Install RDS with Powershell on local server - powershell

I'm pretty new to Powershell and wanted to create a script that install the Remote Desktop Service which is a prerequisite of my application. (I'm on R2012 btw)
I already found that it's possible to do so with a domain account on a remote server (due to the restart needed during installation). I used:
New-RDSessionDeployment [-ConnectionBroker] <String> [-SessionHost] <String[]> [[-WebAccessServer] <String> ]
Now, I want to install RDS on my local server when I launch my Powershell script (as I can do with the Server Manager GUI). The goal is to install RDS and my application in the same Powershell script without the need to do it using a remote server.
Is it possible to do so ? Should I use the role-based RDS installation or is there any tricks I can use to bypass the local server restart (like maybe a workflow) ?

You just need to add the RDS Feature
Add-WindowsFeature –Name RDS-RD-Server –IncludeAllSubFeature -Restart
If you don't include -Restart the restart is not performed - but will be needed before the feature can be used.

Yes , on the context that you need to use New-SessionDeployment but having being said you still need the remotedesktop module to be imported first using
Import-Module RemoteDesktop
Now you need have RD Connection Broker, RD Web Access, and RD Session Host by using:
New-SessionDeployment –ConnectionBroker server.domain.com
–WebAccessServer server.domain.com –SessionHost server.domain.com
Now you need a Licensing Role, use:
Add-RDServer -Server server2.domain.com -Role RDS-LICENSING
-ConnectionBroker server1.domain.com
NOw we have use the deployment for the licensing , use :
Set-RDLicenseConfiguration -LicenseServer server2.domain.com -Mode PerUser
-ConnectionBroker server1.domain.com
Now you can use ,
New-RDSessionCollection and can publish New-RDRemoteapp
This should help you in proceeding further.

Related

WOL works outside of Powershell

Regardless of what Script I use I can not get PowerShell 5.1 to trigger a boot on my Hyper-V Host.
I can use the solarwinds WakeonLan tool to boot the server, but I would like to find a solution that would work natively.
I tried many scripts I had found online and as a last ditch effort, I installed the "WakeOnLAN 1.0" Module but while it says it executes successfully the server does not boot
PS C:\WINDOWS\system32> Invoke-WakeOnLan 52:a4:4c:52:d7:52 -Verbose
VERBOSE: Wake-on-Lan Packet sent to 52:a4:4c:52:d7:52
What could cause the server only to boot with the SolarWinds WakeOnLan.exe but not natively in Powershell?
As it may be relevant the computer I am attempting to send the MagicPacket from is a MultiNic Machine but only 1 NIC is IP'd on the subnet of the Hyper-V server.
Other Scripts I attempted to use:
https://www.pdq.com/blog/wake-on-lan-wol-magic-packet-powershell/
https://powershell.one/code/11.html
Something like this works for me with remote powershell, going to the same subnet the down computers are on. Fast startup also has to be disabled in the windows 10 registry (HiberbootEnabled=0).
$mac = #{comp002 = '00:11:22:33:44:55'; comp003 = '00:11:22:33:44:56'}
$compsDown = 'comp002','comp003'
# (,) is silly workaround to pass array as invoke-command arguments
icm comp001 invoke-wakeonlan.ps1 -args (,$mac[$compsDown])

Connect to Azure VM from local

i'm absolutely beginner in power-shell scripting and windows automation.so any help would be appreciated.
i have access to a Azure-VM in my local pc at office. There are some tasks that i need to do daily on my local and VM machine. i am trying to automate these tasks with powershell.
At one step i need to copy some CSV files from my VM to local and this is where i'm stuck.
How do i connect to provided AzureVM from my local machine?(i'm not an admin for azure portal)
I have User-Name , Password & my VM name(****.cloudapp.net) to connect in Remote Desktop Connection. i want to know if i can connect to provided VM and copy some files if yes then how!
i have been searching for ways to connect but cant find any solution.
i have installed azure module for powershell, tried Get-AzureVM but this does not work. As i said earlier any help would be really appreciated. thanks
First, please check port 5985 is listening on Azure VM using
netstat -ano
Then you need to add an inbound rule to allow the port 5985 on the NSG associated with the Azure VM in the azure portal. For the error message
The WinRM client cannot process the request
you need to add the remote Azure VM to the local machine's TrustedHosts list by executing the following command in the commands prompt as an administrator:
winrm set winrm/config/client #{TrustedHosts="Azure VM public IP address"}
I can copy a file folder named test from Azure VM to a local folder named tesp with powershell commands as below:
$c = Get-Credential
$sess =New-PSSession -ComputerName ip address -Port 5985 -Credential $c
Copy-Item -FromSession $sess -Path d:\test -Destination c:\tesp -Recurse
More information about Powershell Remoting.

