Im using windows10 Enterprise template on vcenter and im creating users on vm using this powershell script:
I have a powershell script that creates new users on new vm that has windows10 Enterprise,
This is the script:
param (
[Parameter(Mandatory=$True)]
[string]$pass,
[Parameter(Mandatory=$True)]
[string]$user,
[Parameter(Mandatory=$True)]
[string]$gr
)
$Password = ConvertTo-SecureString -AsPlainText $pass -Force
New-LocalUser $user -Password $Password -PasswordNeverExpires
Add-LocalGroupMember -Group $gr -Member $user
If i create new user through admin user the new user profile loads in 20 sec
Is there a way to speed up user profile first log in using this script?
Thanks
This is pretty normal for windows. New-LocalUser does not create the profile, (home directory, user settings, registry, etc.) so you need an additional step to get windows to complete the first-time setup.
This answer about using the windows CreateProfile API to create a user-profile on-demand is probably what you're looking for.
A simpler way is to just do part of the profile creation ahead of time by starting a process as that user. This skips processing some desktop items like Theme setup, but may speed up the profile creation enough for what you need:
Start-Process notepad -Credential $myUserCreds
And when using templates, Microsoft also recommends customizing the Default user profile to speed up new user profile creation. This lets windows just copy most things from the default profile rather than generate entirely new settings. It should be done as you sysprep your VM for templating:
Create an Unattend.xml file that contains the Copy Profile parameter (Microsoft-Windows-Shell-Setup\CopyProfile). By using this Copy Profile parameter, the settings of the user who is currently logged on are copied to the default user profile.
Example sysprep command:
%systemroot%\system32\sysprep\sysprep.exe /oobe /shutdown /generalize /unattend:c:\answerfile\unattend.xml
Related
I am facing a difficulty on installing RSAT to remote windows 10 workstations via gpo. My main goal is to use Get-ADuser command as a necessity to gain information from my Windows domain.
I created a PowerShell script using the following command:
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability –Online
Yet when I run it, a message appears asking for elevated privileges.
So I tried to add credentials in order to automate the installation and changed the script to :
$Username = 'domain\domain_adm'
$Password = '*******'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
Start-Process -FilePath powershell.exe -ArgumentList{Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability –Online} -credential $Cred
And from a normal PowerShell window, it works. But, it doesn't when I am trying to use it from gpo.
Could you please assist me?
The goal is to install via GPO Get-ADuser (maybe RSAT) to domain workstations with OS Windows 10
For a small number of machines Powershell is not a bad option. If you have access to GPOs then you should use then. RSAT is "Windows feature". You can use WSUS. https://4sysops.com/archives/install-rsat-1809-and-other-optional-features-in-wsus-environments/ You could also use the software that you use to install software on the machine on the network . Many of software distribution packages run as root when it installs software. In this case just give that team the line below.
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability –Online
Why are you putting credentials in clear text in a script file? That
is just bad practice and should not be done.
Installing software is an Admin level thing, local, GPO, or
otherwise, because it's a system-wide change.
Lastly, this is not a PowerShell code/programming issue and not something PowerShell can fix relative to how you are trying to do this. It's specifically how do I use GPO to enable a Windows feature or install software, using PowerShell?
So, could be considered off-topic for Stackoverflow and more a question for SuperUser or StackExchange.
All that being said, you can still use PowerShell to do this, but doing so by using PowerShell to set a scheduled task to the targets and set that to the admin creds at run once at login.
You can write a separate script to create the scheduled task.
You can use the below script for the RSAT install effort via the task.
Use PowerShell to Create Scheduled Tasks
New-ScheduledTask
Very similar to this approach with updating PowerShell help:
PowerShell: Update-Help via Scheduled Task in Group Policy Preferences
As far as what js2010 has stated. That was true for earlier versions of Windows 10. The current state of things is as noted below.
Install RSAT for Windows 10 1809 and 1903 and 1909 automated
RSAT (Remote Server Administration Tools) in Windows 10 v1809 and
v1903 are no longer a downloadable add-on to Windows. Instead, its
included as a set of "Features on Demand" directly in Windows.
