How do I access another user's registry hive using Powershell? - powershell

How can I use Powershell to load and alter another user's registry hive, without having to shell out to another Powershell process run as the target user?

You would need to load their registry.
reg load HKU\<username> C:\Users\<username>\ntuser.dat
You can find more detailed information on this here though:
https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/manipulating-registry-user-hive

While the accepted answer helped me solve my issue, I've since learned how to do this with pure PowerShell using the Registry provider:
# Mount the HKEY_USERS hive
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
# Change location to the user's registry (organized by SID)
cd HKU:/$userSid
This works by mounting the HKEY_USERS hive as a new PSDrive named HKU, which other user hives are accessible under a sub-key named after the target user's SID. You can determine the SID in one of two ways (assuming you don't already know the SID ahead of time):
Local account:
$userSid = ( Get-LocalUser NAME ).SID.Value
Domain Account[1]:
$userSid = ( Get-ADUser NAME ).SID.Value
[1] Get-ADUser is available with the RSAT Tools AD cmdlets, which must be installed as a prerequisite for this command to work.

Related

How to disable windows firewall for all networked machines using the command line in Windows Server 2016?

I am currently building a Hyper-V lab consisting of a DC and multiple networked VMs, using Windows Server 2016. I'd like to completely disable the windows firewall for all existing and newly created VMs.
The best way that I've found to do this so far is via Group Policy for the Domain Profile. Then set Windows Firewall: Protect all network connections to disabled. What I would like to do is to have a way of scripting this out (using Powershell if possible).
I've found that by performing the above steps in the GUI, it creates a few entries in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\WindowsFirewall\DomainProfile
In each of those entries, there is a property called EnableFirewall which is set to 0. So I tried creating all of this using Powershell like this:
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft" -name WindowsFirewall
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall" -name DomainProfile
New-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -name EnableFirewall -value 0 -PropertyType DWord -Force
Unfortunately it doesn't seem to be working, so there must be something else that I'm missing.
Does anybody know how to completely disable the windows firewall for all networked machines using the command line in Windows Server 2016?
Setting up the Windows-Firewall for your domain-computers through computer-startup-script is not a great solution in my opinion.
You should definetly use Group Policy for this task.
GP does exactly what I want, I would just like a way of modifying GP using Powershell. I'm building a lab from scratch, and I'm looking to script as much of it as possible rather than using the gui.
I am not completely sure, what you are trying to achive.
You have created a lab now and I think you are trying to script a complete automatic built-up for future use. Is this correct?
If yes, then my solution is maybe what you are looking for:
Create a new GPO in your lab named "Firewall-Settings" for example.
Make all of your needed FireWall-Settings to the new GPO.
In Group Policy Editor open the main-node named „Group Policy Objects“. (important) Find the newly created GPO, right-click it and select "Backup":
Save the GPO-backup to a folder. (folder must exist)
The GPO is beeing saved and named like on the screenshot below (GUID):
That's it for the preparation. Now you maybe want to script the creation of the GPO with Powershell for future use and import the backup to obtain it's settings in a new environment:
New-GPO -Name "FireWall-Settings" | New-GPLink -Target "DC=mydomain,DC=local" # distinguishedName of Target-OU
Import-GPO -Path $PathtoGPOBackup -TargetName "FireWall-Settings" -BackupGpoName "FireWall-Settings"
The Script creates a GPO in the new environment with the name "FireWall-Settings" and links it to the target-OU.
After that you import the settings of the backup-GPO. All the domain-members in scope of the GPO will get the Windows-Firewall configured automatically.
Now the process is documented and fully automatic, if this is, what you are looking for.
Kind regards
open cmd prompt with elevated mode and run this:
netsh -r ComputerName -u Username -p Password -c advfirewall set allprofiles state off
If you want to do it for all the machines. Get all the ad computers using get-adcomputer. Run a foreach loop and put the variable istead of computername.
If you have the domain admin creds, then you are good to go with this.
Hope it helps.
Depending on the profile you want to disable, specify profiles (public, domain, private) using the -Name parameter. To disable all profiles for a networked machine, where $computerName array is the hostname of your DC, PC etc:
$computerName = 'DC1, PC1, MS1'
Invoke-Command -Computername $computerName -ScriptBlock {
Set-NetFirewallProfile -Name Domain, Public, Private -Enabled False
}

How to set value for local group policy(gpedit.msc) using power shell script

I want to access this path Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age in local group policy editor and modify its value through powershell script. I have tried to import module group (Get-Command -Module group*) but no methods/module is found.I have tried the following way in powershell and it didn't work.
Set-ItemProperty -Path \Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -Name Maximum password age -Value 20
Can someone help me in modifying the value through powershell scripting.
I am new to powershell scripting,so please ignore if any wrong info is
provided.
You can find it in windows registry, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
MaximumPasswordAge REG_DWORD
You can get/set Registry values, somewhat counter-intuitively with the [get/set]-itemproperty commands.
Example:
Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ -Name AllowCredSSP
However, this likely won't reflect in the Local Group Policy Editor interface.
Look up LGPO.exe, documentation is scarce, but it seems to work:
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
(Current download is in the "Security Compliance Toolkit")
https://www.microsoft.com/en-us/download/details.aspx?id=55319
For parameters like max password age, I think best way is to use net.exe commant. Try to execute
net.exe accounts /?
For more complicated group policies in computer without domain, you can prepare policies in one computer, export it to file, and inport in other computers, by using secedit.exe
Try to google secedit /export, secedit /import usage
You can call secedit from powershell without any problems

