I have 12 servers (session hosts) with tens of thousands firewall rules on each of them. Rules are creating when users are logging in and system is not deleting them when the're logging off (probably a bug which was fixed in WS2016, but in 2019 is here again).
I have tried to delete the rules with powershell's Remove-NetFirewallRule, but it's useless because of a performance. It takes 33 hours to delete 40k rules (20 rules per minute). Now I'm trying to achieve it with netsh.exe which is much quicker (1000 rules per minute), but I'm unable to find out how to filter out rules with "Any" in profile (these I want to keep).
I have tried to filter the rules with powershell and then push it to netsh:
$rulesToRemove = Get-NetFirewallRule | where {$_.profile -ne "Any"} | select displayName
foreach($rule in $rulesToRemove) { netsh advfirewall firewall delete rule name=$rule }
and it's working for some rules and for others not - "No rules match the specific criteria". I tried to push displayName, name and several other values, but most of the rules simply didn't match the criteria. The only condition here is the fw rule name, so I tried to get the names with netsh and I got something like this for example:
#{Microsoft.Windows.Cortana_1.11.6.17763_neutral_neutral_cw5n1h2txyewy?mc-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}
and even this didn't work for netsh as rule name :(.
QUESTION: Is there a way how to delete tens of thousands FW rules by script in a reasonable time?
Like Bill_Stewart says, and you can also dot reference it.
$rulesToRemove = (Get-NetFirewallRule | where {$_.profile -eq "Any"}).DisplayName
foreach($rule in $rulesToRemove) { netsh advfirewall firewall delete rule name=$rule }
This script will remove most of them; just add the rest if they have similar name. It's not fancy, but it works. The remove-command searches through both in and out firewall lists and removes all that match with the displayname. Run it regularly and it will not use many resources:
Write-Host '*** Deleting: '
remove-netfirewallrule -DisplayName "Your account"
remove-netfirewallrule -DisplayName "Work or school account"
remove-netfirewallrule -DisplayName "cortana"
remove-netfirewallrule -DisplayName "SmartScreen"
remove-netfirewallrule -DisplayName "Windows Default Lock Screen"
remove-netfirewallrule -DisplayName "Windows Shell Experience"
remove-netfirewallrule -DisplayName "Xbox Game UI"
remove-netfirewallrule -DisplayName "Email and accounts"
There's a reg edit to stop this from happening once you've deleted the orphaned rules.
Addresses an issue that slows server performance or causes the server to stop responding because of numerous Windows firewall rules. To enable this solution, use regedit to modify the following and set it to 1:
Type: “DeleteUserAppContainersOnLogoff” (DWORD)
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
Related
I must add a domain user to the local group "Remote Desktop Users" via GPO.
And since I'm building Domain Controller images in an automated way, I want to create a policy to set a domain user as part of the Remote Desktop Users local group of each domain joined Windows client machine using PowerShell.
I've been trying to manage the Restricted Groups from a GPO via PowerShell, but without success.
I found the following code, but it returns only a .xml that I can check the groups located at the Restricted Groups from a GPO.
https://social.technet.microsoft.com/Forums/en-US/a956c361-3852-4ec2-a6e3-15475e67bdaa/listing-gpo-restricted-groups-with-powershell?forum=winserverpowershell
If there's a way to export the GPO as .XML or any other format and edit it and import that changes, it would be also fine.
Another forum that I found and it's a good solution but it's still manually, is the following one. I'd like to automate that steps via PowerShell, but it has been hard to do.
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-group-policy-preferences-to-manage-the-local-administrator/ba-p/259223
Please, does anyone know some automated way to create a GPO that includes a domain user to a local group?
Thanks all!
Try **Invoke-Command** and **Add-LocalGroupMember**
ForEach ($ServerName in $Servers)
{
Invoke-command -ComputerName $ServerName -ScriptBlock {Add-LocalGroupMember -Group "Remote Desktop User" -Member "Admin02", "MicrosoftAccount\username#Outlook.com", "AzureAD\DavidChew#contoso.com", "CONTOSO\Admins"}
}
https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
Create new GPO: Computer Configuration / Policies / Windows Settings / Security Settings / Restricted Groups
or if neecessary is done by powershell script create GPO
Configuring PowerShell Startup Scripts with Group Policy
and launch script:
Add-LocalGroupMember -Group "Remote Desktop User" -Member "Admin02", "MicrosoftAccount\username#Outlook.com", "AzureAD\DavidChew#contoso.com", "CONTOSO\Admins"
Wake On Lan is enabled, subnet directed broadcast method, port = 9 (I've tried several other ports).
