On Windows Server 2016/IIS 10, I can do the following in the IIS Manager GUI with the Log File Format set to W3C:
[Web Server Name] → Logging → Select Fields → W3C Logging Fields (Standard Fields) → Check or uncheck the boxes next to Standard Fields like "User Name (cs-username)"
I would really like to be able to check or uncheck fields like cs-username from a PowerShell script. To that end, I'm trying to discover the path to these standard fields, so I can then set them:
Import-Module IISAdministration
$prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST" -Filter /system.applicationHost/sites/sitedefaults" -Recurse
When I run this PowerShell script, it asks me to "Supply values for the following parameters: Name[0].
I think it's a bit funny that it's asking me for a name when I'm trying to discover the next path element or name. If I type in something like cs-username, it comes back with nothing, suggesting I'm in the wrong directory (assuming recurse is actually looking around).
Any thoughts?
This is what ended up working for me for IIS 10:
Set-WebConfigurationProperty `
-filter "/*/*/site/logfile" `
-name "logExtFileFlags" `
-value "Date, Time, ClientIp, etc.."
of course replacing "etc.." with all the desired fields.
Related
I know how to set group policy to add a logon script to every user using GUI but I wanted to know how can this be done using Powershell commands(or maybe with python).
Currently, the only real way to set a GPO setting via powershell requires that you know the registry key you're changing (all GPO settings resolve to registry entries), but be aware that settings done like this won't show up with the nice descriptions in the group policy gui tools:
Get-GPO -Name 'Logon Scripts' | Set-GPRegistryValue -Context User -Key 'HKEY_CURRENT_USER\path\to\key' -Value 'Foo.bat'
Generally, the better way to do what you want is to set the AD User's ScriptPath property instead:
Get-ADUser $user | Set-ADUser -ScriptPath 'Foo.bat'
I am currently building a Hyper-V lab consisting of a DC and multiple networked VMs, using Windows Server 2016. I'd like to completely disable the windows firewall for all existing and newly created VMs.
The best way that I've found to do this so far is via Group Policy for the Domain Profile. Then set Windows Firewall: Protect all network connections to disabled. What I would like to do is to have a way of scripting this out (using Powershell if possible).
I've found that by performing the above steps in the GUI, it creates a few entries in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\WindowsFirewall\DomainProfile
In each of those entries, there is a property called EnableFirewall which is set to 0. So I tried creating all of this using Powershell like this:
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft" -name WindowsFirewall
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall" -name DomainProfile
New-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -name EnableFirewall -value 0 -PropertyType DWord -Force
Unfortunately it doesn't seem to be working, so there must be something else that I'm missing.
Does anybody know how to completely disable the windows firewall for all networked machines using the command line in Windows Server 2016?
Setting up the Windows-Firewall for your domain-computers through computer-startup-script is not a great solution in my opinion.
You should definetly use Group Policy for this task.
GP does exactly what I want, I would just like a way of modifying GP using Powershell. I'm building a lab from scratch, and I'm looking to script as much of it as possible rather than using the gui.
I am not completely sure, what you are trying to achive.
You have created a lab now and I think you are trying to script a complete automatic built-up for future use. Is this correct?
If yes, then my solution is maybe what you are looking for:
Create a new GPO in your lab named "Firewall-Settings" for example.
Make all of your needed FireWall-Settings to the new GPO.
In Group Policy Editor open the main-node named „Group Policy Objects“. (important) Find the newly created GPO, right-click it and select "Backup":
Save the GPO-backup to a folder. (folder must exist)
The GPO is beeing saved and named like on the screenshot below (GUID):
That's it for the preparation. Now you maybe want to script the creation of the GPO with Powershell for future use and import the backup to obtain it's settings in a new environment:
New-GPO -Name "FireWall-Settings" | New-GPLink -Target "DC=mydomain,DC=local" # distinguishedName of Target-OU
Import-GPO -Path $PathtoGPOBackup -TargetName "FireWall-Settings" -BackupGpoName "FireWall-Settings"
The Script creates a GPO in the new environment with the name "FireWall-Settings" and links it to the target-OU.
