I am currently building a Hyper-V lab consisting of a DC and multiple networked VMs, using Windows Server 2016. I'd like to completely disable the windows firewall for all existing and newly created VMs.
The best way that I've found to do this so far is via Group Policy for the Domain Profile. Then set Windows Firewall: Protect all network connections to disabled. What I would like to do is to have a way of scripting this out (using Powershell if possible).
I've found that by performing the above steps in the GUI, it creates a few entries in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\WindowsFirewall\DomainProfile
In each of those entries, there is a property called EnableFirewall which is set to 0. So I tried creating all of this using Powershell like this:
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft" -name WindowsFirewall
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall" -name DomainProfile
New-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -name EnableFirewall -value 0 -PropertyType DWord -Force
Unfortunately it doesn't seem to be working, so there must be something else that I'm missing.
Does anybody know how to completely disable the windows firewall for all networked machines using the command line in Windows Server 2016?
Setting up the Windows-Firewall for your domain-computers through computer-startup-script is not a great solution in my opinion.
You should definetly use Group Policy for this task.
GP does exactly what I want, I would just like a way of modifying GP using Powershell. I'm building a lab from scratch, and I'm looking to script as much of it as possible rather than using the gui.
I am not completely sure, what you are trying to achive.
You have created a lab now and I think you are trying to script a complete automatic built-up for future use. Is this correct?
If yes, then my solution is maybe what you are looking for:
Create a new GPO in your lab named "Firewall-Settings" for example.
Make all of your needed FireWall-Settings to the new GPO.
In Group Policy Editor open the main-node named „Group Policy Objects“. (important) Find the newly created GPO, right-click it and select "Backup":
Save the GPO-backup to a folder. (folder must exist)
The GPO is beeing saved and named like on the screenshot below (GUID):
That's it for the preparation. Now you maybe want to script the creation of the GPO with Powershell for future use and import the backup to obtain it's settings in a new environment:
New-GPO -Name "FireWall-Settings" | New-GPLink -Target "DC=mydomain,DC=local" # distinguishedName of Target-OU
Import-GPO -Path $PathtoGPOBackup -TargetName "FireWall-Settings" -BackupGpoName "FireWall-Settings"
The Script creates a GPO in the new environment with the name "FireWall-Settings" and links it to the target-OU.
After that you import the settings of the backup-GPO. All the domain-members in scope of the GPO will get the Windows-Firewall configured automatically.
Now the process is documented and fully automatic, if this is, what you are looking for.
Kind regards
open cmd prompt with elevated mode and run this:
netsh -r ComputerName -u Username -p Password -c advfirewall set allprofiles state off
If you want to do it for all the machines. Get all the ad computers using get-adcomputer. Run a foreach loop and put the variable istead of computername.
If you have the domain admin creds, then you are good to go with this.
Hope it helps.
Depending on the profile you want to disable, specify profiles (public, domain, private) using the -Name parameter. To disable all profiles for a networked machine, where $computerName array is the hostname of your DC, PC etc:
$computerName = 'DC1, PC1, MS1'
Invoke-Command -Computername $computerName -ScriptBlock {
Set-NetFirewallProfile -Name Domain, Public, Private -Enabled False
}
Related
I know how to set group policy to add a logon script to every user using GUI but I wanted to know how can this be done using Powershell commands(or maybe with python).
Currently, the only real way to set a GPO setting via powershell requires that you know the registry key you're changing (all GPO settings resolve to registry entries), but be aware that settings done like this won't show up with the nice descriptions in the group policy gui tools:
Get-GPO -Name 'Logon Scripts' | Set-GPRegistryValue -Context User -Key 'HKEY_CURRENT_USER\path\to\key' -Value 'Foo.bat'
Generally, the better way to do what you want is to set the AD User's ScriptPath property instead:
Get-ADUser $user | Set-ADUser -ScriptPath 'Foo.bat'
This is my first question here and I am also quite new on PowerShell, so I hope I am doing everything alright.
My problem is the following: I want to uninstall a programm on several computers, check if the registry-key is deleted and then install a new version of the programm.
The setup is located on a server within the same domain as the computers.
I want my Script to loop through the computers and execute the setup from the server for every computer. As I am quite new with PowerShell, I have no idea how to do this. I was thinking to maybe use Copy-Item, but I dont want to really move the setup, but simply execute it from the server to the computers? Any idea how to do this?
Best regards
You can try the following approach.
Note that the need to provide credentials explicitly is a workaround for the infamous double-hop problem.
# The list of computers on which to run the setup program.
$remoteComputers = 'computer1', 'computer2' # ...
# The full UNC path of the setup program.
$setupExePath = '\\server\somepath\setup.exe'
# Obtain credentials that can be used on the
# remote computers to access the share on which
# the setup program is located.
$creds = Get-Credential
# Run the setup program on all remote computers.
Invoke-Command -ComputerName $remoteComputers {
# WORKAROUND FOR THE DOUBLE-HOP PROBLEM:
# Map the target network share as a dummy PS drive using the passed-through
# credentials.
# You may - but needn't - use this drive; the mere fact of having established
# a drive with valid credentials makes the network location accessible in the
# session, even with direct use of UNC paths.
$null = New-PSDrive -Credential $using:cred dummy -Root (Split-Path -Parent $using:$setupExePath) -PSProvider FileSystem
# Invoke the setup program from the UNC share.
& $using:$setupExePath
# ... do other things
}
Is there a way to create group of users with group policy apllied to them via Powershell/CMD?
