WIN

Windows/Microsoft 365 documentation + Powershell & Batch scripting

Licensing

Keys (not tested)

https://gist.github.com/rvrsh3ll/0810c6ed60e44cf7932e4fbae25880df

Security

Password

Fine-grained password

https://www.techtarget.com/searchsecurity/tutorial/How-to-enable-Active-Directory-fine-grained-password-policies

Fine-grained password policies enable security and Active Directory admins to define password settings for individual user accounts and global groups. This enables far greater security than the Group Policy Default Domain Policy, which enforces a single password policy for all domain members.

Powershell

Deploy AD

Install-WindowsFeature AD-Domain-Services
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "fanha.local" `
-DomainNetbiosName "FANHA" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

Syntax tips

“| % “: remplace le foreach-object

Get-ADUser -Filter * -SearchBase $OUpath | % { Set-ADUser -Identity $_.DistinguishedName -Manager $managerFGO_DN }

Conditions

Operator

Comparison

-eq

equals

-ne

not equals

-gt

greater than

-ge

greater than or equal

-lt

less than

-le

less than or equal

-like

string matches wildcard pattern

-notlike

string does not match wildcard pattern

-match

string matches regex pattern

-notmatch

string does not match regex pattern

-contains

collection contains a value

-notcontains

collection does not contain a value

-in

value is in a collection

-notin

value is not in a collection

-is

both objects are the same type

-isnot

the objects are not the same type

-not

negates the statement

Disable firewall

# All
netsh advfirewall set allprofiles state off

# Domain, public or private network
netsh advfirewall set domainprofile state off (publicprofile or privateprofile)

Disable UAC (change value in REGEDIT)

REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Ask for admin privileges (script)

if(!([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
 Start-Process -FilePath PowerShell.exe -Verb Runas -ArgumentList "-File `"$($MyInvocation.MyCommand.Path)`"  `"$($MyInvocation.MyCommand.UnboundArguments)`""
 Exit
}

Connect to M365 Online Exchange

Install-Module ExchangeOnlineManagement

Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline 

(Une fenêtre de connexion Microsoft va s'ouvrir, depuis là, nous pourrons nous connecter)

Set IP configuration to adapter

Mini script pour modifier la configuration
https://www.pdq.com/blog/how-to-use-powershell-to-set-static-and-dhcp-ip-addresses/

$IP = read-host "IP"
$MaskBits = read-host "MaskBits (24)"
$Gateway = read-host "Gateway"
$Dns = read-host "DNS Servers (8.8.8.8)"
$IPType = "IPv4"

# Retrieve the network adapter that you want to configure
$adapter = Get-NetAdapter | ? {$_.Name-eq "Ethernet"}

# Remove any existing IP, gateway from our ipv4 adapter
If (($adapter | Get-NetIPConfiguration).IPv4Address.IPAddress) {
 $adapter | Remove-NetIPAddress -AddressFamily $IPType -Confirm:$false
}
If (($adapter | Get-NetIPConfiguration).Ipv4DefaultGateway) {
 $adapter | Remove-NetRoute -AddressFamily $IPType -Confirm:$false
}

 # Configure the IP address and default gateway
$adapter | New-NetIPAddress `
 -AddressFamily $IPType `
 -IPAddress $IP `
 -PrefixLength $MaskBits `
 -DefaultGateway $Gateway
 
# Configure the DNS client server IP addresses
$adapter | Set-DnsClientServerAddress -ServerAddresses $DNS

# Enable DHCP
$adapter = Get-NetAdapter | ? {$_.Name-eq "Ethernet"}
$interface = $adapter | Get-NetIPInterface -AddressFamily "IPv4"
$interface | Set-NetIPInterface -Dhcp Enabled

Batch

Ask for admin cmd

:: BatchGotAdmin
:-------------------------------------
REM  --> Check for permissions
    IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" (
>nul 2>&1 "%SYSTEMROOT%\\SysWOW64\\cacls.exe" "%SYSTEMROOT%\\SysWOW64\\config\\system"
) ELSE (
>nul 2>&1 "%SYSTEMROOT%\\system32\\cacls.exe" "%SYSTEMROOT%\\system32\\config\\system"
)

