How to remove the Msmq Message Quota and Journal Quota by Powershell? - sql-server-2008-r2

I am trying to remove / uncheck the Msmq Message and Journal Quota limitation in 2008 R2 via the Powershell script.
I've got the following script working on my machine (Windows 10). But it's not working on any of our servers at all (which are 2008 R2 servers). It does not show any error either.
#Set the value for unchecked (hex or decimal)
Set-ItemProperty -Path HKLM:\Software\Microsoft\MSMQ\Parameters\MachineCache -Name MachineQuota -Value 4294967295
Set-ItemProperty -Path HKLM:\Software\Microsoft\MSMQ\Parameters\MachineCache -Name MachineJournalQuota -Value 4294967295
#IMP-Restart the MSMQ services for changes to take effect
Get-Service MSMQ | Restart-Service -Force
I tried to manually change the value in the Registry with the Regedit tool. But whenever I restarted the MSMQ (Message Queuing) service, it always changed it back to the original value '1048576'.
I tried to execute Octopus deployment which runs the script with 'Local System Account', but still no luck and it does not remove the Storage limits and shows no error.
Do you have to be an administrator or highest role to remove it?
Could you please suggest how I could remove that limitation via Powershell?

I can manually set MachineQuota and MachineJournalQuota through Computer Management without a problem and restarting MSMQ leaves them unchanged.
If you are getting 'Access Denied' then check the permissions on the MachineCache key. On my Windows 10 machine, Full Control is given to SYSTEM, Administrators and MSMQ. So running a script under the local system account should work. Maybe your permissions are different for some reason.

Related

How to set IP Address Restrictions for Management Service in IIS through PowerShell?

I'm looking for a way to script the whole IIS configuration through PowerShell and I've already done most of it. The problem I'm facing right now is how to set 'IP Address Restrictions' for Management Service in IIS.
I know there is a simple way to do it for a domain or a site but my goal is to limit the number of IP's being able to deploy to IIS.
Including screenshot for clarification:
IIS Management Service
Following @BruceZhang's advice, I first set up the required value using the UI, then looked up the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server\RemoteRestrictions' and found the encrypted value for my IP address. From then on, setting it up was only a matter of changing the value for this key in the registry through a PowerShell script. It works fine, thanks!
Stop-Service -Name "WMSVC"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WebManagement\Server" -Name "RemoteRestrictions" -Value /wEZAgAAAAEAAABnAgAAABkBAAAAAAAAABkDAAAAAQAAAC4EA8ADqAMdAx0CAAAALgQD/wP/A/8D/wMAAAB
Start-Service -Name "WMSVC"

How to disable windows firewall for all networked machines using the command line in Windows Server 2016?

I am currently building a Hyper-V lab consisting of a DC and multiple networked VMs, using Windows Server 2016. I'd like to completely disable the windows firewall for all existing and newly created VMs.
The best way that I've found to do this so far is via Group Policy for the Domain Profile. Then set Windows Firewall: Protect all network connections to disabled. What I would like to do is to have a way of scripting this out (using Powershell if possible).
I've found that by performing the above steps in the GUI, it creates a few entries in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\WindowsFirewall\DomainProfile
In each of those entries, there is a property called EnableFirewall which is set to 0. So I tried creating all of this using Powershell like this:
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft" -name WindowsFirewall
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall" -name DomainProfile
New-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -name EnableFirewall -value 0 -PropertyType DWord -Force
Unfortunately it doesn't seem to be working, so there must be something else that I'm missing.
Does anybody know how to completely disable the windows firewall for all networked machines using the command line in Windows Server 2016?
Setting up the Windows-Firewall for your domain-computers through computer-startup-script is not a great solution in my opinion.
You should definitely use Group Policy for this task.
GP does exactly what I want, I would just like a way of modifying GP using Powershell. I'm building a lab from scratch, and I'm looking to script as much of it as possible rather than using the gui.
I am not completely sure what you are trying to achieve.
You have created a lab now and I think you are trying to script a complete automatic built-up for future use. Is this correct?
If yes, then my solution is maybe what you are looking for:
Create a new GPO in your lab named "Firewall-Settings" for example.
Make all of your needed FireWall-Settings to the new GPO.
In Group Policy Editor open the main node named "Group Policy Objects". (important) Find the newly created GPO, right-click it and select "Backup":
Save the GPO-backup to a folder. (folder must exist)
The GPO is being saved and named like on the screenshot below (GUID):
That's it for the preparation. Now you maybe want to script the creation of the GPO with Powershell for future use and import the backup to obtain its settings in a new environment:
New-GPO -Name "FireWall-Settings" | New-GPLink -Target "DC=mydomain,DC=local" # distinguishedName of Target-OU
Import-GPO -Path $PathtoGPOBackup -TargetName "FireWall-Settings" -BackupGpoName "FireWall-Settings"
The Script creates a GPO in the new environment with the name "FireWall-Settings" and links it to the target-OU.
After that you import the settings of the backup-GPO. All the domain-members in scope of the GPO will get the Windows-Firewall configured automatically.
Now the process is documented and fully automatic, if this is, what you are looking for.
Kind regards
open cmd prompt with elevated mode and run this:
netsh -r ComputerName -u Username -p Password -c advfirewall set allprofiles state off
If you want to do it for all the machines, get all the AD computers using Get-ADComputer, run a foreach loop and put the variable instead of ComputerName.
If you have the domain admin creds, then you are good to go with this.
Hope it helps.
Depending on the profile you want to disable, specify profiles (public, domain, private) using the -Name parameter. To disable all profiles for a networked machine, where $computerName array is the hostname of your DC, PC etc:
$computerName = 'DC1', 'PC1', 'MS1'   # array of host names, one string per machine
Invoke-Command -ComputerName $computerName -ScriptBlock {
    Set-NetFirewallProfile -Name Domain, Public, Private -Enabled False
}

How to create group of users and link group policy to them via powershell/cmd Windows Server 2012 R2

Is there a way to create a group of users with group policy applied to them via Powershell/CMD?
My machine is not joined to a domain.
I want to prepare a script which I will use multiple times on other local computers/machines to recreate group policy.
I want to e.g. restrict user access to Control Panel, Internet Access and stuff like that.
Thanks in advance for answers
For computers not joined to the domain, you can't use Group Policy. You will need to use Local Policy. Many of the items that you are looking for will simply be registry values that you can easily set with a PowerShell script. For example the policy for Hiding Fast User Switching toggles can be toggled like this:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name HideFastUserSwitching -Value 0
You can look up where the values are by reading the .admx templates
Alternatively you could use David Wyatt's PowerShell module to read and modify policy files.
Finally, the last option would be to create the policy on one computer and then overwrite the .pol files on all the computers and then gpupdate /force. This of course could be scripted with PowerShell.
Copy-Item \\ExampleComputer1\C$\Windows\System32\GroupPolicy\Machine\Registry.pol \\ExampleComputer2\C$\Windows\System32\GroupPolicy\Machine\Registry.pol -Force
Copy-Item \\ExampleComputer1\C$\Windows\System32\GroupPolicy\User\Registry.pol \\ExampleComputer2\C$\Windows\System32\GroupPolicy\User\Registry.pol -Force
Security Templates would have to be exported from the Security Templates mmc snapin and then imported on the other computers with secedit
secedit /configure /db %temp%\temp.sdb /cfg yourcreated.inf
Using that solution --> Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name HideFastUserSwitching -Value 0
Doesn't work.
I mean e.g:
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" -Name NoRecycleBinIcon -Value 1
.admx template.
It should make my desktop recycle bin disappear. This is just an example; other settings also stay unchanged.

Drive Mapping with Azure Scale Sets using Desired State Configuration

I am running into an interesting issue. Maybe you fine folks can help me understand what's happening here. If there's a better method, I'm all ears.
I am running a DSC Configuration on Azure and would like to map a drive. I've read this really isn't what DSC is for, but I am not aware of any other way of doing this outside of DSC with Azure Scalesets. Here's the portion of the script I am running into issues with:
Script MappedDrive
{
    SetScript =
    {
        $pass = "passwordhere" | ConvertTo-SecureString -AsPlainText -Force
        $user = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "username",$pass
        New-PSDrive -Name W -PSProvider FileSystem -Root \\azurestorage.file.core.windows.net\storage -Credential $user -Persist
    }
    TestScript =
    {
        Test-Path -Path "W:"
    }
    GetScript =
    {
        # GetScript must return a hashtable
        $hashresults = @{}
        $hashresults['Exists'] = Test-Path W:
        $hashresults
    }
}
I've also attempted this code in the SetScript section:
(New-Object -ComObject WScript.Network).MapNetworkDrive('W:','\\azurestorage.file.core.windows.net\storage',$true,'username','passwordhere')
I've also tried a simple net use command to map the drive instead of the fancy, New-Object or New-PSDrive cmdlets. Same behavior.
If I run these commands (New-Object/Net Use/New-PSDrive) manually, the machine will map the drive if I run it with a separate drive letter. Somehow, the drive is attempting to be mapped but isn't mapping.
Troubleshooting I've done:
There is no domain in my environment. I am simply attempting to create a scale set and run DSC to configure the machine using the storage account credentials granted upon creation of the storage account.
I am using the username and password that is given to me by the Storage Account user id and access key (randomly generated key, with usually the name of the storage account as the user).
Azure throws no errors on running the DSC module (No errors in Event Log, Information Only - Resource execution sequence properly lists all of my sequences in the DSC file.)
When I log into the machine and check to see if the drive is mapped, I run into a disconnected network drive on the drive letter I want (W:).
If I open Powershell, I receive an error: "Attempting to perform the InitializeDefaultDrives operation on the 'FileSystem' provider failed."
If I run "Get-PSDrive" the W: drive does not appear.
If I run the SetScript code manually inside a Powershell Console, the mapped drive works fine under a different drive letter.
If I try to disconnect the W: drive, I receive "This network connection does not exist."
I thought maybe DSC needed some time before mapping and added a Sleep Timer, but that didn't work. Same behavior.
I had a similar problem before. While it didn't involve DSC, mounting an Azure File share would be fine until the server was restarted, then it would appear as a disconnected drive. This happened if I used New-Object/Net Use/New-PSDrive with the persist option.
The answer to that issue I found in the updated docs:
Persist your storage account credentials for the virtual machine
Before mounting to the file share, first persist your storage account
credentials on the virtual machine. This step allows Windows to
automatically reconnect to the file share when the virtual machine
reboots. To persist your account credentials, run the cmdkey command
from the PowerShell window on the virtual machine. Replace
<storage-account-name> with the name of your storage account, and
<storage-account-key> with your storage account key.
cmdkey /add:<storage-account-name>.file.core.windows.net /user:<storage-account-name> /pass:<storage-account-key>
Windows will now reconnect to your file share when the virtual machine
reboots. You can verify that the share has been reconnected by running
the net use command from a PowerShell window.
Note that credentials are persisted only in the context in which
cmdkey runs. If you are developing an application that runs as a
service, you will need to persist your credentials in that context as
well.
Mount the file share using the persisted credentials
Once you have a remote connection to the virtual machine, you can run
the net use command to mount the file share, using the following
syntax. Replace <storage-account-name> with the name of your storage
account, and <share-name> with the name of your File storage share.
net use <drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name>
example :
net use z: \\samples.file.core.windows.net\logs
Since you persisted your storage account credentials in the previous
step, you do not need to provide them with the net use command. If you
have not already persisted your credentials, then include them as a
parameter passed to the net use command, as shown in the following
example.
Edit:
I don't have an Azure VM free to test it on, but this works fine on a Server 2016 hyper-v vm
Script MapAzureShare
{
    GetScript =
    {
        # GetScript must return a hashtable
        @{ Result = [string](Test-Path W:) }
    }
    TestScript =
    {
        Test-Path W:
    }
    SetScript =
    {
        # Store the credentials first, then map the drive without passing them again
        cmdkey /add:somestorage.file.core.windows.net /user:somestorage /pass:somekey
        net use W: \\somestorage.file.core.windows.net\someshare
    }
    PsDscRunAsCredential = $credential
}
In my brief testing the drive would only appear after the server was rebooted.
What I imagine is happening here:
DSC runs under the NT AUTHORITY\SYSTEM account and unless the Credential attribute has been set, the Computer account is used when pulling the files from a network share. But looking at how Azure Files operate, permissions shouldn't be an issue, but running this whole process under NT AUTHORITY\SYSTEM could. I suggest you try to run DSC as a user of your VM's and see if that works.
ps. You could also try to perform the same operation against a VM with network share where you are confident that share\ntfs permissions are correct. You might need to enable anonymous user to access your share for that to work.

How to set the proxy server for Exchange in outlook 2007 and other setting automatically using the windows registry?

I'm new to using the windows registry.
Here is my problem and the context:
I need to write a powershell script that will automatically change the following settings in outlook 2007 for a new account in such a way that you will only need to enter the LogonDomain\UserName and Password as outlined in step 2:
Step 1:
Tools -> Account Setting... -> double click the email account -> More Settings... -> Connection -> check the box "Connect to Microsoft Exchange using HTTP" -> Exchange Proxy Setting... -> enter the proxy server (e.g. exmail.example.com) -> check the box "On fast networks..." and "On slow networks..." -> Set "Basic Authentication" in drop down bar -> Ok -> Ok -> next -> finish
Step 2:
Restart Outlook -> Enter LogonDomain and UserName -> Enter Password -> Repeat Step 1 except this time uncheck the box "On fast networks..."
note: some of the setting from step 1 will already be set when you do step 2, such as the name of the proxy server for exchange.
To find the changes made to the registry I used the application RegFromApp, which records every registry change made by a specific process, Outlook in this case. I wrote two scripts to make the changes recorded by RegFromApp after manually carrying out step 1 and 2 on a new account.
When I try to execute step 1 on a new account it fails to make the changes. However, if I manually carry out step 1 and then execute step 2 the appropriate changes are made. Then if I execute step 1 the settings are changed appropriately! Unfortunately, only having step 2 automated isn't good enough. I think the problem lies with the "enter the proxy server" part of step 1. Nowhere in my script lies the string "exmail.example.com". There are loads of hexadecimal values changed and it is possible that "exmail.example.com" is encoded into one of those, but I don't know.
Q: Does anyone know how to set the proxy server for exchange using the registry, if it's possible to do so, or if there is even a reg key for this setting?
Thanks
Patrick
Below is the READ_ME.txt I made for anyone in my company who wishes to do something similar
Task: Set the proxy server for Exchange in outlook 2007
Requirements:
-RegFromApp (\\nas\it\MS\ExchangeSetup)
-PowerShell
Method:
-Open Outlook and RegFromApp.
-Select outlook as the process to monitor in RegFromApp
-Make the appropriate changes to the outlook settings.
-The changes to the registry will be recorded in RegFromApp.
-Write a Powershell script to make these changes to the registry.
-To execute the Powershell script automatically you need to make a .BAT file that changes the execution policy
of PowerShell to RemoteSigned temporarily and restores it to Restricted for security reasons.
Notes:
-RegFromApp will provide you with every change made to the registry. Only a few of them are actually needed to make the appropriate changes to
the settings in Outlook.
-This method should be capable of making changes to any setting of any program running on Windows XP or higher and was recommended by a user
on stackoverflow who had to roll out similar changes to a network of 10000 computers.
-To run this script execute exchange_setup.BAT located at \\nas\it\MS\ExchangeSetup
PowerShell Script:
Stop-Process -processname outlook
$regkey1 = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a"
$regkey2 = "HKCU:\Software\Microsoft\Exchange"
set-itemproperty -path $regkey1 -name 00036623 -value ([byte[]](0x2b,0x00,0x00,0x00)) #this value is used for binary regkeys
set-itemproperty -path $regkey1 -name 001f6622 -value ([byte[]](0x65,0x00,0x6D,0x00,0x61,0x00,0x69,0x00,0x6C,0x00,0x2E,0x00,0x6A,0x00,0x6F,0x00,0x6E,0x00,0x65,0x00,0x73,0x00,0x65,0x00,0x6E,0x00,0x67,0x00,0x2E,0x00,0x63,0x00,0x6F,0x00,0x6D,0x00,0x00,0x00))
set-itemproperty -path $regkey1 -name 001f6625 -value ([byte[]](0x00,0x00))
set-itemproperty -path $regkey1 -name 00036627 -value ([byte[]](0x01,0x00,0x00,0x00))
set-itemproperty -path $regkey1 -name 00036601 -value ([byte[]](0x84,0x19,0x00,0x00))
set-itemproperty -path $regkey2 -name LogonDomain -value jonesgroup #this value is used for string regkeys
[System.Diagnostics.Process]::Start("outlook").WaitForExit()
set-itemproperty -path $regkey1 -name 00036623 -value ([byte[]](0x23,0x00,0x00,0x00))
[System.Diagnostics.Process]::Start("outlook")
.BAT file:
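rem -executionpolicy applies only to this powershell.exe process, so the machine-wide policy is left unchanged and needs no restore
powershell.exe -executionpolicy remotesigned -file \\nas\it\MS\ExchangeSetup\exchange_setup.ps1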
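The question asks whether the proxy server name is hidden in one of the recorded hexadecimal values. As an added example (not part of the original post; the function names are hypothetical), the following decodes the 001f6622 bytes from the script above as UTF-16LE, which yields email.joneseng.com, and compares the two 00036623 values written for step 1 and step 2.

```powershell
# Added example. Function names are hypothetical; the byte values are copied
# from the 001f6622 and 00036623 lines of the script above.

function ConvertFrom-RegUnicodeBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # UTF-16LE is made of two-byte code units; an odd length means the value
    # is not a plain UTF-16LE string.
    if ($Bytes.Length % 2 -ne 0) { throw 'Not UTF-16LE: odd byte count' }
    [System.Text.Encoding]::Unicode.GetString($Bytes).TrimEnd([char]0)
}

function ConvertTo-RegUnicodeBytes {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    # Append the 16-bit NUL terminator that the recorded values end with.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Text + [char]0)
    , $bytes   # leading comma keeps the array from being unrolled on output
}

function Get-ChangedFlagBits {
    param([byte[]]$Before, [byte[]]$After)
    # The 4-byte values are little-endian 32-bit integers; XOR shows which bits differ.
    $b = [System.BitConverter]::ToUInt32($Before, 0)
    $a = [System.BitConverter]::ToUInt32($After, 0)
    '0x{0:x2}' -f ($b -bxor $a)
}

# Value written to 001f6622 by the script above.
$recorded = [byte[]](0x65,0x00,0x6D,0x00,0x61,0x00,0x69,0x00,0x6C,0x00,0x2E,0x00,
                     0x6A,0x00,0x6F,0x00,0x6E,0x00,0x65,0x00,0x73,0x00,0x65,0x00,
                     0x6E,0x00,0x67,0x00,0x2E,0x00,0x63,0x00,0x6F,0x00,0x6D,0x00,
                     0x00,0x00)

$server = ConvertFrom-RegUnicodeBytes $recorded
"001f6622 decodes to: $server"

# Round trip: encoding the decoded name reproduces the recorded bytes.
$again = ConvertTo-RegUnicodeBytes $server
"Round trip matches: " + (($again -join ',') -eq ($recorded -join ','))

# The script writes 0x2b to 00036623 before the first Outlook start and 0x23 after it.
"00036623 bits changed: " + (Get-ChangedFlagBits (0x2b,0,0,0) (0x23,0,0,0))

# To use the proxy server name from the question, encode it the same way
# ($regkey1 is the profile key defined in the script above):
# Set-ItemProperty -Path $regkey1 -Name 001f6622 -Value (ConvertTo-RegUnicodeBytes 'exmail.example.com')
```

The two 00036623 values differ in a single bit, which lines up with the one checkbox ("On fast networks...") that step 2 changes.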