Powershell remoting - cannot execute an exe as another user

I've a commandline program (c#) that encrypts config files based on machine key.
A powershell script copies the build to a Target Server, modifies configs accordingly and installs windows services.
All the windows services run as local system account (standard user, non-admin) - let's call this account "locuser".
The Target Server is a Win 2012 R2 Server. All of the above is achieved by PS remoting from the Build Server to this Target server.
Now, I need to run the encrypt commandline program as "locuser", so that the program can use the account specific key to do the encryption.
I know that this can be easily achieved by calling Start-Process cmdlet with -Credentials parameter. Well, here's the catch, the above works fine, if I remote in (RDP) to the Target Server and then run the Start-Process .... -Credential $cred from a Powershell Console.
However, I need this to be working while I remote-in (using my scripts) to the TargetServer whilst deploying. When I remote-in to the TargetServer I use credentials that has Admin privileges.
I've tried the following
I've granted "locuser" both "Full Control" and "Invoke (Execute)" permissions by using the Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI command. I've run this command for both Microsoft.Powershell and Microsoft.Powershell32 - Still get Access Denied
I've edited the "Local Security Policy"->"Local Policies"->"User Rights Assignment"->Impersonate a client after authentication - and added both the Admin account (that I login with) and the "locuser" account - Still get Access Denied
I've also granted locuser admin rights - Still get Access Denied
I'm pretty sure, there is some configuration on the PS Remoting Side of things that I'm missing out but can't figure out what - because all Powershell throws me is a Access Denied error (see screenshot) with little to no useful information to troubleshoot further.
Also, checked Event logs for any traces but to no avail.
You've fallen prey to the dreaded Double Hop. Basically you're authenticating from computer A to computer B, then trying to authenticate again from computer B to computer C (which also happens to be B in this case).
If at all possible, you would be better off ending the session and starting a new one with the locuser credentials, then just calling Start-Process. Another, more messy approach is to use schtasks.
I can tell you how to do it in the same session but it's a bit messy and very complicated, and should only be a last resort:
On the originating server (Build Server):
Run the command Enable-WSManCredSSP -Role Client -Delegate [name] where [name] is an IP or DNS address / range including any target servers (eg "192.168.1.*")
Open GPEdit.msc, navigate to Computer Configuration\Administrative Templates\System\Credentials Delegation and check that the rules Allow delegating fresh credentials and Allow delegating fresh credentials with NTLM... are enabled and include [name]
On the Target Server:
Run the command Enable-WSManCredSSP -Role Server
Running the command:
Invoke-Command [targetserver] [-Credential $cred] -Scriptblock {
## do stuff
Invoke-Command . -Credential $locusercred -Authentication Credssp -ScriptBlock {
Start-Process -FilePath $sc #etc
}
}
Some things to be aware of:
Firstly I used this setup to create a local session, then remote from there (so A-A-B instead of A-B-B) so the Group Policy stuff might be in the wrong place but pretty sure it's right.
Secondly I found that credentials are a pain to get working in sessions (in this case $locusercred). I did get it going natively but weirdly it suddenly couldn't decrypt the securestring. I ended up saving a securestring with a defined key to the registry so it can always be decrypted from any account, you may need to come up with your own solution there.
All this stuff is explained in the free eBook "The Secrets of PowerShell Remoting", if you go for the double-hop approach I recommend giving it a read.

Install role services using command line

I am taking a Windows Server class and I am supposed to install/uninstall some role services using CLI and PowerShell.
Now it was easy to figure out using PowerShell since there are Install-WindowsFeature and Uninstall-WindowsFeature cmdlets.
But my lab assignment is asking me to provide commands for the CLI.
Is there a way to install/uninstall role services from the CLI?
Just to note: I am using Microsoft's MOAC Lab Set.
Install-WindowsFeature –Name feature_name -ComputerName computer_name -Restart

Why do I get an UnauthorizedAccessException running Octopus Tentacle as an administrator via Chef?