Download: Install-RSATv1809v1903v1909.ps1
Long term Scheduled Task management can be accomplished via GPO as well, as noted here:
Managing Scheduled Tasks from Group Policy
You can download RSAT as an msu file: https://www.microsoft.com/en-us/download/details.aspx?id=45520
EDIT: Ok, as for 1809 and above, my first thoughts are a gpo startup script, or using invoke-command.
I hope someone can help me with the following :
I’ve created a script to install a web site based on an existing site.
The script performs several steps - copy dirs, restore a DB, create website and application pool etc. It runs fine from the Powershell CLI under an Administrator account.
I created a WinForms frontend for this script that references Powershell and also executes that script just fine.
Now I want to create a web frontend for it. (as explained here : http://devinfra-us.blogspot.com/2011/02/using-powershell-20-from-aspnet-part-1.html)
However I can’t get the ‘new-website’ cmdlet to work via the web frontend. All the other steps in the script work, including ‘new-WebappPool’ (I can see the new appPool in IIS manager). I don’t get any errors..
I’ve made sure the script runs with Administrator rights (security is not a concern at this point)
Below is some output from the Powershell transcript :
**********************
Windows PowerShell transcript start
Start time: 20200106164117
Username: NNN-WEB\adminArr <-- Administrator account
RunAs User: NNN-WEB\adminArr
Machine: NNN-WEB (Microsoft Windows NT 10.0.14393.0)
Host Application: c:\windows\system32\inetsrv\w3wp.exe -ap DefaultAppPool -v v4.0 -l webengine4.dll -a \\.\pipe\iisipmd4bdced8-d455-428b-b9ef-8b3e2bfb38dd -h C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config -w -m 0 -t 20 -ta 0
Process ID: 8448
PSVersion: 5.1.14393.3383
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.3383
BuildVersion: 10.0.14393.3383
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
You could use the below PowerShell command to create a site in iis:
Import-Module WebAdministration
New-WebAppPool NewAppPool
New-Website -Name "mike" -Port 8086 -PhysicalPath c:\casp -ApplicationPool NewAppPool
Do not forget to refresh the iis after running the command.
Although in my script I also used the commands mentioned in Jalpa's example, I tried his example script anyway. I got the error 'Cannot add duplicate collection entry of type 'site' with unique key attributes 'name, id' respectively set to 'mike3, 2' - which I didn't get using my own script...
Thanks to this error, I figured out that if there are already some existing sites, you also have to specify the 'ID' parameter of the new-website command - so like 'new-website -Name "testsite" -Id 4 etc.'. The ID has to be a number not in use by any other sites.
This made it work :-)
I am trying to run some of the SQL SERVER command using Powershell script by enabling Integrate Security on (Expecting to connect SQL server using Winodows Access) and calling that powershell script into Jenkins Pipeline but its throwing me error as "Unable to connect to target server 'ABC\SQL17'. Please verify the connection information such as the server name, login credentials, and firewall"
I have followed following steps as try
1. Created Jenkins Job as "Jenkins Pipeline"
2. Called Groovy script under Pipeline script to call Powershell script.
3. Added Credentials my windows login details as Global and linked this credentials with Jenkins logged in user.
4. And scheduled job with same user.
I want Jenkins to use my windows credentials to run this powershell but that is not using the same which I have given and its throwing error as User do not have access
Following is sample script I have used to call powershell using batch file in groovy script
node {
stage('Deploy Dacpac to SQL Server') {
script{
bat 'start cmd.exe /c D:\\Source\\Test.bat'
}
}
}
Please advise how can I use my credentials to run such script.
Thank you in advance for your responses !
After hunting few articles and blogs I got solution for this, I have changed project type from Pipeline to Free Style project and directly called power shell script under Build Step tab.
And Used Secret Key from build Environment and provided two variable to stored user name and password with encryption(Use Credential plugin for encryption and masked password ).
