Windows/powershell: Unterschied zwischen den Versionen
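--- a/Windows/powershell
+++ b/Windows/powershell
@@ -35,2 +35,23 @@
 ImportSystemModules
+
+== Set Systemvariables (persistent) ==
+
+[Environment]::SetEnvironmentVariable("CHRIS", "Yadda", "Machine")
+
+# Variable Name
+# Value
+# Scope: User or Machine
+
+To see such changes you need to start a new Powershell window<br/>
+and enter:
+
+Get-ChildItem env:
+
+or
+
+Get-ChildItem env:CHRIS
+
+or
+
+Get-ChildItem env:CHR*
 == get/set netconnectionprofile ==
@@ -62,1 +83,10 @@
 Netdom Query Fsmo
+
+
+
+== get last logon user ==
+
+RPC-Call:
+
+(Get-WmiObject -Class win32_process -ComputerName $c | Where-Object name -Match explorer).getowner().user
+
@@ -96,1 +126,5 @@
 Get-Service | Where-Object {$_.displayName.contains("smartFIX ")}
+
+or (simulate case insensitive)
+
+Get-Service | Where-Object {$_.displayName.toLower().contains("smartfix ")}
@@ -103,4 +137,3 @@
 Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Stop-Service
 Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Restart-Service
-
 == Get Group Memberships of AD-Object ==
@@ -126,4 +159,56 @@
 Get-ADUser -filter * -SearchBase "OU=Eschborn,OU=UserAccounts,OU=Accounts,DC=europe,DC=arifleet,DC=com" \
 -properties name,scriptpath | select name,scriptpath
+
+
+=== Bulk-Replace UPN domain of users ===
+
+<pre>
+Import-Module ActiveDirectory
+$oldSuffix = "olddomain.tld"
+$newSuffix = "newdomain.tld"
+$ou = "OU=Stuttgart,OU=UserAccounts,OU=Accounts,DC=europe,DC=newdomain,DC=tld"
+$server = "localhost"
+
+Get-ADUser -SearchBase $ou -filter * | ForEach-Object {
+$newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
+$_ | Set-ADUser -server $server -UserPrincipalName $newUpn
+}
+</pre>
+
+
+=== Bulk-Clear Manager from AD Users ===
+
+<pre>
+$OU = "OU=Obsolete,DC=dom,DC=domain,DC=tld"
+$users = get-aduser -Filter { mail -like "*" -and ObjectClass -eq "user" } -SearchBase $OU -Properties sAMAccountName,manager
+
+# list managers
+$users.manager
+
+$users | Set-ADUser -Manager $null
+</pre>
+
 == Search/Filter Computers ==
 Get-ADComputer -SearchBase 'OU=Build,OU=MemberServers,dc=europe,dc=arifleet,dc=com' -Filter '*'
+
+
+== Bulk change Group Scope ==
+
+<pre>
+$MySearchBase = "ou=Groups,ou=ABC,dc=lab,dc=local"
+
+$MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"' -SearchBase "$MySearchBase"
+
+# Print list
+$MyGroupList.name
+
+# Set scope
+$MyGroupList | Set-ADGroup -GroupScope Universal
+
+# Now we can change to DomainLocal
+$MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Universal"' -SearchBase "$MySearchBase"
+
+$MyGroupList.name
+
+$MyGroupList | Set-ADGroup -GroupScope DomainLocal
+</pre>
@@ -148,8 +233,15 @@
 # '''/FFT''' uses fat file timing instead of NTFS. This means the granularity is a bit less precise.
 # '''/W:5''' reduces the wait time between failures to 5 seconds instead of the 30 second default.
+# '''/R:2''' reduces the repeat count of failures to 2 tries instead of the 1000000(!) default retries.
 # '''/Z''' ensures robocopy can resume the transfer of a large file in mid-file instead of restarting.
+# '''/B''' copy files in Backup mode.
+# '''/ZB''' use restartable mode; if access denied use Backup mode.
+# '''/MT[:n]''' Do multi-threaded copies with n threads (default 8).
+# '''/CREATE''' creates directories and zero-length files only.
+# '''/XF file [file]...''' eXclude Files matching given names/paths/wildcards.
+# '''/XD dirs [dirs]...''' eXclude Directories matching given names/paths.
 # '''/XA:H''' makes robocopy ignore hidden files, usually these will be system files that we’re not interested in.
 # '''/log:RobocopySync.log''' write output into logfile instead stdout. Use in combination with '''/tee''' to get output to stdout AND logfile
 # '''/COPY:copyflag[s]''' what to COPY for files (default is /COPY:DAT). (copyflags : D=Data, A=Attributes, T=Timestamps). (S=Security=NTFS ACLs, O=Owner info, U=aUditing info).
-
+# '''/COPYALL''' Same as /COPY:DATSOU)
 == set thumbnail-image ==
@@ -172,2 +264,20 @@
 wmic /namespace:\\root\cimv2 path win32_product where "name like '%%.NET%%'" get name,version
+
+
+== List files/folderstructure recursively ==
+
+List files including their relative path and output full UNC Path:
+
+<pre>
+foreach ($myfile in $(ls -R -Name "\\SERVER\Share$\folder\foo\")) {
+$out = "\\SERVER\Share$\folder\foo\" + $myfile
+echo $out >> ./fileList.txt
+}
+</pre>
+
+
+== List shared folders ==
+
+get-WmiObject -class Win32_Share
+
 == get ACL folder permissions ==
@@ -177,2 +287,38 @@
 get-acl C:\folder | Format-List
+<pre>
+$children = get-childitem e:\
+foreach($child in $children) {
+echo $child.name
+(get-acl e:\$child).access | ft -auto IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags
+echo ""
+echo ""
+}
+</pre>
+
+
+== set ACL folder permissions ==
+
+Traverse through whole tree:
+
+<pre>
+foreach ($folder in Get-ChildItem -Path .\Programme -Recurse -Directory) {
+$AccessRule = New-Object System.Security.Accesscontrol.FileSystemAccessRule ("domain\user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
+$acl = Get-Acl $folder.fullname
+$acl.SetAccessRuleProtection($false, $true) # Inheritance on
+$acl.SetAccessRule($AccessRule)
+Set-Acl -Path $folder.FullName -AclObject $acl
+}
+</pre>
+
+This folder only:
+
+<pre>
+foreach ($folder in get-item \\<server>\e$\Folder) {
+$AccessRule = New-Object System.Security.Accesscontrol.FileSystemAccessRule ("domain\user", "ListDirectory", "None", "None", "Allow")
+$acl = Get-Acl $folder.fullname
+$acl.SetAccessRuleProtection($true, $false) # Inheritance off
+$acl.SetAccessRule($AccessRule)
+Set-Acl -Path $folder.FullName -AclObject $acl
+}
+</pre>
 == get/set/copy NTFS permissions ==
@@ -210,1 +356,24 @@
+
+== setspn ==
+
+List SPN:
+
+setspn -L <accountname>
+
+setspn -L <hostname>
+
+Register new SPN:
+
+setspn -R <server>
+
+It will register SPN "HOST/server" and "HOST/{DNS of server}"<br/><br/>
+
+Register additional SPN (alias) for <server>:
+
+setspn -S host/<serveralias> <server>
+
+
+Delete SPN from host:
+
+setspn -D host/<serveralias> <server>
 == SCCM Related ==
@@ -237,2 +406,43 @@
 }
+</pre>
+
+
+
+== SSL/TLS ==
+
+yadda
+
+
+=== Disable SSL 2.0 ===
+
+<pre>
+New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 –PropertyType DWORD
+</pre>
+
+
+=== Disable SSL 3.0 ===
+
+<pre>
+New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 –PropertyType DWORD
+</pre>
+
+
+=== Enable TLS 1.1 & TLS 1.2 ===
+
+<pre>
+New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
+New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' –PropertyType DWORD
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 –PropertyType DWORD
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 –PropertyType DWORD
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 –PropertyType DWORD
+
+New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
+New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' –PropertyType DWORD
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 –PropertyType DWORD
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 –PropertyType DWORD
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 –PropertyType DWORD
 </pre>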
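Review bot: None of the New-ItemProperty lines in the SSL/TLS hunk (the SSL 2.0 and SSL 3.0 Disable blocks as well as the TLS 1.1/1.2 Enable block) pass -Force, so on a host where Enabled or DisabledByDefault already exists the cmdlet stops with an error and the lines after it are skipped, leaving the protocol state half-applied on a re-run; `New-ItemProperty -Path '…\SSL 2.0\Server' -Name Enabled -Value 0 -PropertyType DWORD -Force` makes each line idempotent. The Disable blocks only write Enabled=0 under the Server key while the Enable block covers Server and Client; a reader hardening a host would also want DisabledByDefault=1 and the Client key for SSL 2.0/3.0, otherwise outbound connections from the box may still offer those protocols. The `–PropertyType` tokens carry an en dash instead of an ASCII hyphen, which PowerShell tolerates but which breaks as soon as the line is copied into other tooling. The section intro still reads `yadda`; a line such as `SCHANNEL settings live under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols and take effect after a reboot` would document the prerequisite.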
Version vom 29. November 2019, 08:53 Uhr
Snippets for powershell
Note that Exchange-related powershell commands should be listed here
execution policy
Set-ExecutionPolicy Unrestricted
possible values (Unrestricted switches the script-signing check off entirely; RemoteSigned is the usual choice):
help about_Execution_Policies
external AD-snapin
http://software.dell.com/products/active-roles/powershell.aspx
After installation, load the snap-in with the following command:
Add-PSSnapin Quest.ActiveRoles.ADManagement
With it you can then do useful things such as:
Get-QADGroup -ContainsMember username
get loadable modules
Get-Module -ListAvailable
import system modules
ImportSystemModules
Set Systemvariables (persistent)
[Environment]::SetEnvironmentVariable("CHRIS", "Yadda", "Machine")
- Variable Name
- Value
- Scope: User or Machine (writing the Machine scope requires an elevated PowerShell session)
To see such changes you need to start a new Powershell window
and enter:
Get-ChildItem env:
or
Get-ChildItem env:CHRIS
or
Get-ChildItem env:CHR*
get/set netconnectionprofile
PS C:\> Get-NetConnectionProfile

Name             : arifleet.com
InterfaceAlias   : Internal
InterfaceIndex   : 1
NetworkCategory  : DomainAuthenticated
IPv4Connectivity : LocalNetwork
IPv6Connectivity : LocalNetwork

Name             : Network
InterfaceAlias   : Internet
InterfaceIndex   : 3
NetworkCategory  : Public
IPv4Connectivity : LocalNetwork
IPv6Connectivity : LocalNetwork

PS C:\> Set-NetConnectionProfile -InterfaceIndex 3 -NetworkCategory Private
get primary DC (PDC)
Netdom Query Fsmo
get last logon user
RPC-Call:
(Get-WmiObject -Class win32_process -ComputerName $c | Where-Object name -Match explorer).getowner().user
timeserver settings
query source servers:
w32tm /query /source
set source servers:
net stop w32time; w32tm /config /syncfromflags:manual /manualpeerlist:10.2.8.3; w32tm /config /reliable:yes; net start w32time;
Without stopping w32time:
w32tm /config /syncfromflags:manual /manualpeerlist:"time.domain.tld time2.domain.tld" /reliable:yes /update
Sync with timeservers:
w32tm /resync /force
Get Service names
Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Select name
get services and run state:
Get-Service | Where-Object {$_.displayName.contains("smartFIX ")}
or (simulate case insensitive)
Get-Service | Where-Object {$_.displayName.toLower().contains("smartfix ")}
get list of services that start with watch* (case sensitive)
Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Start-Service Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Stop-Service Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Restart-Service
Get Group Memberships of AD-Object
Get-ADPrincipalGroupMembership -identity <USER>
Search/Filter Users
Get-ADUser reference: @M$
Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Title -SearchBase 'OU=Fleetservices User,DC=fleetservices,DC=intra' \ -Server 'Fleetservices.intra'
or export result to CSV-File
Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Title -SearchBase 'OU=HPI,DC=fleet,DC=int' \ -Server 'Fleet.int' | Export-CSV c:\temp\FleetInt.csv
get logon scripts of ad-users:
Get-ADUser -filter * -SearchBase "OU=Eschborn,OU=UserAccounts,OU=Accounts,DC=europe,DC=arifleet,DC=com" \ -properties name,scriptpath | select name,scriptpath
Bulk-Replace UPN domain of users
Import-Module ActiveDirectory $oldSuffix = "olddomain.tld" $newSuffix = "newdomain.tld" $ou = "OU=Stuttgart,OU=UserAccounts,OU=Accounts,DC=europe,DC=newdomain,DC=tld" $server = "localhost" Get-ADUser -SearchBase $ou -filter * | ForEach-Object { $newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix) $_ | Set-ADUser -server $server -UserPrincipalName $newUpn }
Bulk-Clear Manager from AD Users
$OU = "OU=Obsolete,DC=dom,DC=domain,DC=tld" $users = get-aduser -Filter { mail -like "*" -and ObjectClass -eq "user" } -SearchBase $OU -Properties sAMAccountName,manager # list managers $users.manager $users | Set-ADUser -Manager $null
Search/Filter Computers
Get-ADComputer -SearchBase 'OU=Build,OU=MemberServers,dc=europe,dc=arifleet,dc=com' -Filter '*'
Bulk change Group Scope
$MySearchBase = "ou=Groups,ou=ABC,dc=lab,dc=local" $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"' -SearchBase "$MySearchBase" # Print list $MyGroupList.name # Set scope $MyGroupList | Set-ADGroup -GroupScope Universal # Now we can change to DomainLocal $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Universal"' -SearchBase "$MySearchBase" $MyGroupList.name $MyGroupList | Set-ADGroup -GroupScope DomainLocal
DNS
set secure zone transfer servers
For all Zones:
Get-DnsServerZone | Select-Object zonename | Set-DnsServerPrimaryZone -SecureSecondaries TransferToSecureServers -SecondaryServers <IP-1>,<IP-2>,<IP-n>
robocopy
robocopy F:\SOURCE D:\DESTINATION\ /MIR /FFT /Z /W:5 /tee /log:RobocopySync.log
- /MIR specifies that robocopy should mirror the source directory and the destination directory. Beware that this may delete files at the destination.
- /FFT uses fat file timing instead of NTFS. This means the granularity is a bit less precise.
- /W:5 reduces the wait time between failures to 5 seconds instead of the 30 second default.
- /R:2 reduces the repeat count of failures to 2 tries instead of the 1000000(!) default retries.
- /Z ensures robocopy can resume the transfer of a large file in mid-file instead of restarting.
- /B copies files in Backup mode (reads via the backup privilege, so files the account is otherwise denied are copied too; needs administrator or Backup Operators rights).
- /ZB use restartable mode; if access denied use Backup mode.
- /MT[:n] Do multi-threaded copies with n threads (default 8).
- /CREATE creates directories and zero-length files only.
- /XF file [file]... eXclude Files matching given names/paths/wildcards.
- /XD dirs [dirs]... eXclude Directories matching given names/paths.
- /XA:H makes robocopy ignore hidden files, usually these will be system files that we’re not interested in.
- /log:RobocopySync.log writes output into a logfile instead of stdout. Use in combination with /tee to get output to stdout AND the logfile.
- /COPY:copyflag[s] what to COPY for files (default is /COPY:DAT). (copyflags : D=Data, A=Attributes, T=Timestamps). (S=Security=NTFS ACLs, O=Owner info, U=aUditing info).
- /COPYALL Same as /COPY:DATSOU (data, attributes, timestamps, NTFS ACLs, owner and auditing info).
set thumbnail-image
from an exchange server
Import-RecipientDataProperty -Identity dSchlenzig -Picture -FileData \ ([Byte[]]$(Get-Content -path ".\thumb-DOMARI.jpg" -Encoding Byte -ReadCount 0))
from an AD
$photo = [byte[]](Get-Content path of pic -Encoding byte) Set-ADUser username -Replace @{thumbnailPhoto=$photo}
get .Net Version installed
wmic /namespace:\\root\cimv2 path win32_product where "name like '%%.NET%%'" get name,version
List files/folderstructure recursively
List files including their relative path and output full UNC Path:
foreach ($myfile in $(ls -R -Name "\\SERVER\Share$\folder\foo\")) { $out = "\\SERVER\Share$\folder\foo\" + $myfile echo $out >> ./fileList.txt }
get-WmiObject -class Win32_Share
get ACL folder permissions
get-acl C:\folder | Format-List
$children = get-childitem e:\ foreach($child in $children) { echo $child.name (get-acl e:\$child).access | ft -auto IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags echo "" echo "" }
set ACL folder permissions
Traverse through whole tree:
foreach ($folder in Get-ChildItem -Path .\Programme -Recurse -Directory) { $AccessRule = New-Object System.Security.Accesscontrol.FileSystemAccessRule ("domain\user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow") $acl = Get-Acl $folder.fullname $acl.SetAccessRuleProtection($false, $true) # Inheritance on $acl.SetAccessRule($AccessRule) Set-Acl -Path $folder.FullName -AclObject $acl }
This folder only:
foreach ($folder in get-item \\<server>\e$\Folder) { $AccessRule = New-Object System.Security.Accesscontrol.FileSystemAccessRule ("domain\user", "ListDirectory", "None", "None", "Allow") $acl = Get-Acl $folder.fullname $acl.SetAccessRuleProtection($true, $false) # Inheritance off $acl.SetAccessRule($AccessRule) Set-Acl -Path $folder.FullName -AclObject $acl }
get/set/copy NTFS permissions
Copy some folder eg. E:\Data to F:\DataNew
Since the old and new foldernames differ, we'll have to get the permissions of the root folder:
cd E:\data icacls . /save ..\DATA-root_perms.txt /c
now we tell icacls to save the ACLs of the root folder's content, traversing (/t) the whole folder structure:
icacls .\ /save ..\DATA_perms.txt /c /t
now we have 2 permission files which we can restore on the new folder:
cd F:\DataNew icacls . /restore E:\DATA-root_perms.txt /c icacls .\ /restore E:\DATA_perms.txt /c
If you have the same folder name, e.g. you copy from E:\data to F:\data you can do this:
cd e: icacls .\Data /save .\DATA_perms.txt /c /t icacls F: /restore E:\DATA_perms.txt /c
where:
/t Traverse through folders /c Continue on errors
setspn
List SPN:
setspn -L <accountname>
setspn -L <hostname>
Register new SPN:
setspn -R <server>
It will register SPN "HOST/server" and "HOST/{DNS of server}"
Register additional SPN (alias) for <server>:
setspn -S host/<serveralias> <server>
Delete SPN from host:
setspn -D host/<serveralias> <server>
SCCM Related
Pull pending updates and install
function Get-CMMissingUpdate { param ( $computer = "localhost" ) Get-WmiObject -Query "SELECT * FROM CCM_SoftwareUpdate" -Namespace "ROOT\ccm\ClientSDK" -ComputerName $computer } function Install-CMMissingUpdate { param ( $computer = "localhost" ) ([wmiclass]'ROOT\ccm\ClientSDK:CCM_SoftwareUpdatesManager').InstallUpdates([System.Management.ManagementObject[]] ( Get-WmiObject -Query 'SELECT * FROM CCM_SoftwareUpdate' -namespace 'ROOT\ccm\ClientSDK')) }
SSL/TLS
yadda
Disable SSL 2.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 –PropertyType DWORD
Disable SSL 3.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 –PropertyType DWORD
Enable TLS 1.1 & TLS 1.2
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 –PropertyType DWORD New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 –PropertyType DWORD