After that you import the settings of the backup-GPO. All the domain-members in scope of the GPO will get the Windows-Firewall configured automatically.
Now the process is documented and fully automatic, if this is, what you are looking for.
Kind regards
open cmd prompt with elevated mode and run this:
netsh -r ComputerName -u Username -p Password -c advfirewall set allprofiles state off
If you want to do it for all the machines. Get all the ad computers using get-adcomputer. Run a foreach loop and put the variable istead of computername.
If you have the domain admin creds, then you are good to go with this.
Hope it helps.
Depending on the profile you want to disable, specify profiles (public, domain, private) using the -Name parameter. To disable all profiles for a networked machine, where $computerName array is the hostname of your DC, PC etc:
$computerName = 'DC1, PC1, MS1'
Invoke-Command -Computername $computerName -ScriptBlock {
Set-NetFirewallProfile -Name Domain, Public, Private -Enabled False
}
I'd like to simply add some .Net Authorization rules in IIS (7.5 / win 2008 R2) using a powershell script with PS snap in. So far I was able to add some "allow" rules but not any deny ones.
Each time I try, it either does nothing or creates an "allow" rule, which seems odd, like if it was defaulting to allow all the time.
I tried with add-webconfigurationproperty and add-webconfiguration with no luck.
Maybe one of you has the correct command line to use?
For instance:
Add-WebConfiguration "/system.web/authorization" -value #{ElementTagName="Deny";users="*"} -PSPath "IIS:\Sites\Mysite"
Add-WebConfigurationProperty "/system.web/authorization" -Name "collection" -value #{ElementTagName='deny';users='test'} -PSPath "IIS:\Sites\Mysite"
will create 2 "allow" rules.
Same behavior if I remove ElementTagName='deny'. So weird. Like if the deny "mode" was to be accessed in some different way.
And for instance, if I go to IIS 8 and try to generate the script after adding a deny rule, the command line suggested is not working either.
How can I fix this?
The command you should use to add a deny rule in your example is:
Add-WebConfigurationProperty "/system.web/authorization" -PSPath "IIS:\Sites\Mysite" -Name "." -value #{users='test'} -Type "deny"
This bothered me too & I also had trouble getting appcmd to do the same thing. I did get it working in the end & found that the -Type parameter was the important one. This wasn't all that clear to me from the documentation which just says:
The type of property to add.
I currently have several websites running under IIS. For ease lets call them site1, site2, and site3
My powershell script accepts a parameter from the user of which number site to work with. I am attempting to turn off site3 with simply the parameter 3
I thought it would be something along the lines of
stop-website | where-object {$_.name -like "*3*"}
this line is executed, but brought to a prompt for "name"
The Name property seems to accept wildcards (although help states otherwise) so you should be able to stop it with this:
Stop-Website -Name *3*
"Move-QADObject : 0000202B: RefErr: DSID-031007EF, data 0, 1 access points"
I get this error when I try the following:
Move-QADObject -identity $results_ep.dn -NewParentContainer "OU=Users,OU=AB,DC=domain,DC=local" -Credential $cred_ep
I am running this script from domain A, and the target domain where the object should be moving is domain B (hence the credentials).
Anyone know whats up?
The default tree in Active Directory is not OU=Users,dc=domain,dc=com but rather cn=Users,dc=domain,dc=com ( CN= not the OU= for Users).
Try change OU=Users with CN=Users
EDIT:
Reading better your question I see just now that you want move object to a different domain,
from get-help move-qadobject:
... omissis ...
Use this cmdlet to move an object between containers within an Active Directory domain (the cmdlet cannot move an object to a different domain).
... omissis ...
Read here to do it with Quest.ActiveRoles.ADManagement sanp-in.
If you are in a Windows Server 2008 R2 DC you can move in a different domain using Windows PowerShell module named Active Directory:
Move-ADObject -Identity "CN=Mary Vick,OU=Accounting,DC=SS64,DC=com" -TargetPath "OU=Accounting,DC=Europe,DC=SS64,DC=com" -TargetServer "server64.europe.SS64.com"
Better of all I think is using native Microsoft commandline like ADMT