I've worked with my network team to allow subnet directed broadcasts, and it does work using Right Click Tools (run from server) using same subnet directed broadcast method and same ports, including port 9.
Scheduled deployments are set to Wake Up but when the deadline passes the computers do not wake up. I have two other SCCM servers that I'm able to run scheduled deployments on just fine.
I've disabled Wake On Lan, monitored to make sure it is removed, enabled it again, monitored to verify it finishes installing, but it still isn't working.
I have rebooted the server as well.
This is indeed a bug in SCCM Current Branch 1802, and there was no charge for my Microsoft Premiere Support ticket. We did get the problem resolved.
There were two missing registry keys, and a missing folder, that appeared to be the culprit. We did add/change a couple of other keys, but they did not change the symptoms at all.
From MS Support:
"CB 1802 is lacking the following registry keys (exported from my UPGRADED environment):"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Inbox Source\Inbox Definitions\77]
"Inbox Name"="SMS_AMT_PROXY_WOL"
"Location Type"=dword:00000001
"NAL Path"=""
"Relative Path"="inboxes\amtproxymgr.box\wol.box"
"Service Rights"=dword:00000054
"User Rights"=dword:00000000
"Guest Rights"=dword:00000000
"Monitoring Enabled"=dword:00000001
(and)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Inbox Source\Inbox Instances\77]
"Inbox Name"="SMS_AMT_PROXY_WOL"
"Location Type"=dword:00000001
"Assistant Flags"=dword:00000000
"NAL Path"=""
"Relative Path"="inboxes\amtproxymgr.box\wol.box"
"UNC Path"="\\PRI1.CONTOSO.LOCAL\SMS_P01\inboxes\amtproxymgr.box\wol.box"
"Monitoring Enabled"=dword:00000001
On my server I had to add the two keys by creating new keys using the next available number in Inbox Definitions and Inbox Instances (mine was 76).
I also had to create the wol.box folder inside of the amtproxymgr.box folder. I simply copied the existing folder named "bad" and named it wol.box.
Make sure the UNC path has your actual server FQDN name AND SCCM site name share. The above example is from the MS support person's test install.
Yes the double backslashes are there for single backslash, and quadruple for double. Not sure why but that is how many reg keys work.
As soon as I had these registry keys and the wol.box folder, the persistent errors that had been occurring every five seconds, immediately ceased and new data showed in the log that matched what I see on my other two server.
Windows 10 allows the user to schedule when updates are applied, but not when they are downloaded.
One way to control Windows 10 update downloads is to manually define the wifi connection as a metered connection, and then to manually set it back to unmetered again.
My ISP allows free downloads between midnight and 6am. It would therefore be best if I could schedule Windows updates to happen during this time.
Is it possible to use Task Scheduler and a Windows script to change from metered to unmetered on a schedule.
If yes, any pointers on how to do it?
Thanks
Brendon
First, use this command to get names of your wlan profiles:
netsh wlan show profiles
Second, use this command to get current settings:
netsh wlan show profile name="Your profile name"
It prints "Cost : Fixed" if connection is metered, "Cost : Unrestricted" if non-metered
To change between metered and non-metered use these:
netsh wlan set profileparameter name="Your profile name" cost=Unrestricted
netsh wlan set profileparameter name="Your profile name" cost=Fixed
Thanks JIT. Just to add to that, you can use
netsh mbn
to run the same commands for a cellular connection.
When running the psexec command to remotely install or execute something on a sever on the same network the following error was displayed.
Couldn't access ServerName
The network name cannot be found
Make sure that the default admin$ share is enable on ServerName
Most references suggested that you add the following to the registry, but in my case this was already added to the server. This did not resolve the issue.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
and create or modify a REG_DWORD value LocalAccountTokenFilterPolicy and set its value to 1
Solution:
You need to add the 'admin$' share which is your C:\Windows location.
Go to C:\windows and right-click --> Properties
Hit advance sharing
Click the check box Share this folder
Enter the name admin$ and hit Permissions
I would recommend removing 'Everyone' and adding just the users that the PsExec command will use to execute.
Run the PsExec command again and this should resolve your issue.
Edit:
You can also turn on your AutoShareServer in the registry, which will automatically create the admin shares.
Start regisry regedit
Search for key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer
Change the AutoShareServer key to 1
You can also enable amins$ share by enabling File and Printer Sharing (SMB-In) Firewall Rule.
