if you use cmdkey /generic:xxx, you don't need to specify the service type (TERMSRV), that's the purpose of the /generic switch. But it also works fine...
PS: Very last remark, if you want to bypass the certificate prompt (in case your server doesn't present a valid one, you should add the registry key AuthenticationLevelOverride before connecting to the Server. Also note that this key is valid for all connections.

Another choice is get a help form some 3rd-part tools for RDP.
https://github.com/VShawn/PRemoteM

Related

How to enable group policy toggle button using powershell or cmd

I am trying to automate sever setup of a windows 2019 server using userdata. I need to update the local group policy settings.
The specific group policy i want to enable is "Set time limit for disconnected sessions"
How can i enable this 'local' group policy for a vm using powershell or bash or even Regedit.
I have tried but i cant seem to get it be in an "enabled" state.
Look at this Registry Edit.
You can access this registry key in Powershell or Bash.
More information here.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 5000 /f
Try this, its the same registry key but using Powershell to set.
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name MaxDisconnectionTime -Type REG_DWORD -Value 900000
The value is in ms, this would set it to 15 minutes.
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SESSIONS_Disconnected_Timeout_2
After you run that, restart the device and the settings should be updated.
There is no way to directly configure the local group policy using PowerShell.
When configured, the GPO sets a registry key and value.
It's not bi-directional where you can set the registry key and then the GPO is configured.
You can use Microsoft's tool LGPO.exe to export the policy settings from a computer you've configured, and then use PowerShell to import those settings to your new computer.

Copy file from a Network Drive to a local Drive with a Jenkins Agent

So here is the situation, I am trying to automate the copy of some files that are in a network drive into a local folder on one of my servers. The task seems to be simple and when I try the code with PowerShell or with x copy in the command line both are working pretty great.
I've installed a Jenkins agent on this Windows server 2016 server and run the agent as a service. When I try to run the same code from the Jenkins agent, it is never working.
I tried starting the agent service as local system and as the windows network administrator who has all the right
I tried with PowerShell those lines :
Copy-Item -Path "\\server IP\directory\*" -Destination "D:\Directory\" -Verbose
and
Copy-Item -Path "z:\*" -Destination "D:\Directory\" -Verbose
Both return no error but did not copy the files, and when I tried the same code with x copy I just receive no file found and the file was not copied
xcopy "\\server IP\directory\*" "D:\Directory\" /f /s /h /y
xcopy "z:\*" "D:\Directory\" /f /s /h /y
With PowerShell, I also tried inserting the copy-file command into a script and only calling the script with the Jenkins agent, and it also didn't work
I am now running in a circle and wonder how are we supposed to work with the network drive with the Jenkins agent? Or what I am doing wrong ?
Note that other PowerShell code are working great locally.
I tried starting the agent service as local system and as the windows network administrator who has all the right
Local system doesn't have any network permissions by default. This is the machine account, so you would have to give the machine access to "\\server\share". It is not advisable though, because permissions should be granted on finer granularity. Also, local system has too many local rights, which Jenkins doesn't need.
I don't know what you mean by "Windows Network Administrator". It sounds like this one would also have too many rights.
Usually, one creates a dedicated Jenkins (domain) user. This user will be granted access to any network paths it needs. Then you have two options:
Always run Jenkins service as this user (easiest way).
Run Jenkins under another local user and connect to network drives as the domain user only on demand: net use \\server\share /user:YourDomain\Jenkins <Password>. This adds some security as you don't need to give any local permissions to the domain user.
Both return no error but did not copy the files
To improve error reporting, I suggest you set $ErrorActionPreference = 'Stop' at the beginning of your PowerShell scripts. This way the script will stop execution and show an error as soon as the first error happens. I usually wrap my PS scripts in a try/catch block to also show a script stack trace, which makes it much easier to pinpoint error locations:
$ErrorActionPreference = 'Stop' # Make the script stop at the 1st error
try {
Copy-Item -Path "\\server IP\directory\*" -Destination "D:\Directory\" -Verbose
# Possibly more commands...
# Indicate success to Jenkins
exit 0
}
catch {
Write-Host "SCRIPT ERROR: $($_.Exception)"
if( $_.ScriptStackTrace ) {
Write-Host ( "`t$($_.ScriptStackTrace)" -replace '\r?\n', "`n`t" )
}
# Indicate failure to Jenkins
exit 1
}
In this case the stack trace is not much helpful, but it will come in handy, when you call functions of other scripts, which in turn may call other scripts too.