My machine is not joined to a domain.
I want to prepare a script which I will use multiple times on other local computers/ machines to recreate group policy.
I want e.g restrict user access to Control Panel, Internet Access and stuff like that.
Thanks from advance for answers
For computers not joined to the domain, you can't use Group Policy. You will need to use Local Policy. Many of the items that you are looking for will simply be registry value that you can easily set with a PowerShell script. For example the policy for Hiding Fast User Switching toggles can be toggled like this:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name HideFastUserSwitching -Value 0
You can look up where the values are by reading the .admx templates
Alternatively you could use David Wyatt's PowerShell module to read and modify policy files.
Finally the last option would be create the policy on one computer and then overwrite the .pol files on all the computers and then gpupdate /force. This of course could be scripted with PowerShell.
Copy-Item \\ExampleComputer1\C$\Windows\System32\GroupPolicy\Machine\Registry.pol \\ExampleComputer2\C$\Windows\System32\GroupPolicy\Machine\Registry.pol -Force
Copy-Item \\ExampleComputer1\C$\Windows\System32\GroupPolicy\User\Registry.pol \\ExampleComputer2\C$\Windows\System32\GroupPolicy\User\Registry.pol -Force
Security Templates would have to be exported from the Security Templates mmc snapin and then imported on the other computers with secedit
secedit /configure /db %temp%\temp.sdb /cfg yourcreated.inf
Using that solution --> Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name HideFastUserSwitching -Value 0
Doesn't work.
I mean e.g:
Set-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" -Name NoRecycleBinIcon -Value 1
.admx template.
It should make my desktop recyclebin gone. This is just an example other settings also stays unchanged.
I want to access this path Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age in local group policy editor and modify its value through powershell script. I have tried to import module group (Get-Command -Module group*) but no methods/module is found.I have tried the following way in powershell and it didn't work.
Set-ItemProperty -Path \Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -Name Maximum password age -Value 20
Can someone help me in modifying the value through powershell scripting.
I am new to powershell scripting,so please ignore if any wrong info is
provided.
You can find it in windows registry, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
MaximumPasswordAge REG_DWORD
You can get/set Registry values, somewhat counter-intuitively with the [get/set]-itemproperty commands.
Example:
Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ -Name AllowCredSSP
However, this likely won't reflect in the Local Group Policy Editor interface.
Look up LGPO.exe, documentation is scarce, but it seems to work:
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
(Current download is in the "Security Compliance Toolkit")
https://www.microsoft.com/en-us/download/details.aspx?id=55319
For parameters like max password age, I think best way is to use net.exe commant. Try to execute
net.exe accounts /?
For more complicated group policies in computer without domain, you can prepare policies in one computer, export it to file, and inport in other computers, by using secedit.exe
Try to google secedit /export, secedit /import usage
You can call secedit from powershell without any problems
I need to set the share permissions of a remote share from a Powershell 4 script. I've looked at this page, specifically the command Grant-SmbShareAccess but that cmdlet sets permissions on local shares, I would love to have seen a -ComputerName parameter but, alas, there isn't one.
I want to do something like: Grant-SmbShareAccess -ComputerName MYREMOTESERVER -Name <share_name> -AccountName <domain_account> -AccessRight Full
Any ideas on how to do this? My remote server could be a Windows Server or a NetApp vFiler.
EDIT
I tried Matt's suggestion of Invoke-Command in the comments against a NetApp vFiler and got this error:
Connecting to remote server MYREMOTESERVER failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Changing the security of the share in Windows Explorer works fine.
Grant-SmbShareAccess is a CDXML command, which means that it uses CIM. As you've already noticed, it should only work on a Windows system running at least PSv3 (in this case the WMI class used only exists on Windows 8 and Server 2012 or higher).
There may be other ways to do this against a non-Windows server, but I would try the PowerShell Access Control Module:
$SharePath = "\\ServerName\ShareName"
$Principal = <account name here>
# Add permission to $Principal (-Force will suppress the prompt)
Get-SecurityDescriptor -Path $SharePath -ObjectType LMShare |
Add-AccessControlEntry -Principal $Principal -LogicalShareRights FullControl -Apply #-Force
# Verify:
Get-SecurityDescriptor -Path $SharePath -ObjectType LMShare |
Get-AccessControlEntry
I honestly don't know if this will work since I've only tested it against Windows servers and I don't deal with share permissions very often. Try it out, and if it works, I'll take this part out of the answer.
For Windows Server SMB shares, use the -CimSession parameter.
For non-Windows SMB shares, I would not expect the Windows SMB administration cmdlets to work with them.
The Netapp Powershell toolkit will help with this. Once installed you can import the module into your script, and manage your shares. Here is a rough example that connects to a filer, prompts for a sharename, then configures that share with some default permissions:
# Import the Netapp Powershell Module
import-module dataontap
# Connect to the filer
connect-nacontroller *filername*
# Get the sharename
$sharename = Read-Host -Prompt 'Enter the share you want to configure'
# Configure the CIFS Permissions
Set-NaCifsShareAcl $sharename "Authenticated users" -AccessRights "Change"
Set-NaCifsShareAcl $sharename filername\administrators -AccessRights "Full Control"
Set-NaCifsShareAcl $sharename domain\somegroup -AccessRights "Full Control"
Remove-NaCifsShareAcl $sharename everyone