I'm looking to write a PowerShell script to verify the security configuration of MSMQ on some of our servers, e.g. the contents of the Security tab when I run compmgmt.msc, then go to Computer Management (local) -> Services and Applications -> Message Queueing, then right-click -> Properties -> Security tab.
Note that this is not the same as Service Security (which I'm aware I can retrieve via Get-WmiObject -Query 'SELECT * FROM win32_service' | % PathName | Get-Acl.
MSMQ apparently has its own unique ACL set and custom permissions which I want to query to ensure that certain Service Principals have the correct permissions as part of a release script.
Does anybody know how to access these custom permissions ON WINDOWS SERVER 2008 ? I'm also aware that there's an MSMQ PowerShell module, but it's only available in 2012 and later versions of Windows Server.
You can import the System.Messaging assembly and use the .NET methods directly. You find a code example here on SO...
Related
SCCM is the method we deploy Windows updates to clients. We have a portion of computers that have a local group policy setting under:
Local Computer policy > Administrative Templates > Windows Components > Windows update
The setting is called "Specify intranet Microsoft update service location"
Basically the wuahandler.log is complaining of :
Enabling WUA Managed server policy to use server: http://servername.domain.local:8530
Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://servername.domain.local:8531 and Policy ENABLED
Failed to Add Update Source for WUAgent of type (2) and id ({C2F93D44-EAB3-4D5E-9330-7806157D92AD}). Error = 0x87d00692.
I can see that for whatever reason SCCM is not modifying the local group policy and its causing a conflict.
The pc's that have no issue have both the local group policy and policies under hklm > policies > windows update as the correct name (with port 8531).
I am basically asking how can i change the "specify intranet microsoft update service location ' using powershell or an automated method to remediate the 300 pc's that have a mismatched port number. modifying the HKLM keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate ive already taken care of. But this is not doing anything to resolve my issue.
any help would be appreciated.
There are many articles all over the web on using PowerShell and local policy management. Just search for them. Using a string like 'PowerShell manage local policy' and you will get a long list to consume.
There is even a module via the MS PowershellGallery.com for Local Policy Management.
Find-Module -Name 'PolicyFileEditor' |
Save-Module -Path "$env:USERPROFILE\Documents\WindowsPowerShell\Modules" -Force
Install-Module -Name 'PolicyFileEditor'
And blogged about its use is here:
How to manage Local Group Policy with Powershell
You can even just secedit.
Take a look at this Q&A
So, sure you can mess with Local Policy, be if your SCCM settings getting overridden by a higher authority, then any setting you'd do wit PowerShell would as well.
Please make sure that in case of SCCM/MECM or installations with system user (NT-Authority\System) you do not use -Scope CurrentUser, otherwise you will have the same problem as described here: https://github.com/PowerShell/PowerShellGetv2/issues/651
In a system context Install-Module does not create a Documents folder in the system profile if -Scope CurrentUser is used.
If you want to use -Scope CurrentUser anyway, you have to create the folder "C:\Windows\system32\config\systemprofile\Documents\PowerShell\Modules" or at least "C:\Windows\system32\config\systemprofile\Documents" first, so that the module is installed for the system user.
On Windows Server 2012 Datacenter with Microsoft Dynamics CRM 2016 installed, I want to run a deployment command but for every commands I get this error: "(500) Internal Server Error".
I first run this:
Add-PSSnapin Microsoft.Crm.PowerShell
and it will work fine and when I check it with get-pssnapin and Get-Help *Crm*, every thing is fine and every thing that I need is registered. but when I want to run a cmdlets command like these, I face the error: Get-CrmSetting or Get-CrmCertificate or ...
For example for Get-CrmSetting TraceSettings it give me this error:
How can I solve this problem and error?
Thanks
According to this article, you might want to try:
Get-CrmSetting –SettingType TraceSettings
Here are a couple more items to investigate, from this article:
To use the XRM tooling cmdlets, you need PowerShell version 3.0 or
later. To check the version, open a PowerShell window and run the
following command: $Host
Set the execution policy to run the signed PowerShell scripts. To do
so, open a PowerShell window as an administrator and run the
following command: Set-ExecutionPolicy -ExecutionPolicy AllSigned
Verify the (CRMDeploymentServiceAppPool Application Pool identity) has SQL SEVER SysAdmin permission. This is needed to perform any CRM configuration changes and organizational operations.
Note: it does not matter if the account executing the PowerShell is a system admin or SQL server sysadmin because these operations are executed via the deployment web service.
Deployment Web Service (CRMDeploymentServiceAppPool Application Pool identity)
....Sysadmin permission on the instance of SQL Server to be used for the configuration and organization databases.