Specify domain controller with get-aduser in powershell

Get-ADUser -identity $ntaccount1 -properties name, samaccountname, mail, enabled, passwordlastset
Is it possible, when looking up the user account information in powershell, to specify a domain controller to use? We have some DC's that get the data faster than others.
From Get-Help Get-ADUser -Parameter *
-Server <string>
Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a
corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain
Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
Fully qualified domain name
Examples: corp.contoso.com
NetBIOS name
Example: CORP
Directory server values:
Fully qualified directory server name
Example: corp-DC12.corp.contoso.com
NetBIOS name
Example: corp-DC12
Fully qualified directory server name and port
Example: corp-DC12.corp.contoso.com:3268
The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
-By using Server value from objects passed through the pipeline.
-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
-By using the domain of the computer running Powershell.
The following example shows how to specify a full qualified domain name as the parameter value.
-Server "corp.contoso.com"
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
I know that this is a bit of an old question, but I would like to expand on the answer given, to aid anyone else who had a similar query.
The following allows you to define a specific Domain Controller, which the entire of a script would be able to use... Why might you want to do this when the -server parameter is available to Get-ADUser, New-ADUser, Set-ADObject, etc?
Well I put together a script that creates an AD user, sets multiple properties and creates an exchange mailbox - However, one set of properties revolves around the RDS properties on a 2008 R2 user account, which cannot be set from within New-ADUser. I had to create a function that calls ADSI and uses psbase.invokeSet to update the settings. There is no parameter setting for -server that I'm aware of.
This in itself wouldn't be a big deal, but the script also creates an Exchange mailbox for the user. As my Exchange server is in different AD Site from my workstation, the user account gets created on my local DC, but the mailbox isn't set, because the DC in the same site as the Exchange server hasn't yet received a replicated copy of the new user account.
The solution I found is as follows and is courtesy of http://www.joseph-streeter.com/?p=799
Having loaded import-module activedirectory, you'll have access to AD options in the New-PSDrive commandlet which among everything else allows you to define a new Active Directory Provider to work with.
New-PSDrive -Name <<NameofYourChoice>> -PSProvider ActiveDirectory -Server <<DC Server>> -Root "//RootDSE/" -Scope Global
Once created, you can then change the working Provider with the following command.
CD <<NameofYourChoice>>:
To view the existing list of Providers, type Get-PSDrive. AD is the default Active Directory Provider created when using the ActiveDirectory commandlet. You should also see your newly created Provider.
So for instance if my remote DC is called RemoteDC I would run:
New-PSDrive -Name RemoteAD -PSProvider ActiveDirectory -Server RemoteDC -Root "//RootDSE/" -Scope Global
to create a new Provider called RemoteAD. If I then run:
CD RemoteAD:
All further active directory related commands in the script or the active shell will work with the new Provider RemoteAD. If I would need to change back to my original Provider, I'd simply type
CD AD:
Hope someone finds this useful...
This is what i use:
Get-ADUser -server dcservername.domain.local -identity username

How to execute RunOnce for a specific user on Windows 7?

I know that I can set a runonce key in the Win7 registry globally, which will be executed no matter which user logs on the next time, using this registry key:
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
I need to do an initialization only for a specific user, so I wonder if there is a way to programatically (using Powershell) set a runonce-entry that is only executed if one specific user logs on, also if this user is not an Administrator.
Do you know of a way to do this? Thanks.
I think this question and the other (http://stackoverflow.com/questions/10908727/how-can-i-programatically-find-a-users-hkey-users-registry-key-using-powershell) are related:
Anyways, here is how you do it:
$User = New-Object System.Security.Principal.NTAccount($env:UserName)
$sid = $User.Translate([System.Security.Principal.SecurityIdentifier]).value
New-PSDrive HKU Registry HKEY_USERS
Get-Item "HKU:\${sid}"
Set-ItemProperty -Path "HKU:\${sid}\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name Command -Value "notepad.exe"

How can I programmatically find a users HKEY_USERS registry key using powershell?

I wonder if there is a way to find a local user's registry key in HKEY_USERS if you know the login-name of that user on the local machine. I want to programmatically add stuff to a specific user's registry keys (Autorun for example), but I only know the username. How can I determine which of the cryptic users in HKEY_USERS actually belongs to a specific username?
$User = New-Object System.Security.Principal.NTAccount($env:UserName)
$sid = $User.Translate([System.Security.Principal.SecurityIdentifier]).value
The above snippet gives you the SID of the logged-in user. This when appended to the HKEY_USERS givs you the right path for that username.
New-PSDrive HKU Registry HKEY_USERS
Get-Item "HKU:\${sid}"
This answer is not complete, as HKEY_USERS does not contain all the users, just those that are currently active.
You'll need to load the registry hive for the user(s) you want to work with using
reg load hku\ThatUserName C:\Users\ThatUserName\NTUSER.DAT
See this SO answer for an example of how to load the registry hive for all the user(s).
You can then access the registry for that user with
Set-Location HKU:\ThatUserName
Or call New-PSDrive to give the user's registry it's own drive, like so:
New-PSDrive -Name HKThatUser -PSProvider Registry -Root HKU\ThatUserName
Set-Location HKThatUser:
Be sure to unload the registry, and do garbage collection to ensure the hive is released when done:
reg unload hku\ThatUserName
[gc]::collect()
See this post for more info
This does it for me
ls 'hklm:software/microsoft/windows nt/currentversion/profilelist' | ? {
$_.getvalue('profileimagepath') -match 'Steven'
} | % pschildname
Example