70-410 Archives | AvB Powershell

Category Archives: 70-410

Remote manage a non-domain server in servermanager

Posted on 16 October 2015 by Albert van Boerum Leave a comment

By default you cannot remote manage a non-domain server in servermanager, to which you are not authenticated. This happens for example when your computer is a member of a domain and the server you wish to manage is not a member of that same domain. That server is in a workgroup or a member of an other domain with no trust relationship.

To manage that computer you can add it to the trusted hosts list with a powershell command.

Set-Item wsman:/localhost\Client\TrustedHosts servername.domain.com -Concatenate -Force

1	Set-Item wsman:/localhost\Client\TrustedHosts servername.domain.com -Concatenate -Force

The concatenate switch is used to add the server to the list of trusted hosts. If you do not add this switch the current list will be overwritten.

Posted in 70-410, Server management

Create a share on a fileserver

Posted on 16 September 2015 by Albert van Boerum Leave a comment

In this post I’ll explain how to create a share on a fileserver, set permissions and other options for the share.

Prepare the server

To create a share on a fileserver, first make sure the the File Server role is installed on the server. This feature is installed by default.

Get-WindowsFeature fs-fileserver

1	Get-WindowsFeature fs-fileserver

Get the current shares

C:\Windows\system32> Get-SmbShare

1	C:\Windows\system32> Get-SmbShare

Create a new share

Fist make sure you have a folder on the server. Next create the share.

New-SMBShare -Path c:\marketing -Name Marketing -Readaccess Everyone -FullAccess Administrator

1	New-SMBShare -Path c:\marketing -Name Marketing -Readaccess Everyone -FullAccess Administrator

to remotely create the share add the -cimsession option to the command.

New-SMBShare -CimSession Fileserver1 -Path c:\marketing -Name Marketing -Readaccess Everyone -FullAccess Administrat

1	New-SMBShare -CimSession Fileserver1 -Path c:\marketing -Name Marketing -Readaccess Everyone -FullAccess Administrat

Change permissions on a share

You want to keep the share permissions as simple as possible. To grant more detailed permissions you can use NTFS permissions on the folder or files. Bare in mind that Deny rights overrule the Allow rights.

To view the current permissions on a share:

Get-SMBShareAccess -Name Marketing

1	Get-SMBShareAccess -Name Marketing

To add permissions to a share

Grant-SmbShareAccess -Name test -AccessRight Change -AccountName company\marketing

1	Grant-SmbShareAccess -Name test -AccessRight Change -AccountName company\marketing

To remove permissions from a share

Revoke-SmbShareAccess -Name Marketing -AccountName company\sales

1	Revoke-SmbShareAccess -Name Marketing -AccountName company\sales

Configure Access-based Enumeration

You can hide folders from users that have no access to them. This is called Access-based enumeration. To enable this on a share disables users to view the folders where they do not have at least read access:

Set-SmbShare -Name Marketing -FolderEnumerationMode AccessBased

1	Set-SmbShare -Name Marketing -FolderEnumerationMode AccessBased

Posted in 70-410, File management, Server management

Enumerate Group Membership

Posted on 11 September 2015 by Albert van Boerum Leave a comment

With powershell you can get an insight about the nested group in the AD and enumerate group membership.

Which users are members of the Domain Admins group?

Get-ADGroupMember "Domain Admins" | ft name

1	Get-ADGroupMember "Domain Admins" \| ft name

In which groups is an user a member?

Get-ADPrincipalGroupMembership user | ft name

1	Get-ADPrincipalGroupMembership user \| ft name

Is a user a nested member of the Domains Admins group?

Get-ADUser -Filter 'memberof -recursivematch "cn=domain admins,cn=users,dc=test,dc=internal"' | ft name

1	Get-ADUser -Filter 'memberof -recursivematch "cn=domain admins,cn=users,dc=test,dc=internal"' \| ft name

Posted in 70-410, AD

Reset or change the active directory services restore password

Posted on 11 September 2015 by Albert van Boerum Leave a comment

To reset or change the active directory services restore password you must use the ntdsutil command. This command lets you access and change settings in the ADS.

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: set dsrm password
Reset DSRM Administrator Password:_

PS C:\> ntdsutil

C:\Windows\system32\ntdsutil.exe: set dsrm password

Reset DSRM Administrator Password:_

Posted in 70-410, AD

Make a server a Domain Controller

Posted on 11 September 2015 by Albert van Boerum Leave a comment

New domain and forest.

To make a windows server a DC (domain controller) you must first install the feature. I first use the get-WindowsFeature to see if the correct feature is targeted.

get-WindowsFeature ad-domain-services | Install-WindowsFeature –IncludeManagementTools

1	get-WindowsFeature ad-domain-services \| Install-WindowsFeature –IncludeManagementTools

After the feature is installed, load the correct module and install the servers as a Domain controller for a new domain and forrest.

Import-Module ADDSDeployment

Install-ADDSForest `
 -CreateDnsDelegation:$false `
 -DatabasePath "C:\Windows\NTDS" `
 -DomainMode "Win2012R2" `
 -DomainName "test.internal" `
 -DomainNetbiosName "TEST" `
 -ForestMode "Win2012R2" `
 -InstallDns:$true `
 -LogPath "C:\Windows\NTDS" `
 -NoRebootOnCompletion:$false `
 -SysvolPath "C:\Windows\SYSVOL" `
 -Force:$true

Import-Module ADDSDeployment

Install-ADDSForest `

-CreateDnsDelegation:$false `

-DatabasePath "C:\Windows\NTDS" `

-DomainMode "Win2012R2" `

-DomainName "test.internal" `

-DomainNetbiosName "TEST" `

-ForestMode "Win2012R2" `

-InstallDns:$true `

-LogPath "C:\Windows\NTDS" `

-NoRebootOnCompletion:$false `

-SysvolPath "C:\Windows\SYSVOL" `

-Force:$true

Existing domain and forest.

I you have already a domain and forest up and running you must add a server to this domain.

Install-WindowsFeature -Name ad-domain-services
Install-ADDSDOmainController -DomainName test.internal -Credential (Get-Credential test\administrator)

1 2	Install-WindowsFeature -Name ad-domain-services Install-ADDSDOmainController -DomainName test.internal -Credential (Get-Credential test\administrator)

Demote a server.

To remove the domain controller function from a server use.

uninstall-ADDSDomainController

1	uninstall-ADDSDomainController

Use the get-help with this cmdlet to see the options you can use.

Posted in 70-410, AD, Server management

Access offline files (.wim, .vhd or .vhdx) using DISM

Posted on 11 September 2015 by Albert van Boerum Leave a comment

On the installation DVD of a Windows installation you find a file called install.wim. This file contains the complete installation of a new windows installation.

If you want to alter this installation you must use the DISM command. Deployment Image Servicing and Management (DISM.exe) is a command-line tool that can be used to service a Windows image or to prepare a Windows Preinstallation Environment (Windows PE) image. DISM can be used to service a Windows image (.wim) or a virtual hard disk (.vhd or .vhdx).

The steps for altering a file, in this case the install.wim file, follow these steps.

Posted in 70-410, Hyper-V, Server management