Windows
96 Topics

A simple example of Windows PowerShell Just Enough Administration (JEA)!
Dear Microsoft and PowerShell Friends,

Using PowerShell to establish a remote connection and then manage, for example, a domain controller or any other server that is a member of the domain, is really fun. But what about security? When I as a domain administrator establish a remote connection, I have a huge number of cmdlets at my disposal.

#We start a "normal" remote connection and check how many cmdlets are available
Enter-PSSession -ComputerName dc01
(Get-Command).count

Maybe you (the administrator) do not always want to establish the remote connection to a specific server to process an existing task, but you would like to delegate this step to another person. But only in a way that this person cannot work with too many cmdlets. That's where PowerShell Just Enough Administration (JEA) comes in. With this technique you can, for example, provide a specific Active Directory group with exactly the number of cmdlets to perform the necessary work on the desired server.

JEA is best suited for tasks that are clearly defined. JEA is not suitable for troubleshooting or research.

The best place to start is in Active Directory:

1. Create a security group with the name Helpdesk in AD.
2. Add a user (or users) to the group

After that we switch to the PowerShell ISE (on the server where you want to make the cmdlets available) or the one you trust (maybe VSCode ;-).

#Are comments!

#We navigate into the following path
Set-Location 'C:\Program Files\WindowsPowerShell\Modules'
#Create a new directory
New-Item -ItemType Directory Helpdesk
#Navigate to the directory
Set-Location Helpdesk
#Create a new directory
New-Item -ItemType Directory RoleCapabilities
#Navigate to the directory
Set-Location RoleCapabilities
#Creates a file that defines a set of capabilities to be exposed through a session configuration
New-PSRoleCapabilityFile -Path .\Helpdesk.psrc
#Now we edit this file
ISE .\Helpdesk.psrc

In this file you can specify among others cmdlets, functions and also commands that can be used. In this example I provide "Get-Service" and "whoami". In a practical example, you would provide all the necessary commands/cmdlets needed for the specific task (just as the case may be).

#Creates a file that defines a session configuration
New-PSSessionConfigurationFile .\Helpdesk.pssc
#Now we edit this file
ISE .\Helpdesk.pssc

In this file, you can specify the session configuration, a virtual administrator account, and user roles, among other things.

#Let us check the settings
Test-PSSessionConfigurationFile .\Helpdesk.pssc
#Creates and registers a new session configuration
Register-PSSessionConfiguration -Name Helpdesk -Path .\Helpdesk.pssc
#We need to restart the WinRM Service
Restart-Service WinRM
#Gets the registered session configurations on the computer
Get-PSSessionConfiguration

Now switch to the system from which you want to establish a remote session.

#We establish a connection
Enter-PSSession -ComputerName dc01 -ConfigurationName Helpdesk -Credential grid\james.west
#And check the number of cmdlets and the account created for the connection
Get-Command

We now have exactly the cmdlet and the command we specified. We also see that the session was established with a virtual account. This means that these credentials are not saved after the session ends.

#Close the Session
Exit-PSSession

Back to the server.

#(Optional) Deletes registered session configurations from the computer
Unregister-PSSessionConfiguration -Name Helpdesk

Clearly, that was not super spectacular or fancy. But I still wanted to share my experience with you. Thank you for taking the time to read this article.

Kind regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

7.9K Views | 4 likes | 0 Comments

Windows 10 Subscription Activation via Powershell
We recently purchased E3 Subscription licenses for Windows 10. Microsoft's documentation states for existing enterprise deployments, the following script should be run via a command line:

@echo off
FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO (
SET "ProductKey=%%A"
goto InstallKey
)
:InstallKey
IF [%ProductKey%]==[] (
echo No key present
) ELSE (
echo Installing %ProductKey%
changepk.exe /ProductKey %ProductKey%
)

I'm attempting to re-write this in powershell so we can use it as a remediation step in a configuration baseline in SCCM. Below is the powershell script I wrote:

$ProductKey = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
if ($ProductKey){
    start-process c:\Windows\System32\changePK.exe -ArgumentList "/ProductKey $ProductKey"
}

The script runs without error, but it's not actually completing the intended task (activating the embedded windows 10 pro key). I'm not sure where I'm going wrong. I'm pretty new to powershell so any assistance would be greatly appreciated.

41K Views | 1 like | 8 Comments

Using a Script to Data to Others
Hello guys

Well, first of all, I apologize in advance as I still use an online translator to be able to communicate. That said, here's my question: I have a Script - nothing too complex, I'm still a beginner - that is getting a little big, with many lines. I thought about splitting them into parts, which would make it easier for me to manage. I had seen a way to write, for example, a Script that could collect information whenever another was invoked. Something similar to this example:

Script 01: file1.ps1
$NPC = $Env:COMPUTERNAME
$DATE = date

Script 02: file2.ps1
.\file1.ps1
Write-Host "the pc name is" $NPC
...

Script 03: file3.ps1
.\file1.ps1
Write-Host "Today is" $DATA...

In theory this should work. Via ISE works. But not in practice. I really don't know where my fault would be and if this is really possible. Can you help me? Clarify and better understand this issue? Thanks a lot for the help everyone! And good week!

Solved | 1.2K Views | 1 like | 3 Comments

Part 5 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!
Dear Microsoft Azure and Microsoft 365 Friends,

This article continues with the topic Microsoft Graph PowerShell SDK. Part 1 to 4 can be found here:

https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3300352
https://techcommunity.microsoft.com/t5/windows-powershell/part-2-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3302366
https://techcommunity.microsoft.com/t5/windows-powershell/part-3-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3339696
https://techcommunity.microsoft.com/t5/windows-powershell/part-4-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3409310

This article is about connecting to Exchange Online. Remember: Connections to the Microsoft Graph are protected by one or more permission scopes.

Service Scopes:
Exchange Online (Focus in this article): Mail and Calendar
SharePoint Online: Files and Sites
Microsoft Teams: Teams, Channels, Chats and Members

Mail Delegated Permissions:
Mail.Read: Allows reading mail in user mailboxes
Mail.ReadBasic: Allows reading mail in the signed-in user's mailbox, except for body, bodyPreview, uniqueBody, attachments, extensions, and any extended properties
Mail.ReadWrite: Allows creating, reading, updating, and deleting mail in user mailboxes
Mail.Read.Shared: Allows reading mail that the user can access, including the user's own and shared mail
Mail.ReadWrite.Shared: Allows creating, reading, updating, and deleting mail that the user has permission to access, including the user's own and shared mail
Mail.Send: Allows sending mail as users in the organization
Mail.Send.Shared: Allows sending mail as the signed-in user, including sending on-behalf of others
MailboxSettings.Read: Allows reading user's mailbox settings
MailboxSettings.ReadWrite: Allows creating, reading, updating, and deleting user's mailbox settings
IMAP.AccessAsUser.All: Allows reading, updating, creating and deleting mail in user mailboxes
POP.AccessAsUser.All: Allows reading, updating, creating and deleting mail in user mailboxes
SMTP.Send: Allows sending mail as users in the organization

Mail Application Permissions:
Mail.Read: Allows reading mail in all mailboxes without a signed-in user
Mail.ReadBasic.All: Allows reading all users mailboxes except Body, BodyPreview, UniqueBody, Attachments, ExtendedProperties, and Extensions
Mail.ReadWrite: Allows creating, reading, updating, and deleting mail in all mailboxes without a signed-in user
Mail.Send: Allows sending mail as any user without a signed-in user
MailboxSettings.Read: Allows reading user's mailbox settings without a signed-in user
MailboxSettings.ReadWrite: Allows creating, reading, updating, and deleting user's mailbox settings without a signed-in user

Calendar Delegated Permissions:
Calendars.Read: Allows reading events in user calendars
Calendars.Read.Shared: Allows reading events in all calendars that the user can access, including delegate and shared calendars
Calendars.ReadWrite: Allows creating, reading, updating, and deleting events in user calendars
Calendars.ReadWrite.Shared: Allows creating, reading, updating, and deleting events in all calendars the user has permissions to access

Calendar Application Permissions:
Calendars.Read: Allows reading events of all calendars without a signed-in user
Calendars.ReadWrite: Allows creating, reading, updating, and deleting events of all calendars without a signed-in user

Connecting to Exchange Online:

Set-Location C:\
Clear-Host
#If needed
Import-Module Microsoft.Graph
#Set the API to the 'beta' endpoint
Select-MgProfile -Name "beta"
#We check the profile
Get-MgProfile
#Connection for Creating, Reading, Updating, and Deleting Mail
$scopes = @("Mail.ReadWrite")
Connect-MgGraph -Scopes $scopes
#We search for a UserID
Get-MgUser
#An example
$User = Get-MgUser -UserId "ab8637c3-39ba-47f3-ad53-7fcd9a3f49a6"
$mailfolders = Get-MgUserMailFolder -UserId $User.Id -All
$mailfolders
#Connection for Sending Mail as Users in the Organization
$scopes = @("SMTP.Send")
Connect-MgGraph -Scopes $scopes
#Connection for Creating, Reading, Updating, and Deleting Events in User Calendars
$scopes = @("Calendars.ReadWrite")
Connect-MgGraph -Scopes $scopes
#An example
$User = Get-MgUser -UserId "ab8637c3-39ba-47f3-ad53-7fcd9a3f49a6"
$calendar = Get-MgUserCalendar -UserId $User.Id -All
$calendar
#Core Connection for Managing Mail and Calendar
$scopes = @("Mail.ReadWrite","Calendars.ReadWrite")
Connect-MgGraph -Scopes $scopes

So that's it again for part 5, we'll see you again in the next part! A little preview, in the next part we'll talk about SharePoint Online and Microsoft Teams in the Microsoft Graph. See you soon. I hope this article was useful. Thank you for taking the time to read the article.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

2.3K Views | 1 like | 2 Comments

Batch file: filename with ampersand (&)
Hello,

I have a simple bat file named "test&.bat" with this content:

@echo off
echo This is test.bat
pause

When I use "Run as administrator" on the file, the pause command is not handled. When I double-click on the file, it works. When I rename the file as "test.bat", it works even with "Run as administrator". Do you have any idea why the ampersand character causes troubles with "Run as administrator"?

Solved | 15K Views | 1 like | 4 Comments

Service control manager cached credentials
Our AD joined, ESU licensed win7 pro devices have 4-5 application services that log on using an AD account as opposed to the local system account. Code snippet listed here (changing-the-password-on-a-service's-user-account) shows how to update the password in Service Control Manager (SCM) through C++. I'm using ADSI in Powershell to update password in AD. However, can Powershell be utilised to update password cached in SCM too?

2.1K Views | 1 like | 3 Comments

Issue with Uninstall-Module in PowerShell
Hi,

I have installed the latest version of the module PowerShell Get (2.2.4.1). Now I wanted to uninstall the older version 1.0.0.1, but I can't do that with the Uninstall-Module cmdlet.

Host System: Windows Server 2012R2
PowerShell Version: 5.1.14409.1018

I tried that:

Uninstall-Module -Name PowerShellGet -RequiredVersion 1.0.0.1

The following error message:

PackageManagement\Uninstall-Package : No match was found for the specified search criteria and module name PowerShellGet.
At C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:2157 char:21
+ ... $null = PackageManagement\Uninstall-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft.Power...ninstallPackage:UninstallPackage) [Uninst , Exception
+ FullyQualifiedErrorId : NoMatchFound,Microsoft.PowerShell.PackageManagement.Cmdlets.UninstallPackage

But the folders are in C

Any Idea?

5.9K Views | 1 like | 2 Comments

Measure network traffic
Hi,

Any good ideas how to measure amount of network traffic single CMDLet is causing? Let say you run:

Get-Service -ComputerName yourServer.domain.com

What would be the easiest way to measure amount of network traffic caused by this? Like to compare different CMDLets and above was only a simple example. In my mind Network monitor / WireShark are not so useful options in here. Wish to get just two numbers:

- Sent Bytes
- Received Bytes

1.1K Views | 1 like | 1 Comment
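
For the JEA walkthrough in the first topic on this page, which opens Helpdesk.psrc and Helpdesk.pssc in the ISE without showing what goes into them: the following is an added example, not part of the original post, that writes both files from the command line with the same two commands exposed and then checks what a group member would actually get. The domain name GRID is taken from the credential used in the post; the transcript folder path is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: builds the JEA endpoint described in the first topic without hand-editing.
# Assumptions: NetBIOS domain 'GRID', AD group 'Helpdesk', transcript folder path below.

$roleDir     = 'C:\Program Files\WindowsPowerShell\Modules\Helpdesk\RoleCapabilities'
$transcripts = 'C:\ProgramData\JEA\Transcripts'   # assumed path
New-Item -ItemType Directory -Path $roleDir, $transcripts -Force | Out-Null

# Role capability file: expose only Get-Service and whoami.exe (by full path,
# so the lookup does not depend on PATH inside the session).
$role = @{
    Path                    = Join-Path $roleDir 'Helpdesk.psrc'
    VisibleCmdlets          = 'Get-Service'
    VisibleExternalCommands = 'C:\Windows\System32\whoami.exe'
}
New-PSRoleCapabilityFile @role

# Session configuration file:
#  - RestrictedRemoteServer hides everything except a few built-ins
#    (Get-Command, Get-Help, Exit-PSSession, Select-Object, ...) plus the role's commands
#  - RunAsVirtualAccount runs the session as a temporary account, not the caller
#  - RoleDefinitions maps the AD group to the role capability named 'Helpdesk'
#  - TranscriptDirectory records every session for later review
$psscPath = Join-Path $roleDir 'Helpdesk.pssc'
$session = @{
    Path                = $psscPath
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $transcripts
    RoleDefinitions     = @{ 'GRID\Helpdesk' = @{ RoleCapabilities = 'Helpdesk' } }
}
New-PSSessionConfigurationFile @session

# Refuse to register a file that does not validate.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}

# -Force suppresses the prompt and restarts WinRM, which drops open remote sessions.
Register-PSSessionConfiguration -Name Helpdesk -Path $psscPath -Force

# Verify from the server side which commands a given user receives,
# without having to log on as that user.
Get-PSSessionCapability -ConfigurationName Helpdesk -Username 'GRID\james.west' |
    Sort-Object Name |
    Select-Object Name, CommandType
```

On a domain controller such as dc01 the virtual account is a member of Domain Admins rather than a local administrator, so the visible command list is the only thing limiting what a Helpdesk member can do there. Review the `Get-PSSessionCapability` output after every change to the role capability file.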