Powershell Grant IIS_IUSRS access to SMTP metabase - email

OK, I am attempting to transfer a manual change to PowerShell:
granting IIS_IUSRS access to the /LM/SmtpSvc/ and /LM/SmtpSvc/1/ nodes in the IIS Metabase.
I have googled extensively and cannot find an example of what I am looking for.
I have been trying to play with
$smtp = [wmiclass]'root\MicrosoftIISv2:IIsSmtpServerSetting'
But I am in a little over my head with WMI.
Any help would be appreciated. This setting is required for resolving this.

Not an exact answer, but the best I have so far. Following the guide here, I chose option 1 and changed the app pool to Network Service. I will still work on a way to do the permissions settings with PowerShell.
Update (solution untested)
I found this answer on another post that details how to do it using scripts in the IIS 6.0 resource toolkit. To get these scripts on Server 2012 you have to install the IIS 6.0 resource toolkit; the only way I can find to do a silent install of this one was located here. From there you can call the scripts using cscript.exe. I stuck with the changing user on the app pool option because it fits in with other things as well.

Related

Which powershell module does the Get-PrivacyManagementRule command fall in?

I've been trying to figure out how a few security settings in an M365 tenant can be configured via PowerShell.
I was looking into Privacy Management in the admin console, which has a bunch of settings I required, e.g. data retention period for subject rights requests.
I was not able to find anything in the Microsoft documentation, but by some hit and trial I found a command: Get-PrivacyManagementRule. Turns out it has a lot of settings I was looking for.
I'm currently not sure whether I can use this command or whether it will eventually be deprecated, since there is literally 0 information about this command from Microsoft.
Can anyone with more info on this help me out?

Powershell Script to list all Domain connected hosts

I'm busy writing a script as a project to audit Windows Servers for PCI compliance. One of the things my project lead has asked me to attempt is to get a list of all hosts that are connected to a domain. However, this script needs to be able to run on any Windows server without being able to import any modules, so I'm stuck with whatever tools already exist on a bare machine.
I've already written parts of the script that can rely on the 'active directory' modules, but I also need to find a way to get information without any DNS or Domain roles installed.
The closest I can get to achieving this is by using the 'netdom' command; however, this relies on usernames and passwords that I cannot query for in the auditing script.
I've tried tools like nslookup and a few other things I've come across while looking for answers online, but most of it seems to rely on modules that I cannot install on the machines that the script will need to run on.
Does anyone know if this can actually be done? And if so, how can I achieve this?
Edit: for a bit more clarity, I need a way to get a list of all machines in the domain from machines that are NOT a domain controller and I cannot alter these machines at all.
As per boxdog's comment, the ([adsisearcher]"objectcategory=computer").findall() command works just fine.
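An added example (not part of the original post) that extends the one-liner above for audit use: it turns on paging so the result is not cut off at the directory server's page limit, loads only the attributes it reports, and converts lastLogonTimestamp to a date. The function name and the choice of attributes are assumptions made for illustration; it uses only the built-in [adsisearcher] accelerator and must run on a domain-joined machine under a domain account.

```powershell
# Added example: module-free inventory of computer objects in the current domain.
function Get-DomainComputerInventory {
    $searcher = [adsisearcher]'(objectCategory=computer)'
    # Without PageSize the search returns at most one server page (1000 objects by default).
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange(
        [string[]]('name', 'dnshostname', 'operatingsystem', 'lastlogontimestamp'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $p = $r.Properties
            # Attributes may be absent on an object; take the first value if there is one.
            $raw = $p['lastlogontimestamp'] | Select-Object -First 1
            [pscustomobject]@{
                Name            = $p['name']            | Select-Object -First 1
                DnsHostName     = $p['dnshostname']     | Select-Object -First 1
                OperatingSystem = $p['operatingsystem'] | Select-Object -First 1
                # lastLogonTimestamp is a Windows FILETIME (100 ns ticks since 1601, UTC).
                LastLogonUtc    = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
            }
        }
    }
    finally {
        # SearchResultCollection holds unmanaged resources until disposed.
        $results.Dispose()
    }
}

# Example use: oldest logons first, to make stale machine accounts stand out.
Get-DomainComputerInventory | Sort-Object LastLogonUtc | Format-Table -AutoSize
```

lastLogonTimestamp is replicated lazily between domain controllers, so treat it as approximate when flagging stale hosts.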

Where is the MSA operational log?

I have created a gMSA like this:
New-ADServiceAccount -name Cust00000 -DNSHostName Cust00000.domain.com -PrincipalsAllowedToRetrieveManagedPassword "IIS_IUSRS" -ManagedPasswordIntervalInDays 60
And life seems to be good. However, when I run
Test-ADServiceAccount Cust00000
This is what I get:
False
WARNING: Test failed for Managed Service Account Cust00000. If standalone Managed Service Account, the account is
linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does
not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required
for the gMSA. See the MSA operational log for more information.
I checked event viewer -> Application and Services Logs -> Microsoft -> Windows -> Apps -> Microsoft-Windows-TWinUI/Operational but this does not appear to be correct. Where (and possibly what) is the MSA operational log?
EDIT: For the overall issue, I had tried Install-ADServiceAccount but it wasn't working. I gave up on that and finally got it working (for a gMSA named Domain\sirdank$) with Set-ADServiceAccount sirdank -PrincipalsAllowedToRetrieveManagedPassword "$env:computername$" I've also had luck with passing "Domain Computers" instead of "$env:computername$".
Having a similar issue right now. I think the log you are looking for is in Event Viewer under Microsoft/Windows/Security-Netlogon/Operational log; you might see some 9001/9002 events (Task Category of MSA) which might give you some color on what is happening.
Got this from a recent TechNet blog post that describes troubleshooting gMSA account creation/testing issues. Take a look, it might be relevant to your overall issue: https://blogs.technet.microsoft.com/joelvickery/cannot-install-service-account-the-provided-context-did-not-match-the-target/
Alternate link (it appears the same post was cross-posted with a different title): https://blogs.technet.microsoft.com/runcmd/the-rc4-removal-files-part-1-whats-in-an-error-message/
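An added example (not part of the original posts) that combines the two findings above: it checks whether this computer, or a group it directly belongs to, is listed in PrincipalsAllowedToRetrieveManagedPassword, and pulls the 9001/9002 events from the log the answer names. The function name is hypothetical, and the full channel name Microsoft-Windows-Security-Netlogon/Operational is assumed from the Event Viewer path given in the answer; the ActiveDirectory module is required.

```powershell
# Added example: why does Test-ADServiceAccount return False on this host?
# Requires the ActiveDirectory module (the one that provides New-ADServiceAccount).
function Get-GmsaRetrievalDiagnosis {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'Cust00000' from the question

    $gmsa = Get-ADServiceAccount -Identity $Name `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    $allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)   # distinguished names

    # This computer's own DN plus its direct and primary groups
    # (nested group membership is not expanded here).
    $me   = Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf, PrimaryGroup
    $mine = @($me.DistinguishedName) + @($me.MemberOf) + @($me.PrimaryGroup)

    $match = @($allowed | Where-Object { $mine -contains $_ })

    # MSA events from the log named in the answer (channel name is an assumption).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Security-Netlogon/Operational'
        Id      = 9001, 9002
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Gmsa              = $gmsa.SamAccountName
        AllowedPrincipals = $allowed
        ComputerIsAllowed = $match.Count -gt 0
        MatchedVia        = $match
        RecentMsaEvents   = @($events | Select-Object TimeCreated, Id, Message)
    }
}

Get-GmsaRetrievalDiagnosis -Name 'Cust00000'
```

If ComputerIsAllowed is False, the host can still be allowed through a nested group; if it is True and the test still fails, the event messages are the next place to look.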

A service cannot spawn a new program unless it's running under Local System Account

First of all, I'm not sure if this is generic to services in general, but the problem I'm having is pretty specific, it has got to do with the SageTV service component.
Since there isn't much help over at the SageTV forums regarding this specific subject, I thought maybe this was a generic issue with services and therefore worth asking here at Stackoverflow.
Here goes:
I'm running the SageTV windows service with a plugin activated which is supposed to execute external programs. When running under the Local System Account (with the "Interact with the desktop option" enabled), this works fine. For testing purposes I'm using notepad.exe as the program to execute.
Then I created a new user (let's call it mediabrowser) and changed the SageTV service so it would run as that user. When I do that, the SageTV plugin no longer executes notepad. It just does nothing, I don't get any errors or anything, it's just that nothing happens when notepad should be getting executed.
The mediabrowser user has administrative privileges. The option to interact with the desktop is only available for the Local System Account, and I believe that normal users are always allowed to interact with the desktop anyways.
Is this a general issue with services? If so, what permissions might my mediabrowser user need in order for this to work? I'm pretty sure this is because of permission differences between my mediabrowser user and the Local System Account.
Thanks in advance ...
Uhhh OK. Now I feel like an idiot. I just launched the task manager on the machine and I can see that there are tons of notepad.exe processes under the mediabrowser user, so I guess that notepad IS being executed correctly. It's just not being shown on the desktop.
So I guess this just works :-)

How to configure MAMP to serve perl CGI scripts (NOT localhost!)

I'm using MAMP-pro to serve my domain to the outside world.
I'm not a very experienced sys-admin, though I've slogged my way through a few basic things. I know what apache is, and I can read-most-of but not generate-without-guide related .conf files.
I've got a perl script which I've tested from the command line and it works (outputs as desired.)
When I try to access said script from the browser, I get 404.
I've tried placing the script at:
/Users/me/Sites/mydomain.com/htdocs/mycgi.pl
/Users/me/Sites/mydomain.com/cgi-bin/mycgi.pl
/Users/me/Sites/mydomain.com/htdocs/cgi-bin/mycgi.pl
and accessing it as:
http://www.mydomain.com/mycgi.pl
http://www.mydomain.com/cgi-bin/mycgi.pl
and all the various combinations, all to no avail (404.)
The script and its container directory have permissions 755.
So, what other steps am I missing? Are there any good set-up guides? I tried the MAMP-Pro manual, but it is filled with such information as "the cancel button cancels the current operation" and not really anything useful. Google turned up several hits that all seem to talk about how to make this work on localhost, but I'm trying to serve this to the outside world.
Any hints?
Thanks!
The official online documentation has a section on virtual hosts. When creating a host for www.mydomain.com you can choose the DocumentRoot which is called "Disk location" within MAMP PRO. If you still get a 404 error, take a look into the error_log for a more specific reason (i.e., where Apache tries to find the file in question).