....
(500) Internal Server Error, refers to a HTTP response status code. This means that the Powershell command is calling a URL and the URL is reporting a error.
You need to know the URL to really find out what the problem is. One way you can get the URL, is downloading Fiddler Classic. Once installed, you have to enable HTTPS decryption.
In my case the URL was...
https://<my-crm-domain>/XrmDeployment/2011/deployment.svc?wsdl
When I ran this URL on the server where CRM is installed, I got an exception stating...
Could not load file or assembly 'Microsoft.Crm.Application.Components.Application'
All this meant, I needed to copy a file, Microsoft.Crm.Application.Components.Application.dll, from C:\Program Files\Dynamics 365\CRMWeb\bin into folder C:\Program Files\Dynamics 365\CRMWeb\XRMDeployment\bin.
Once this was done, the URL worked and therefor my PowerShell command as well.
Salam every body
I need help to learn how
to Install,Configure and Manage dns using only powershell on Windows 2008?
This should get you started.
Installing DNS Server Role via Powershell
Open an elevated Powershell window and enter the following commands.
Import-Module Servermanager
Add-WindowsFeature 'DNS' -restart
For a more general guide about installing server roles via powershell, take a look at this page: Adding Server Roles and Features
On that page, just CTRL+F for Powershell.
Configuring DNS Server Role via Powershell
Since configuration is a very general topic, here's the link to the documentation:
Domain Name System (DNS) Server Cmdlets
You can list all the available commands with Get-Command –Module DnsServer
I tried about a dozen PowerShell scripts that I found and not one even created a single share.
We are migrating from Win 2008 and SQL Server 2008 R2 to Windows 2012 and SQL Server 2014.
I have to create a ton of shares and assign a lot of varying permissions.
I'm looking for (ideally) a Powershell script (but can live with VB or anything else) that can go through a list of shares and permissions and create/assign them.
For example
E:\Folder1\A Share1 Domain\Tom Read
E:\Folder1\A Share1 Domain\Dick Full
E:\Folder1\A Share1 Domain\Harry Change
So it would go through every line, see if the share exists, if not create it, then assign the permissions.
On Server 2012R2 you can use the New-SmbShare cmdlet : https://technet.microsoft.com/en-us/library/jj635722(v=wps.630).aspx
On older versions you have to fall back to WMI to do it :https://msdn.microsoft.com/en-us/library/aa389393(v=vs.85).aspx (the article even has a PS example).
With Set-Acl you can set the ACLs for the shares.
As you can see all the tools to acomplish this are available in a default installation of Windows Server.
I need to connect to an Exchange 2010 server using C# and Powershell. The Exchange 2007 Docs want me to add a snap in
RunspaceConfiguration rsConfig = RunspaceConfiguration.Create();
PSSnapInException snapInException = null;
PSSnapInInfo info = rsConfig.AddPSSnapIn("Microsoft.Exchange.Management.PowerShell.Admin", out snapInException);
Runspace myRunSpace = RunspaceFactory.CreateRunspace(rsConfig);
myRunSpace.Open(rsConfig);
Other samples on the net want me to use WSMan like this
WSManConnectionInfo connectionInfo = new WSManConnectionInfo(false, "ExchangeServer.ibm.com", 80, "/Powershell", "http://schemas.microsoft.com/powershell/Microsoft.Exchange", credential);
So my questions are:
What is the effective difference between these techniques?
Are they interchangeable?
In Exchange 2007 you used a management snapin in a local runspace to run the cmdlets. All the changes were made under your credentials.
In Exchange 2010 that changed. Maintenance is done through a remote session provided by the Exchange server. The actual changes are done by the Exchange server on your behalf using a proxy account, and Exchange determines whether you're authorized to make those changes according to the RBAC roles you belong to. The changes are logged in the Admin Audit log.
There is a snapin for Exchange 2010, but using it by adding it into a local session is not supported by MS, and not all of the cmdlets work properly in that environment. Most cmdlets do work, but it bypasses RBAC, and and any changes made in that environment do not get logged to the Admin Audit Log.
Your first example is simply instantiating a new Runspace on the local system, which does not use WS-MAN. The second portion is leveraging the WS-MAN service, which requires that you configure it on all of the systems you'll be connecting to ahead of time.
To be honest, if you don't need to use WS-MAN to connect to a remote system, I would just avoid it and use the Exchange team's recommended practice. WS-MAN is (read: can be) fairly simple to set up and use, but it adds a layer of complexity that may simply be unnecessary, and cause additional troubleshooting headaches.