I'm using Chef to configure a Windows 2012 Server (RTM), including installing the Octopus Tentacle service so I can then deploy software onto this instance using Octopus Deploy.
My workstation (the Chef client) is running Windows 7 x64 SP1. The server is hosted in VMware Workstation, and is running Windows 2012 Server x64 RTM. It's booted from a sysprepped baseline image, and everything's working really nicely until the Chef recipe tries to create a new Octopus certificate.
The octopus.rb Chef recipe wraps a chunk of Powershell, and the bit that actually does the Octopus Tentacle installation looks like this:
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{source_path_tanticle}", "#{install_path_tanticle}")
Start-Process -FilePath msiexec -ArgumentList /i, "#{install_path_tanticle}", /quiet -Wait | out-file -filepath C:\\Octopus.log -append
netsh advfirewall firewall add rule name="Octopus" dir=in action=allow protocol=TCP localport=#{tanticle_port} | out-file -filepath C:\\Octopus.log -append
cd "C:\\Program Files (x86)\\Octopus Tentacle\\Agent"
.\\tentacle.exe configure --appdir="C:\\Applications" --port=#{tanticle_port} --trust="#{octopus_server_Thumbprint}" | out-file -filepath C:\\Octopus.log -append
.\\tentacle.exe new-certificate | out-file -filepath C:\\Octopus.log -append
.\\tentacle.exe register-with --server=$octopusServer --publicHostname=$publicDnsName --environment=$environment --role=web --apikey=$octopusServerApiKey | out-file -filepath C:\\Octopus.log -append
When this script calls tentacle.exe new-certificate it's throwing an UnauthorizedAccessException:
Generating and installing a new cetificate...
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at Octopus.Shared.Security.CertificateGenerator.Generate(String fullName, Boolean exportable) in c:\w\e6923628be6eaf72\source\Octopus.Shared\Security\CertificateGenerator.cs:line 25
at Octopus.Tentacle.Commands.NewCertificateCommand.Execute() in c:\w\e6923628be6eaf72\source\Octopus.Tentacle\Commands\NewCertificateCommand.cs:line 31
at Octopus.Shared.Startup.CommandProcessor.Process(String[] args) in c:\w\e6923628be6eaf72\source\Octopus.Shared\Startup\CommandProcessor.cs:line 40
The Chef client service is running as Administrator (at least, when I dump $env:username into the octopus.log file created during install, it says Administrator) so I'm not sure what file/folder/resource the Octopus tentacle is trying to access.
The actual Chef command being run to bootstrap the node is:
knife bootstrap windows winrm 192.168.202.137 -x Administrator -P p#ssw0rd -r 'role[web_server]'
where 192.168.202.137 is the IP address of the newly-booted Win2012 server and p#ssw0rd is the local administrator password on that server.
Running the same commands manually on the server whilst logged in as Administrator works perfectly, so it's something to do with the chef/winrm/powershell remoting.
One theory is that I'm hitting some sort of DCOM/WinRM security edge case because I'm running different OSes on the client and server (Win7 x64 vs Win2012) - but given the invocation chain here is cmd.exe -> Ruby -> WinRM -> Ruby -> Powershell I'm a little lost as to how I would remedy, or even verify, such a problem...
Is it possible that when you invoke PowerShell over WinRM, the profile for the administrator user isn't being loaded? Can you force loading of the user profile?
Still not quite sure why this occurs, but working around it by getting mixlib-shellout to do a psuedo-"run as" seems to work well. Note that this is still as exactly the same user, but somehow on Windows it appears you can be logged in as the user without actually being fully logged in as the user....
In theory, start-process should be able to do the same thing (without the need for the user's password) but making that run reliably was a world of pain, and so for the moment we're sticking with mixlib-shellout.
In case it's a permissions problem, try granting Read and Enroll and Write access to Everyone by using the Sites and Services snap-in for MMC. You can set the access rights on the Security tab by expanding the following items: Services, Public Key Services, Certificate Templates. Note that the Show Services Node check box must be selected on the View menu to see the Services tab.