Go to Control Panel > System ans Security > Windows Defender Firewall > Advance Settings > Inbound Rules. Right click on File and Printer Sharing (SMB-In) from the list and select Enable Rule`. Normally, there are two File and Printer Sharing (SMB-In), one is for Domain profile and one is for Public & Private profile. I'm not sure which profile should be applied, Domain or Public or Private. For me, it's Domain profile.
In my case it was a network problem like mentioned in the error message.
I needed to allow SMB traffic on port 445 on the target machine. PSExec worked straight away after adding the firewall rule to allow that traffic.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed last year.
Improve this question
I want to rename the network interface name to a default name, for example "Ethernet", via dos.
I know netsh interface set interface name=”Local Area Connection” newname=”Ethernet” is the way to do it.
I am running a script and it will not know the name of the interace, correct? So, I need it to rename it to a default before I set the IP address for the interface.
How can I do this without knowing the name of the interface?
Is there a way to get the name of the interface somehow and then change it?
netsh (a tool MS tried to wean us off and gave up)
To get the WLAN interface names: netsh wlan show interfaces
help states: show interfaces - Shows a list of the wireless LAN interfaces on the system.
To get LAN interface names: netsh lan show interfaces
help states: show interfaces - Shows a list of the current wired interfaces on the system.
To get names of all interfaces: netsh interface show interface
help states: show interfaces - Displays interfaces.
The command for LAN does need Wired AutoConfig service, which is usually not started.
This Batch script would start the service, get (the last) LAN interfaces name, change it to a new name, stop the Wired AutoConfig service again.
sc.exe start dot3svc
for /f "tokens=1* delims=: " %%a in ('netsh lan show interfaces') do if %%a == Name set activeAdapter=%%b
echo %activeAdapter%
netsh interface set interface name="%activeAdapter%" newname="Ethernet"
sc.exe stop dot3svc
Limitations:
It assumes there is only one wired interface
It will stop Wired AutoConfig service whether it was running or not at the start
For Wifi interfaces, change in above script 'lan' to 'wlan' and remove both sc.exe service start/stop
PowerShell
To get better control of what interface is renamed PowerShell will be an easier choice.
This will probably work in most cases:
Get-NetAdapter | Where-Object { $_.HardwareInterface -eq $True -and $_.MediaType -eq "802.3" } | Rename-NetAdapter -NewName "Ethernet"
HardwareInterface will eliminate virtual interfaces, e.g. VMWare
MediaType 802.3 will only show "wired" interfaces and not Wifi, Broadband or others.
In a script file, use the above version of the command, shorthand version would be:
Get-NetAdapter | ? HardwareInterface | ? MediaType -eq "802.3" | Rename-NetAdapter "Ethernet"
There are more options how to select the desired interface. Check all parameters by which it can be selected:
(Get-NetAdapter)[0] | Format-List -Property * -Force
e.g.
List all made by Realtek (Realtek vendor 10ec, Intel: 8086):
Get-NetAdapter | ? ComponentID -like "PCI\VEN_10EC*"
Not virtual:
Get-NetAdapter | ? Virtual -eq $false
Connector Present:
Get-NetAdapter | ? ConnectorPresent
Then there is WMI object
Get-WmiObject -Class Win32_NetworkAdapterConfiguration
Registry
In a case that you changed a Network adapter card and a new one is using a name: Ethernet 2 or similar and you want to rename it back to "Ethernet",
there will be an error saying:
"You were not connected because a duplicate name exists on the network. If joining a domain, go to System in Control Panel to change the computer name and try again. If joining a workgroup, choose another workgroup name."
Which is of course erroneous error message about renaming a computer.
PowerShell would say correctly: An attempt was made to create an object and the object name already existed.
But going to Control Panel\Network and Internet\Network Connections and trying to rename the interface there would not help either.
It seems the only option for such case is to find corresponding key in these registry paths:
HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade\NetworkDriverBackup\Control\Network\{4d36e972-e325-11ce-bfc1-08002be10318}\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade\NetworkDriverBackup\Control\NetworkSetup2\Interfaces\
and remove the key for the old interface (not the whole paths as written above!), then restart.
Renaming by cmd batch, PS or in Control Panel should now work.
You can do quite a lot with Powershell, which depending on how new your server is, may be installed. Google "Get-WmiObject -Class Win32_NetworkAdapterConfiguration" to see more info.