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\\getadmin.vbs"
    set params= %*
    echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\\getadmin.vbs"

    "%temp%\\getadmin.vbs"
    del "%temp%\\getadmin.vbs"
    exit /B

:gotAdmin
    pushd "%CD%"
    CD /D "%~dp0"
:--------------------------------------

Delete directory and user

rmdir C:\\Users\\Helpdesk /S /Q
NET USER Helpdesk /delete

Create New user and add in group

NET USER Helpdesk /add /active:yes /passwordchg:no /passwordreq:no
WMIC USERACCOUNT WHERE "Name='Helpdesk'" SET PasswordExpires:FALSE
NET LOCALGROUP administrateurs Helpdesk /add

M365

SharedCalendar

Adding permissions

Add calendar permission to a user. Exemple: We add the permissions “Editor” to user2 on the calendar of user1.

Permissions
- Owner — gives full control of the mailbox folder: read, create, modify, delete items/folders, and manage permissions;
- PublishingEditor — read, create, modify, and delete items/subfolders (all permissions, except the right to change permissions);
- Editor — read, create, modify, and delete items (can’t create subfolders);
- PublishingAuthor — create, and read all items/subfolders. You can modify and delete only items that you have created;
- Author — create and read items. Edit and delete own items;
- NonEditingAuthor — full read access, and create items. You can delete only your own items;
- Reviewer — read folder items only;
- Contributor — create items and folders (can’t read items);
- AvailabilityOnly — read Free/Busy time from the calendar;
- LimitedDetails — view the availability, subject and location of appointments in the calendar;
- None — no permissions to access folders and files.

Add-MailboxFolderPermission -Identity [email protected]:\\calendar -user [email protected] -AccessRights Editor

Eléments envoyés dans boîte partagée

Mettre les mails envoyés depuis une boîte partagée dans les éléments envoyés de cette dernière, et non dans celle de l’utilisateur

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline 
set-mailbox <mailbox name> -MessageCopyForSentAsEnabled $True

RDS

Sources

https://www.petenetlive.com/kb/article/0001753

Explanation

RD Session Host: This is what does all the heavy lifting, it hosts the remote user sessions. Typically these will be the server(s) in your deployment that suffer with recourse constraints if you get something wrong. As I’ve mentioned above if you’re running 3rd Party Line of Business applications on here MAKE sure they are designed and optimised for RDS. Finally based on what your users are doing is it worth having better/faster/local storage on these servers.

RD Connection Broker: This role had two primary jobs, 1) Connect remote users to the least utilised session hosts, and 2) Reconnect users to the correct session host if they’ve dropped a connection, or have an existing open RDS session.

RD Web Server: This provides a web logon portal for RDS so that RDS desktops and applications can be accessed over HTTPS. Remember just because traffic is on HTTPS (TCP port 443) do not assume it’s trusted and non malicious. Nearly every exploit and attack these days used HTTPS or SSH to get traffic in and out of your network. Unless you are inspecting https it’s not more secure than http! Typically the RD Web server is deployed in a DMZ. In some small deployments it can also be on the RD Connection broker.

RD Licence Server: Typically this gets put on ‘Another‘ server in the environment, the draw back of this is people forget where it is, and don’t check before decommissioning a server then find out a few days later their licence server disappeared. You install this role, then register it with Microsoft, then finally add your licences to it.

PreviousSys NextAnsible

Last updated 11 months ago

hashtagLicensing

hashtagKeys (not tested)

hashtagSecurity

hashtagPassword

hashtagFine-grained password

hashtagPowershell

hashtagDeploy AD

hashtagSyntax tips

hashtagConditions

hashtagDisable firewall

hashtagDisable UAC (change value in REGEDIT)

hashtagAsk for admin privileges (script)

hashtagConnect to M365 Online Exchange

hashtagSet IP configuration to adapter

hashtagBatch

hashtagAsk for admin cmd

hashtagDelete directory and user

hashtagCreate New user and add in group

hashtagM365

hashtagSharedCalendar

hashtagAdding permissions

hashtagEléments envoyés dans boîte partagée

hashtagRDS

hashtagSources

hashtagExplanation