WIN
Windows/Microsoft 365 documentation + Powershell & Batch scripting
Licensing
Keys (not tested)
https://gist.github.com/rvrsh3ll/0810c6ed60e44cf7932e4fbae25880df
Security
Password
Fine-grained password
Fine-grained password policies (Password Settings Objects, PSOs) let security and Active Directory admins define password and lockout settings for individual user accounts and global security groups, overriding the single domain-wide policy that the Default Domain Policy GPO enforces for every domain member. They require a domain functional level of Windows Server 2008 or later; when several PSOs cover the same user, the one with the lowest Precedence value wins, and a PSO applied directly to a user beats one inherited through a group.
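An added example (not from the original page) of what the paragraph describes: a PSO with stricter settings for privileged accounts, attached to a global group, followed by a check of which policy actually applies to an account. The PSO name, the target group and the numeric values are assumptions chosen for illustration.

```powershell
# Added example, not from the original page: create a PSO for privileged
# accounts and attach it to a global group. The PSO name, the group and the
# numeric settings are assumptions chosen for illustration.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'

# Lower Precedence wins when a user is covered by several PSOs.
# LockoutDuration must be equal to or longer than the observation window.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# PSOs can only be applied to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Check what is really in force for one account. $null means the Default
# Domain Policy still applies (for example because the user is only a member
# of a universal or domain local group, which PSOs ignore).
$effective = Get-ADUserResultantPasswordPolicy -Identity 'Administrator'
if ($null -eq $effective) { 'Default Domain Policy applies' } else { $effective.Name }
```

Run the last two lines after every change to group membership: the resultant policy is the only reliable way to confirm that a PSO reaches the accounts it was meant for.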
Powershell
Deploy AD
Install-WindowsFeature AD-Domain-Services
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "fanha.local" `
-DomainNetbiosName "FANHA" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
(With no -SafeModeAdministratorPassword supplied, the cmdlet prompts for the DSRM password; -Force only suppresses the confirmation prompts.)
Syntax tips
"| %": alias for ForEach-Object
Get-ADUser -Filter * -SearchBase $OUpath | % { Set-ADUser -Identity $_.DistinguishedName -Manager $managerFGO_DN }
($OUpath is the distinguished name of the OU to search, $managerFGO_DN the distinguished name of the manager to set; both are set before the pipeline.)
Conditions
Operator      Comparison
-eq           equals
-ne           not equals
-gt           greater than
-ge           greater than or equal
-lt           less than
-le           less than or equal
-like         string matches wildcard pattern
-notlike      string does not match wildcard pattern
-match        string matches regex pattern (fills $Matches)
-notmatch     string does not match regex pattern
-contains     collection (on the left) contains a value
-notcontains  collection (on the left) does not contain a value
-in           value (on the left) is in a collection
-notin        value (on the left) is not in a collection
-is           object is of the given .NET type (e.g. $x -is [string])
-isnot        object is not of the given type
-not          negates the statement
!             negates the statement
String comparisons ignore case by default; prefix the operator with c for a case-sensitive version (-ceq, -clike, -cmatch) or with i to state the default explicitly (-ieq).
Disable firewall
# All
netsh advfirewall set allprofiles state off
# Domain, public or private network
netsh advfirewall set domainprofile state off   (use privateprofile or publicprofile for the other profiles)
(Lab use only: with the firewall off, every listening service is reachable on every interface.)
Disable UAC remote restrictions for local accounts (registry)
This value does not turn UAC off. It removes the "remote UAC" token filter, so that every member of the local Administrators group (not only the built-in Administrator) receives a full administrative token when authenticating over the network (admin shares, PsExec, WinRM, WMI). That is exactly what pass-the-hash and lateral-movement tooling relies on, so set it only on machines where that remote access is intended; delete the value or set it to 0 to restore the default.
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Ask for admin privileges (script)
if (!([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
    # Not elevated: re-launch this script file through the UAC prompt and pass the
    # original positional arguments along. They live in $MyInvocation.UnboundArguments
    # ($MyInvocation.MyCommand has no such property, so the original line passed nothing).
    Start-Process -FilePath PowerShell.exe -Verb RunAs -ArgumentList "-File `"$($MyInvocation.MyCommand.Path)`" $($MyInvocation.UnboundArguments -join ' ')"
    Exit
}
Connect to M365 Online Exchange
Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
(A Microsoft sign-in window opens; authenticate there.)
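An added example (not from the original page) of the same connection done the way a scheduled script needs it: pinning the account for interactive use, certificate-based app-only authentication for unattended runs, and always disconnecting. The UPN, AppId, certificate thumbprint and tenant name are placeholders; the app registration is assumed to hold the Exchange.ManageAsApp application permission and an Exchange RBAC role.

```powershell
# Added example, not from the original page. All identifiers below are
# placeholders: replace the UPN, AppId, thumbprint and tenant name.
Import-Module ExchangeOnlineManagement

# Interactive: pin the account so the sign-in window does not silently
# reuse a cached identity, and suppress the banner for cleaner logs.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com' -ShowBanner:$false
Disconnect-ExchangeOnline -Confirm:$false

# Unattended: app-only auth with a certificate in the machine store, so no
# password or token is stored in the script. The certificate's private key
# is the secret; restrict read access on it to the account running the job.
try {
    Connect-ExchangeOnline -AppId '00000000-0000-0000-0000-000000000000' `
        -CertificateThumbprint '0000000000000000000000000000000000000000' `
        -Organization 'contoso.onmicrosoft.com' `
        -ShowBanner:$false

    # Any Exchange Online work goes here; a small read as a smoke test.
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Tear the session down even when the work above throws, otherwise the
    # token lingers in the runspace of a long-lived scheduler process.
    Disconnect-ExchangeOnline -Confirm:$false
}
```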
Set IP configuration to adapter
Small script to change the configuration
https://www.pdq.com/blog/how-to-use-powershell-to-set-static-and-dhcp-ip-addresses/
$IP = read-host "IP"
$MaskBits = read-host "MaskBits (24)"
$Gateway = read-host "Gateway"
$Dns = read-host "DNS Servers (8.8.8.8)"
$IPType = "IPv4"
# Retrieve the network adapter that you want to configure
$adapter = Get-NetAdapter | ? {$_.Name -eq "Ethernet"}
# Remove any existing IP, gateway from our ipv4 adapter
If (($adapter | Get-NetIPConfiguration).IPv4Address.IPAddress) {
$adapter | Remove-NetIPAddress -AddressFamily $IPType -Confirm:$false
}
If (($adapter | Get-NetIPConfiguration).Ipv4DefaultGateway) {
$adapter | Remove-NetRoute -AddressFamily $IPType -Confirm:$false
}
# Configure the IP address and default gateway
$adapter | New-NetIPAddress `
-AddressFamily $IPType `
-IPAddress $IP `
-PrefixLength $MaskBits `
-DefaultGateway $Gateway
# Configure the DNS client server IP addresses
$adapter | Set-DnsClientServerAddress -ServerAddresses ($Dns -split ',\s*')   # several servers can be given separated by commas
# Enable DHCP
$adapter = Get-NetAdapter | ? {$_.Name -eq "Ethernet"}
$interface = $adapter | Get-NetIPInterface -AddressFamily "IPv4"
$interface | Set-NetIPInterface -Dhcp Enabled
# Enabling DHCP does not clear statically set DNS servers; reset them as well
$adapter | Set-DnsClientServerAddress -ResetServerAddresses
Batch
Ask for admin cmd
:: BatchGotAdmin
:-------------------------------------
REM --> Check for permissions
IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" (
>nul 2>&1 "%SYSTEMROOT%\SysWOW64\cacls.exe" "%SYSTEMROOT%\SysWOW64\config\system"
) ELSE (
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
)
REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo Requesting administrative privileges...
goto UACPrompt
) else ( goto gotAdmin )
:UACPrompt
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
set params= %*
echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs"
exit /B
:gotAdmin
pushd "%CD%"
CD /D "%~dp0"
:--------------------------------------
Delete directory and user
rmdir C:\Users\Helpdesk /S /Q
NET USER Helpdesk /delete
(rmdir removes the profile files but leaves the profile's ProfileList registry entry behind; deleting the profile through the Win32_UserProfile WMI class or the System Properties > User Profiles dialog removes both.)
Create New user and add in group
NET USER Helpdesk /add /active:yes /passwordchg:no /passwordreq:no
WMIC USERACCOUNT WHERE "Name='Helpdesk'" SET PasswordExpires:FALSE
NET LOCALGROUP administrateurs Helpdesk /add
Caveats: /passwordreq:no creates the account with an empty password, and the last line makes it a local administrator, so every machine this runs on gets a blank-password admin account unless a password is passed as the second argument of NET USER. "administrateurs" is the French display name of the built-in Administrators group; on an English system it is "Administrators" (the group is always SID S-1-5-32-544 whatever the language). WMIC is deprecated and, on recent Windows 11 builds, an optional feature that is not installed by default.
SharedCalendar
Adding permissions
Add calendar permission to a user. Example: we grant user2 the "Editor" permission on user1's calendar.
Permissions
Owner — gives full control of the mailbox folder: read, create, modify, delete items/folders, and manage permissions;
PublishingEditor — read, create, modify, and delete items/subfolders (all permissions, except the right to change permissions);
Editor — read, create, modify, and delete items (can’t create subfolders);
PublishingAuthor — create, and read all items/subfolders. You can modify and delete only items that you have created;
Author — create and read items. Edit and delete own items;
NonEditingAuthor — full read access, and create items. You can delete only your own items;
Reviewer — read folder items only;
Contributor — create items and folders (can’t read items);
AvailabilityOnly — read Free/Busy time from the calendar;
LimitedDetails — view the availability, subject and location of appointments in the calendar;
None — no permissions to access folders and files.
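Before granting rights with the command below, it is worth knowing what is already shared. The following added example (not from the original page) lists, for every user mailbox, what the Default (everyone in the tenant) and Anonymous users can see on the calendar, flags anything beyond free/busy, and shows the remediation. It assumes an existing Connect-ExchangeOnline session; the set of rights treated as acceptable for Default is an assumption to adapt to your own policy.

```powershell
# Added example, not from the original page. Assumes Connect-ExchangeOnline
# has already been run. $allowedForDefault is an assumption: what Default and
# Anonymous may hold on a calendar without being reported.
$allowedForDefault = 'None', 'AvailabilityOnly', 'LimitedDetails'

function Get-CalendarFolderId {
    param([string]$Mailbox)
    # The calendar folder name is localized ("\Calendar", "\Calendrier", ...),
    # so resolve it by folder type instead of hard-coding the English name.
    $folder = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } |
        Select-Object -First 1
    # FolderPath is reported as "/Calendar"; folder identities use "mailbox:\Calendar".
    '{0}:{1}' -f $Mailbox, ($folder.FolderPath -replace '/', '\')
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $calendar = Get-CalendarFolderId -Mailbox $mbx.PrimarySmtpAddress
    foreach ($who in 'Default', 'Anonymous') {
        $perm = Get-MailboxFolderPermission -Identity $calendar -User $who -ErrorAction SilentlyContinue
        if (-not $perm) { continue }
        # AccessRights is a collection; report any right outside the allowed set.
        $extra = @($perm.AccessRights | Where-Object { $_ -notin $allowedForDefault })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{
                Calendar     = $calendar
                User         = $who
                AccessRights = ($perm.AccessRights -join ',')
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Remediation: bring Default back to free/busy only. Keep -WhatIf until the
# list above has been reviewed, then drop it.
foreach ($f in $findings | Where-Object User -eq 'Default') {
    Set-MailboxFolderPermission -Identity $f.Calendar -User Default -AccessRights AvailabilityOnly -WhatIf
}
```

The same Get-CalendarFolderId lookup also fixes the command below on non-English mailboxes, where ":\calendar" does not exist and the cmdlet fails with a folder-not-found error.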
Add-MailboxFolderPermission -Identity user1@domain:\Calendar -User user2@domain -AccessRights Editor
(user1@domain and user2@domain are placeholders. The folder name is localized: on a French-language mailbox it is \Calendrier, not \Calendar; Get-MailboxFolderStatistics -FolderScope Calendar shows the actual name.)
Sent items in a shared mailbox
Keep mails sent from a shared mailbox in that mailbox's Sent Items, rather than in the sending user's
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
Set-Mailbox <mailbox name> -MessageCopyForSentAsEnabled $True
(This covers "Send As" only; the matching switch for "Send on Behalf" is -MessageCopyForSendOnBehalfEnabled.)
RDS
Sources
https://www.petenetlive.com/kb/article/0001753
Explanation
RD Session Host: This is what does all the heavy lifting: it hosts the remote user sessions. Typically these are the servers in your deployment that suffer from resource constraints if you get something wrong. If you are running third-party line-of-business applications on them, make sure those applications are designed and optimised for RDS. Finally, depending on what your users do, consider whether better/faster/local storage on these servers is worth it.
RD Connection Broker: This role has two primary jobs: 1) connect remote users to the least utilised session host, and 2) reconnect users to the correct session host if they have dropped a connection or already have an open RDS session.
RD Web Access (RD Web Server): This provides a web logon portal so that RDS desktops and RemoteApp applications can be accessed over HTTPS. Remember that traffic being on HTTPS (TCP port 443) does not make it trusted or benign: nearly every exploit and attack these days uses HTTPS or SSH to move traffic in and out of your network, and unless you are decrypting and inspecting that HTTPS, it is no more visible to your defences than plain HTTP. Typically the RD Web server is deployed in a DMZ; in some small deployments it can also sit on the RD Connection Broker.
RD Licence Server: Typically this gets put on "another" server in the environment; the drawback is that people forget where it is, don't check before decommissioning a server, and find out a few days later that their licence server has disappeared. You install this role, register it with Microsoft, then finally add your licences to it.