Run a script after a Windows 10 (non-Domain) Reset to enable RDP

For the Reset function, I go to Settings > Updates and Security > Recovery > Reset this PC. So this is a choice that I make, and on that basis I want to choose for that system to run a script after the Reset - and we know that should be possible as we can create completely customised Windows installation ISOs that install apps and Features in a clean state, so can someone tell me how to do a quite simple things - to just get Windows to run a PowerShell script after that Reset?
Actually, I only want to run a couple of lines:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
i.e. This will enable RDP and allow me to connect remotely and continue the configuration without having to plug in a monitor and keyboard and mouse all just to run the above two commands. As per title, this is a non-Domain scenario so accessing the system as Domain Admin is not possible (and really a Domain should not be necessary, these are my systems on my local network).
The other reason that should make all of the above completely possible is that performing a Reset is not an absolute reset as it retains user information (my main user is still there with the password intact), so just enabling RDP would make everything possible post-Reset.
For reference, nothing in the following have helped me to achieve this goal so far:
Run a powershell script on a remote system with elevated permissions to enable remoting
https://interfacett.com/blogs/how-to-remotely-enable-and-disable-rdp-remote-desktop
The easiest way to do this is to download PStools from Microsoft and use psexec to give yourself remote access:
psexec \\machinename reg add hklm\system\currentcontrolset\control\terminal server /f /v fDenyTSConnections /t REG_DWORD /d 0
psexec \\machinename netsh firewall set service remoteadmin enable
psexec \\machinename netsh firewall set service remotedesktop enable
psexec will let you supply credentials with -u and -p

How can i delete the contents of the spool\PRINTERS directory remotely via powershell without WinRM

I need to be able to pass credentials through, which i have local administrator credential for the remote machine.
I only need to target one machine at a time, which will be manually specified in a function and the IP will be assigned as a $Global:var
I can use WMI-GetObject and stop/start the printer spool service, but cannot figure out a way to delete the remote files while passing credentials without using invoke, which doesnt work as WinRM is not enabled (and cannot be by policy)
Thank you for any help you can offer.
I have a test setup i can test as much as needed
also let me know if this would suit SuperUser more than StackOverflow
In the end i could not find a solution in powershell itself, so i defaulted to a co-located Batch file to handle the windows file operations and called the batch file from powershell with
start-process -Wait "cmd.exe" "/c c:\powershell\clearspool.bat"
batch file is below
#ECHO off
rem Set up the remote server ip
set User=administrator
set /p Server=Enter Server IP:
set /p Password=Enter Admin Password:
rem Mount the remote path
net use \\%Server%\c$\Windows\System32\spool %Password% /USER:%User%
rem Delete a file
del /S /F \\%Server%\c$\Windows\System32\spool\PRINTERS
rem Unmount the remote path
net use \\%Server%\c$\Windows\System32\spool /delete

netsh acl setting (need alternative method - registry settings?)

I am using inno-setup to install a program that needs to unblock port 4326 on Win7 (permit acl access) so that GET operations can be done over HTTP to port 4326.
I have a powershell script that an admin can run to unblock the port. But this does not work as an inno-setup [run] command (because the local machine usually disables scripts from running). (i.e powershell.exe -nowait & script.ps1)
Is there some registry keys in the target machine that I can set that will unblock the port? That I can do pretty easily in inno-setup since the setup.exe runs as an admin. I guess a self-contained EXE could do the same thing.
Here is the script that I would like to replace with just setting the registry settings in HKLM.
set-alias netsh c:\Windows\System32\netsh.exe
$PORT = 4326
$domain = $Env:userdomain
$name = $Env:username
$ErrorActionPreference = "Continue";
netsh http delete urlacl url=http://*:$PORT/
netsh http add urlacl url=http://*:$PORT/ user=$domain\$name
i think you can find firewall rules in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
suggestion :
maybe you can just export this key as .reg and import it on the other station .
Instead of using netsh, use the WinApi HttpSetServiceConfiguration instead. You can call this (and its related functions) directly from Inno's [Code] (specifically, in CurStepChanged(ssPostInstall)), given the correct prototype declaration. See the Using DLLs topic in the help file.
See running netsh.exe as a post-install in inno-setup for a continuation of this question. But I basically, jachguate's answer of running netsh.exe as a post install seems the right way to go.