I'm looking for a way to script the whole IIS configuration through PowerShell and I've already done most of it. The problem I'm facing right now is how to set 'IP Address Restrictions' for Management Service in IIS.
I know there is a simple way to do it for a domain or a site but my goal is to limit the number of IP's being able to deploy to IIS.
Including screenshot for clarification:
IIS Management Service
Following #BruceZhang advice, I've firstly set up the required value using the UI, then looked up the registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server\RemoteRestrictions' and found out the encrypted value for my ip address. From now on setting it up was only a matter of changing the value for this key in the registry through PowerShell script. It works fine, thanks!
Stop-Service -Name "WMSVC"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WebManagement\Server" -Name "RemoteRestrictions" -Value /wEZAgAAAAEAAABnAgAAABkBAAAAAAAAABkDAAAAAQAAAC4EA8ADqAMdAx0CAAAALgQD/wP/A/8D/wMAAAB
Start-Service -Name "WMSVC"
Related
I have an existing IIS web app with windows authentication enabled. When I run this command, to set bindings, Windows authentication fails and I have to manually disable and re-enable windows authentication for it to work.
import-module WebAdministration
Set-ItemProperty "IIS:\Sites\Test\My" -name bindings -value (#{protocol="https";bindingInformation="*:443:my.test.com";sslFlags=1},#{protocol="net.tcp";bindingInformation="808:my.test.com"})
I have tried setting windows authentication with powershell but had no effect.
Set-WebConfigurationProperty -filter /system.WebServer/security/authentication/WindowsAuthentication -name enabled -value true -PSPath "IIS:\Sites\TestMy"
Any suggestions?
The cause of the issue may be that we haven’t bound a certificate to the specific port yet.
After specifying an Https binding, please bind a certificate to that port.
Netsh http add sslcert ipport=1.1.1.1:443
certhash=0102030405060708090A0B0C0D0E0F1011121314
appid={00112233-4455-6677-8899-AABBCCDDEEFF}
https://learn.microsoft.com/en-us/windows/win32/http/add-sslcert
This is commonly finished by the IIS. Without this procedure, the website could work improperly over https binding. You could try to set up an HTTP binding on the website in order to rule this point out.
Feel free to let me know if the problem persists.
I am trying to create my website through powershell by using the following command
New-Website -Name 'mytestapp' -force -Port 8080 -HostHeader mytestsite -PhysicalPath 'C:\Users\myuser\Desktop\Docker\PublishOutput' -ApplicationPool '.NET v4.5'
I also set the hostheader and indeed I can see in IIS the relative binding. Unfortunately when I navigate to the website nothing happens, because in the host file in C:\Windows\System32\drivers\etc there is no mapping between 127.0.0.1 and mytestsite , which I would expect to happen from the creation of the site itself. How do I do this in a smart way through powershell? I don't want a command to modify a text file, I would expect there is some powershell command IIS related that does this for me.
I am trying to remove / uncheck the Msmq Message and Journal Quota limitation in 2008 R2 via the Powershell script.
I've got the following script working on my machine (Windows 10). But it's not working on any of our server at all (which are 2008 R2 servers). It does not show any error too.
#Set the value for unchecked (hex or decima)
Set-ItemProperty -Path HKLM:\Software\Microsoft\MSMQ\Parameters\MachineCache -Name MachineQuota -Value 4294967295
Set-ItemProperty -Path HKLM:\Software\Microsoft\MSMQ\Parameters\MachineCache -Name MachineJournalQuota -Value 4294967295
#IMP-Restart the MSMQ services for changes to take effect
Get-Service MSMQ | Restart-Service -Force
I tried to manually change the value in the Registry with Regedit tool. But whenever I restarted the MSMQ (Message Queuing) service, it always change it back to the original value '1048576'
I tried to execute Octopus deployment which runs the script with 'Local System Account', but still no luck and it does not remove the Storage limits and shows no error.
Do you have to be an administrator or highest role to remove it?
Could you please suggest me how I could remove that limitation via Powershell?
I can manually set MachineQuota and MachineJournalQuota through Computer Management without a problem and restarting MSMQ leaves them unchanged.