Snapshot for configuration
You can use script as below
$SrvPassword = ConvertTo-SecureString "$($ENV:SrvPassword)" -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ("$ENV:SrvUser", $SrvPassword)
$SessionDetails = New-PSSession -ComputerName "ServerName" -Credential $Credential
Invoke-Command -Session $SessionDetails -Command {
C:\Test.ps1
}
Context:
Created a Domain Controller with Active Directory Setup.
Created another Server with Jenkins-2 installed.(DNS Points correctly to the Domain Controllers)
Installed the Active Directory Plugin
Installed the Powershell Plugin
Created a Powershell Job, with command
Copy-Item -Path \\SFTPServer\Docs\file.txt $Home
Steps:
List item Logged in to Jenkins Server Machine with credentials of globomantics.local\administrator
List item Started Jenkins to be available on localhost:8080
List item Logged in into Jenkins using credentials of globomantics.local\someunderprivilegeduser
List item Run the above created Powershell Job
What happens:
Powershell window appears and runs the command .. in the context of AD User globomantics.local\administrator
What is required:
Powershell command runs in the context of globomantics.local\someunderprivilegeduser
I understand that when we logged into jenkins using globomantics.local\someunderprivilegeduser, a kerberos ticket is generated on this machine. How can i use that ticket to run this powershell command? OR if my approach is completely wrong, what else to do?
Note: let's say globomantics.local\someunderprivilegeduser is NOT allowed to read \\SFTPServer\Docs\file.txt, In this case the Powershell Job should fail. BUT, since the job runs in the context of globomantics.local\administrator, the Job runs successfully.
I have a windows 2003 box setup with virtual box and I can't powershell to work with it.
I try this on my windows 7 machine
Get-Service –ComputerName myserver
I get back
Get-Service : Cannot open Service Control Manager on computer 'myserver'. This operation might require other privileges.
At Script1.ps1:2 char:4
+ gsv <<<< -cn myserver
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
While searching around I found I should try and use Enable-PSRemoting.
I did this and now when I try to use it I get
WinRM already is set up to receive requests on this machine. WinRM
already is set up for remote management on this machine.
Yet I still get the same error. Is this because I am using a virtual machine? I setup the virtual OS to be on my domain and I can even use my AD account credentials to log in.
I can get other information back from it.
So it is not like I can't connect to it with powershell.
With PowerShell V2 you've got two approachs for remote commands.
Commands with built-in remoting :
A small set of commands in PowerShell v2 have a -ComputerName parameter, which allows you to specify the target machine to access.
Get-Process
Get-Service
Set-Service
Clear-EventLog
Get-Counter
Get-EventLog
Show-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Write-EventLog
Restart-Computer
Stop-Computer
Get-HotFix
These commands do their own remoting either because the underlying infrastructure already supports remoting or they address scenarios that are of particular importance to system management. They are built on the top of DCOM and, on the access point of view, you can use them when you can establish a session with the remote machine with commands like NET.exe or PSExec.exe.
You are trying to use one of them and you've got a problem with credentials (-cred parameter), because your token credentials can't be used to establish an admin session to the remote machine.
The PowerShell remoting subsystem :
Before you can use PowerShell remoting to access a remote computer, the remoting service on that computer has to be explicitly enabled. You do so using the Enable-PSRemoting cmdlet. If you are working in workgroup you also need to enable the server to enter on your client computer with this command (on your client computer as administrator):
Set-Item WSMan:\localhost\Client\TrustedHosts *
Then, you will use New-PSSession Cmdlet (with -computername and -credentials) to create a session object. Then Invoke-Command (with -session and -scriptblock) cmdlet allows you to remotely invoke a scriptblock on another computer. This is the base element for most of the features in remoting. You can also use Enter-PSSession to establish an interactive (SSL like) PowerShell command line with the server.
Useful link : Layman’s guide to PowerShell 2.0 remoting
Test this :
$sess = New-PSSession -ComputerName myServer-Credential (Get-Credential)
Invoke-Command -Session $sess -ScriptBlock {get-service}
...