If you are getting 'Access Denied' then check the permissions on the MachineCache key. On my Windows 10 machine, Full Control is given to SYSTEM, Administrators and MSMQ. So running a script under the local system account should work. Maybe your permissions are different for some reason.
I am currently building a Hyper-V lab consisting of a DC and multiple networked VMs, using Windows Server 2016. I'd like to completely disable the windows firewall for all existing and newly created VMs.
The best way that I've found to do this so far is via Group Policy for the Domain Profile. Then set Windows Firewall: Protect all network connections to disabled. What I would like to do is to have a way of scripting this out (using Powershell if possible).
I've found that by performing the above steps in the GUI, it creates a few entries in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\WindowsFirewall\DomainProfile
In each of those entries, there is a property called EnableFirewall which is set to 0. So I tried creating all of this using Powershell like this:
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft" -name WindowsFirewall
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall" -name DomainProfile
New-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -name EnableFirewall -value 0 -PropertyType DWord -Force
Unfortunately it doesn't seem to be working, so there must be something else that I'm missing.
Does anybody know how to completely disable the windows firewall for all networked machines using the command line in Windows Server 2016?
Setting up the Windows-Firewall for your domain-computers through computer-startup-script is not a great solution in my opinion.
You should definetly use Group Policy for this task.
GP does exactly what I want, I would just like a way of modifying GP using Powershell. I'm building a lab from scratch, and I'm looking to script as much of it as possible rather than using the gui.
I am not completely sure, what you are trying to achive.
You have created a lab now and I think you are trying to script a complete automatic built-up for future use. Is this correct?
If yes, then my solution is maybe what you are looking for:
Create a new GPO in your lab named "Firewall-Settings" for example.
Make all of your needed FireWall-Settings to the new GPO.
In Group Policy Editor open the main-node named „Group Policy Objects“. (important) Find the newly created GPO, right-click it and select "Backup":
Save the GPO-backup to a folder. (folder must exist)
The GPO is beeing saved and named like on the screenshot below (GUID):
That's it for the preparation. Now you maybe want to script the creation of the GPO with Powershell for future use and import the backup to obtain it's settings in a new environment:
New-GPO -Name "FireWall-Settings" | New-GPLink -Target "DC=mydomain,DC=local" # distinguishedName of Target-OU
Import-GPO -Path $PathtoGPOBackup -TargetName "FireWall-Settings" -BackupGpoName "FireWall-Settings"
The Script creates a GPO in the new environment with the name "FireWall-Settings" and links it to the target-OU.
After that you import the settings of the backup-GPO. All the domain-members in scope of the GPO will get the Windows-Firewall configured automatically.
Now the process is documented and fully automatic, if this is, what you are looking for.
Kind regards
open cmd prompt with elevated mode and run this:
netsh -r ComputerName -u Username -p Password -c advfirewall set allprofiles state off
If you want to do it for all the machines. Get all the ad computers using get-adcomputer. Run a foreach loop and put the variable istead of computername.
If you have the domain admin creds, then you are good to go with this.
Hope it helps.
Depending on the profile you want to disable, specify profiles (public, domain, private) using the -Name parameter. To disable all profiles for a networked machine, where $computerName array is the hostname of your DC, PC etc:
$computerName = 'DC1, PC1, MS1'
Invoke-Command -Computername $computerName -ScriptBlock {
Set-NetFirewallProfile -Name Domain, Public, Private -Enabled False
}
I'm trying to create an Application Pool in IIS7 using PowerShell. I want this to run under the NetworkService account but currently this appears to try and set itself as an 'Other' user on the Application Pool rather than being recognised as a built-in account.
My PS looks like this currently:
Set-ItemProperty $iisAppPoolDir -name processModel -value #{userName="NetworkService";identitytype=3}
Now this usually should also have the password="*****"; field available to allow me to create the application pool and have the user log in. I've left this out, hoping it would be identifiable, but it's not worked.
Any help appreciated!
Network Service is its own identityType, so you would not set a username at all, and instead set the identityType to 2, like this:
Set-ItemProperty IIS:\AppPools\MyAppPool -name processModel.identityType -value 2
This will set the identity to Network Service.
The identityType values are documented on the IIS website.