Remove-PSSession -Session $sess
If it is still important, here is my workaround:
I got an unprivileged user called 'usser' who wants powershell(v2) remoting from client A to server B.
Steps:
enable-psremoting on Targetserver B as admin
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI on Targetserver B as admin
Add "usser" with full privileges
Now comes the exciting part:
sc sdshow scmanager on Targetserver B as admin
Copy the SDDL output
sc sdset scmanager (f.e.:)"D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)" , in the Output you have to fill after this part (A;;CCLCRPWPRC;;;SY) this = (A;;KA;;;SID)
SID stands of course for the SID of the unprivileged "usser"-user
when everything should be fine, it will similiar looks like this :
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;S-1-5-21-4233383628-1788409597-1873130553-1161)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Hope you will enjoy that little but complicated workaround.
Viewing and manipulating services requires administrative privileges on the target machine.
I was able to duplicate your error message by attempting to run Get-Service -ComputerName MyServer while logged in as a user account that doesn't have administrative rights to the server in question.
You can resolve this by either granting the workstation user account administrative privileges on the target server or by creating a a local group on the server and granting invocation privileges to members of that group. If you want to do the latter, see the following article.
msgoodies: Using a PS Session without having Administrative Permissions
Building on #scusi marcus's brilliant answer here:
Let's say I have an unprivileged/limited user called 'user1' who wants powershell(v2+) remoting from client machine A to targetserver B.
Steps:
From elevated powershell prompt on targetserver B, run enable-psremoting. Accept several Y/N dialog confirmations or else run with -force switch.
In same elevated prompt as step 1, Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI
In the resulting dialog, add "user1". Read privileges should be sufficient unless you are planning on remotely manipulating services, in which case you will want Full Control.
On targetserver B, from an elevated (non-powershell) prompt or as an administrator, run sc sdshow scmanager. Copy the SDDL output. May look something like this: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
UPDATE: If we add the limited user to the target computer's Remote Management Users group, we can add (A;;LCRPWPDTLO;;;RM) to the D: portion of the above SDDL string, and skip steps 5 and 6 below.
Determine the SID of the underprivileged user account (in our case, "user1"). (Hint: try wmic useraccount where name='user1' get sid)
Insert the following text into the output we copied in step 5: (A;;KA;;;*SID*) where *SID* is the SID of the user determined in step 5. Insert it somewhere in a place before the S: part of the SDDL string retrieved in step 4. So now you should have a string looking something like this: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;S-1-5-21-4233383628-1788409597-1873130553-1161)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
On targetserver B, run sc sdset scmanager followed by our new modified SDDL string. So the entire command would look something like this:
sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;S-1-5-21-4233383628-1788409597-1873130553-1161)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
You should now be able to remotely access the Service Control Manager on the remote server while logged into client machine A as "user1".
On client machine A, you may find that when you run Get-Service –ComputerName remoteserver not all services are listed. You may need to repeat the above process (starting at step 4) for a specific service that you need remote access to, but which is not listed in your Get-Service output on client machine A. For instance, if the sqlserveragent service is not listed (but you know it is present on the targetserver), you would again log in to targetserver B and execute sc sdshow but this time not for scmanager but for the sqlserveragent service, so sc sdshow sqlserveragent. You would again receive some SDDL output that would need to be manipulated as above. At this point, it may be worth learning more about SDDL (Google it - this link was helpful for me), with the main caveat to watch for the D: and S: portions of the SDDL string and make sure you aren't messing with the S: part.
I know that this isn't the ideal answer to this question, but I was having a similar issue trying to use PowerShell to talk to a Windows 7 box. Turns out, WMI hadn't been installed with the native PSv2 that comes with Win7.
As soon as I installed v3 as part of the WMI 3.0 package, the problem solved itself. I'd suggest making sure that all the relevant WMI services are running on your server. Unless you have conflicts, I'd also recommend upgrading to WMI 3.0.