
PowerShell and other commands for 410

Sunday, September 4, 2016 6:02 PM

Lesson 1
To install the Windows Server Migration Tools feature using Windows PowerShell, use the following syntax:

Install-WindowsFeature Migration [-ComputerName <name>]
Import-SmigServerSetting
Export-SmigServerSetting

Export-DhcpServer -File C:\exportdir\dhcpexport.xml
Import-DhcpServer -File C:\exportdir\dhcpexport.xml


Lesson 2

To convert a Windows Server 2012 Server Core installation to the full GUI option, use the following Windows
PowerShell command:

Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart

To convert a full GUI server installation to Server Core, use the following command:

Uninstall-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart


To manage NIC teaming with Windows PowerShell, you use the cmdlets in the NetLbfoTeam module. To create a new
NIC team, you use the New-NetLbfoTeam cmdlet with the following basic syntax:

New-NetLbfoTeam -Name <team name> -TeamMembers <NIC1, NIC2, ...>
    [-TeamingMode LACP|Static|SwitchIndependent]
    [-LoadBalancingAlgorithm TransportPorts|IPAddresses|MacAddresses|HyperVPort]

To use an exported configuration file to install roles and features on another computer running Windows Server 2012,
use the following command in a Windows PowerShell session with elevated privileges:

Install-WindowsFeature -ConfigurationFilePath <ExportedConfig.xml>

Lesson 3: Configuring Local Storage

Lesson 4: Configuring File and Share Access

Lesson 5: Configuring Print and Document Services


Lesson 6:

Add Workgroup Server to Server Manager


AD DS systems authenticate by using the Kerberos protocol, but Windows
workgroup computers use an alternative authentication protocol called NTLM (NT
LAN Manager). Essentially, the remote server tries to log on to the workgroup server
and fails.

For the authentication to succeed, you must add the name of the workgroup server to the
TrustedHosts list on the computer running Server Manager, by using a Windows PowerShell
command with the following syntax:

Set-Item wsman:\localhost\Client\TrustedHosts <servername> -Concatenate -Force
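As an added example (not part of the original notes), the following PowerShell adds one workgroup server to TrustedHosts without replacing the entries already there, and checks for the wildcard entry "*", which disables the host check and lets NTLM credentials be sent to any name; the server name SRV-WG1 is a constructed placeholder.

```powershell
# Added example: append one host to WinRM TrustedHosts and audit the list.
# "SRV-WG1" is a constructed placeholder for the workgroup server's name.
$newHost = 'SRV-WG1'

# Read the current value; an empty string means no host is trusted yet.
$current = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
$entries = @()
if ($current) { $entries = $current -split ',' | ForEach-Object { $_.Trim() } }

# A "*" entry means credentials may be sent to any host name, so flag it.
if ($entries -contains '*') {
    Write-Warning 'TrustedHosts contains "*"; replace it with explicit server names.'
}

if ($entries -contains $newHost) {
    "$newHost is already in TrustedHosts; nothing to do."
} else {
    # -Concatenate appends to the existing list instead of overwriting it;
    # -Force suppresses the confirmation prompt.
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $newHost -Concatenate -Force
}

# Show the resulting list for the change record.
(Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
```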


Manage WinRM
To manage a remote server from the MMC, you need to enable the following INBOUND Windows Firewall rules on
the REMOTE SERVER:

COM+ Network Access (DCOM-In)
Remote Event Log Management (NP-In)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)

Configure Windows Firewall Rules

Install PowerShell Web Access

CONFIGURING A TEST INSTALLATION

To configure a test installation of the gateway application on a lab server, you can open an
elevated Windows PowerShell session and execute the following command:
Install-PswaWebApplication -UseTestCertificate

Now, the gateway site is ready to accept client connections, using the default URL:
https://<server name>/pswa. You can change this default URL and other configuration settings
by altering the cmdlet parameters.

Install-PswaWebApplication [-WebApplicationName <app name>]
    [-WebSiteName <site name>]
    [-UseTestCertificate]

The functions of the parameters are as follows:

-WebApplicationName enables you to specify an alternative to the default application
name, which is pswa. This is an important modification because it changes the URL that
clients use to access the gateway. For example, adding the -WebApplicationName
pshell parameter to the command line changes the URL of the gateway site to
https://<server name>/pshell.

-WebSiteName enables you to specify an alternative to the default site in which the
cmdlet installs the gateway application. By default, the cmdlet installs the gateway in the
Default Web Site site. Adding the -WebSiteName mgmt parameter installs the gateway
to an existing IIS site called mgmt.

-UseTestCertificate causes the server to create a self-signed certificate and bind it
to the website. This weakens the overall security of the site and is suitable only for a test
installation in a lab environment. The certificate associated with the site enables clients
to confirm that the server is operated by the supposed owner. This is only true, however,
when the certificate is issued by an authority that the client trusts. Any server can issue
its own self-signed certificate, so this is not a trustworthy arrangement. Instead, you
should obtain a certificate from a third-party organization that is trusted by the server
administrators and by the clients.

Lesson 7

Install Hyper-V

Create a New VM

New-VM -Name <name> -MemoryStartupBytes <bytes> -VHDPath <path to existing VHD>

New-VM -Name <name> -MemoryStartupBytes <bytes> -NewVHDPath <path> -NewVHDSizeBytes <bytes>

Configuring VM Memory

VM Smart Paging
Move-VMStorage -SmartPagingFilePath <path>
Set-VM -SmartPagingFilePath <path>

VM Resource Metering
Enable first:
Enable-VMResourceMetering -VMName <name> -ComputerName <host>
Enable-VMResourceMetering -ResourcePoolName <name> -ComputerName <host>
Enable-VMResourceMetering -VM <VM object>

Measure-VM -VMName <name>

Measure-VMResourcePool

New-VMResourcePool

Reset-VMResourceMetering

Lesson 8

Create a New VHD

Adding Virtual Disks to Virtual Machines


Add-VMHardDiskDrive -VMName <name> -ControllerType IDE|SCSI -ControllerNumber <number>

Add-VMHardDiskDrive -VMName <name> -DiskNumber <physical disk number>

Edit a VHD

Lesson 9

Create New Virtual Switch

Add VM Network Adapter


Add-VMNetworkAdapter -VMName <name> -Name <adapter name> -SwitchName <switch>

Connect existing VM Network Adapter


Connect-VMNetworkAdapter -VMName <name> -Name <network adapter name> -SwitchName <switch>

Configure VM Network Adapter


Set-VMNetworkAdapter -VMName <name>

Example 1
This example enables DHCP Guard on all the virtual network adapters of virtual machine Redmond. When DHCP
Guard is enabled, if virtual machine Redmond replies to requests from DHCP clients, these replies are dropped.
Windows PowerShell
PS C:\> Set-VMNetworkAdapter -VMName Redmond -DhcpGuard On

Example 2
This example enables port mirroring for all virtual network adapters on virtual machine Kirkland. When port mirroring
is enabled, every packet sent or received by this virtual machine is copied and sent to a monitoring virtual machine.
Windows PowerShell
PS C:\> Set-VMNetworkAdapter -VMName Kirkland -PortMirroring Source

Example 3
This example configures the virtual network adapter named PM_Dest as the destination for port mirroring, which
configures the virtual machine named Bellevue to monitor network traffic. That is, a copy of every packet sent or
received by a monitored virtual machine connected to the same virtual switch is sent to virtual machine Bellevue
through virtual network adapter PM_Dest.
Windows PowerShell
PS C:\> Set-VMNetworkAdapter -VMName Bellevue -Name PM_Dest -PortMirroring Destination

Example 4
This example enables VMQ and sets a weight of 100 on every virtual network adapter on the local host.
Windows PowerShell
PS C:\> Get-VMNetworkAdapter -All | Set-VMNetworkAdapter -VmqWeight 100

Example 5
This example configures NIC Teaming for all virtual network adapters of the virtual machine named Redmond.
Windows PowerShell
PS C:\> Get-VM Redmond | Set-VMNetworkAdapter -AllowTeaming On

Example 6
This example sets the same minimum bandwidth weight for all virtual network adapters of three virtual machines:
Redmond, Kirkland, and Bellevue. This configuration shares bandwidth equally among all of the virtual network
adapters of these virtual machines.
Windows PowerShell
PS C:\> Get-VMNetworkAdapter -VMName Redmond,Kirkland,Bellevue | Set-VMNetworkAdapter -MinimumBandwidthWeight 1

Other Switches:
-AllowTeaming On|Off
-RouterGuard On|Off
-StaticMacAddress <MAC address>
-DynamicMacAddress On|Off
-MacAddressSpoofing On|Off
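As an added example (not from the original notes), this PowerShell applies the three protective adapter settings above to one VM and then audits every VM on the local Hyper-V host for adapters that still allow MAC address spoofing or lack DHCP Guard or Router Guard; the VM name Redmond is reused from the examples above.

```powershell
# Added example: harden one VM's virtual NICs, then audit all VMs on this host.
# VM name "Redmond" is reused from the notes; the host is the local Hyper-V server.
$vmName = 'Redmond'

# Apply the baseline to every adapter of the VM:
#   -DhcpGuard On            drops DHCP server replies the VM tries to send (rogue DHCP server)
#   -RouterGuard On          drops router advertisements and redirects the VM tries to send
#   -MacAddressSpoofing Off  stops the VM from sending frames with a forged source MAC
Set-VMNetworkAdapter -VMName $vmName -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

# Audit: every adapter on the host whose settings are weaker than that baseline.
Get-VM | Get-VMNetworkAdapter |
    Where-Object {
        $_.MacAddressSpoofing -eq 'On' -or $_.DhcpGuard -ne 'On' -or $_.RouterGuard -ne 'On'
    } |
    Select-Object VMName, Name, SwitchName, MacAddressSpoofing, DhcpGuard, RouterGuard |
    Format-Table -AutoSize
```

An empty table from the audit means every adapter on the host matches the baseline.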

Configure VM Network Adapter VLAN


Set-VMNetworkAdapterVlan -VMName <name> -Access -VlanId <id>
Set-VMNetworkAdapterVlan -VMName <name> -Trunk -AllowedVlanIdList <x-y> -NativeVlanId <id>

Lesson 10

Setting IP Address

Set IP Address:

netsh interface ip set address name="Local Area Connection" static 192.168.0.1 255.255.255.0 192.168.0.254

Disable Windows IPv6 randomly generated interface ID


netsh interface ipv6 set global randomizeidentifiers=disabled

CONFIGURING TUNNELS MANUALLY


You can manually create semi-permanent tunnels that carry IPv6 traffic through an IPv4-only
network. When a computer running Windows Server 2012 or Windows 8 is functioning as
one end of the tunnel, you can use the following command:
netsh interface ipv6 add v6v4tunnel "interface" localaddress remoteaddress
In this command, interface is a friendly name you want to assign to the tunnel you are
creating; localaddress and remoteaddress are the IPv4 addresses forming the two ends of the
tunnel. An example of an actual command would be as follows:
netsh interface ipv6 add v6v4tunnel "tunnel" 206.73.118.19 157.54.206.43

Unique local unicast address (private IPv6): fd00::/8

Lesson 11

A DHCP server should not also be an active DHCP client. Before you install the DHCP Server role, be sure to configure
the target server with a static IP address.

Install DHCP

Authorize DHCP Server in DC
When you install the DHCP Server role on a computer that is a member of an AD DS domain,
the DHCP Server is automatically authorized to allocate IP addresses to clients that are also members
of the same domain. If the server is not a domain member when you install the role, and you join it
to a domain later, you must manually authorize the DHCP server in the domain. To do this, right-click the server node
in the DHCP console and, from the context menu, select Authorize.

Add-DhcpServerInDC -DnsName dhcpserver.contoso.com

Add DHCP Scope

Configure Scope Options

The Windows DHCP server supports two kinds of options:
Scope options: Supplied only to DHCP clients receiving addresses from a
particular scope.
Server options: Supplied to all DHCP clients receiving addresses from the
server.

DHCP WDS Configuration

The WDS server configuration procedure discussed earlier in this lesson assumes that you have
installed DHCP on the same computer as Windows Deployment Services. In many instances,
this is not the case, however.
When you are using an external DHCP server, you must also configure it manually to
include the custom option that provides WDS clients with the name of the WDS server.
To configure this option on a Windows Server 2008 DHCP server, use the following
procedure.

CONFIGURE A CUSTOM DHCP OPTION
GET READY. Log on to Windows Server 2012, using an account with Administrative
privileges.
1. In the Server Manager window, click Tools and then click DHCP. The DHCP console
appears.
2. Expand the server and IPv4 nodes.
3. Right-click the IPv4 node and, from the context menu, select Set Predefined
Options. The Predefined Options and Values dialog box appears, as shown in
Figure 11-20.
4. Click Add. The Option Type dialog box appears, as shown in Figure 11-21.
5. In the Name text box, type PXEClient.
6. From the Data type drop-down list, select String.
7. In the Code text box, type 060.
8. Click OK twice to close the Option Type and Predefined Options and Values
dialog boxes.
9. In the scope pane, right-click the Server Options node and, from the context menu,
select Configure Options. The Server Options dialog box appears.
10. In the Available Options list box, scroll down and select the 060 PXEClient option you
just created, as shown in Figure 11-22.
11. In the String value text box, type the name or IP address of your WDS server. Then,
click OK.
CLOSE the DHCP console.

Figure 11-21: The Option Type dialog box
Figure 11-22: The Server Options dialog box

This procedure adds the 060 custom option value you defined to all the DHCPOFFER
packets the DHCP server sends out to clients. When a client computer boots from a local
device, such as a hard drive or CD-ROM, the 060 option has no effect. However, when a
client performs a network boot after receiving and accepting an offered IP address from the
DHCP server, it connects to the WDS server specified in the 060 PXEClient option and uses
it to obtain the boot image file it needs to start.

Deploying a DHCP Relay Agent

Many routers can function as DHCP relay agents, but in situations where they cannot, you
can configure a Windows Server 2012 computer to function as a relay agent by using the
following procedure.

DEPLOY A DHCP RELAY AGENT
GET READY. Log on to Windows Server 2012, using an account with Administrative privileges.
1. In the Server Manager window, click Manage and then click Add Roles and Features.
The Add Roles and Features Wizard appears, displaying the Before you begin page.

THE BOTTOM LINE
If you opt to create a centralized or hybrid DHCP infrastructure, you need a DHCP relay
agent on every subnet that does not have a DHCP server on it.
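As an added example (not from the original notes), the same 060 PXEClient server option can be defined and set with the DhcpServer PowerShell module on a Windows Server 2012 DHCP server, which is the scripted equivalent of the console procedure above; the WDS server name wds01.adatum.com is a constructed placeholder.

```powershell
# Added example: define custom option 60 (PXEClient, string) and set it as a
# server-level option so it is included in every DHCPOFFER. Assumes the
# DhcpServer module (Windows Server 2012 or later) on the DHCP server itself.
# "wds01.adatum.com" is a constructed placeholder for the WDS server.
$wdsServer = 'wds01.adatum.com'

# Define the option only if this server does not already know option 60.
$definition = Get-DhcpServerv4OptionDefinition -OptionId 60 -ErrorAction SilentlyContinue
if (-not $definition) {
    Add-DhcpServerv4OptionDefinition -OptionId 60 -Name 'PXEClient' -Type String `
        -Description 'WDS server used by PXE clients for network boot'
}

# Set the value at server level (the "Server Options" node in the console).
# Clients that boot from local disk ignore it; PXE clients use it to find WDS.
Set-DhcpServerv4OptionValue -OptionId 60 -Value $wdsServer

# Verify what the server will actually hand out.
Get-DhcpServerv4OptionValue -OptionId 60 | Select-Object OptionId, Name, Value
```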

Lesson 12

DNS

Global Query Block List: List of protocols which aren't allowed to be updated via Dynamic DNS update;

Set-DnsServerGlobalQueryBlockList
Get-DnsServerGlobalQueryBlockList

dnscmd [<ServerName>] /info /globalqueryblocklist

Windows Server 2012 includes a new Windows PowerShell module that, for the first time, enables you to
manage DNS servers from the command line without using elaborate Windows Management
Instrumentation (WMI) scripts. After installing the DNS Server role using the Install-WindowsFeature cmdlet, you can
create a zone on the DNS server using the Add-DnsServerPrimaryZone cmdlet with the following
basic syntax:

ADD PRIMARY ZONE
Add-DnsServerPrimaryZone -Name <name>
    -ReplicationScope Forest|Domain|Legacy|Custom
    [-DynamicUpdate None|Secure|NonsecureAndSecure]

For example, to create a zone called Paris in the adatum.com domain, you would use the
following command:
Add-DnsServerPrimaryZone -Name Paris.adatum.com
    -ReplicationScope Forest

ADD RESOURCE RECORD A
To create an Address resource record with Windows PowerShell, you use the
Add-DnsServerResourceRecordA cmdlet, using the following syntax:

Add-DnsServerResourceRecordA -Name <name>
    -ZoneName <name> -IPv4Address <address>

For example, to create a resource record for a host called Client1, use the following
command:

Add-DnsServerResourceRecordA -Name Client1
    -ZoneName paris.adatum.com -IPv4Address 192.168.4.76

DNS FORWARDER
Get-DnsServerForwarder

Set-DnsServerForwarder -IPAddress <address>
(replaces DNS server forwarding to the IP specified)

Remove-DnsServerForwarder -IPAddress <address>

Add-DnsServerForwarder -IPAddress <ip address to forward to>

ADD CONDITIONAL FORWARDER

Add-DnsServerConditionalForwarderZone -Name Tailspintoys.com -MasterServers <parent domain DNS IP> -ReplicationScope "Forest"

Trick to prevent DNS from resolving internet host names:
Create a primary zone named "."
This converts the server to a root server.
https://support.microsoft.com/en-us/kb/231794

Lesson 13

Install AD DS
Install-WindowsFeature AD-Domain-Services

Install New Forest
Install-ADDSForest

Add New Domain Controller
Install-ADDSDomainController

Add New Domain to existing forest
Install-ADDSDomain

IFM (Install From Media)
Create IFM media first on a DC:
To create Install From Media (IFM) media, you must run the Ntdsutil.exe program
on a domain controller running the same version of Windows that you intend to deploy.
The program is interactive, requiring you to enter a sequence of commands such as
the following:
Ntdsutil launches the program.
Activate instance ntds focuses the program on the installed AD DS instance.
Ifm switches the program into IFM mode.
Create Full|RODC <pathname> creates media for either a full read/write domain
controller or a read-only domain controller and saves it to the folder specified by the
pathname variable.

Ntdsutil > activate instance ntds > Ifm > Create Full c:\ifm

Transfer the IFM media to the computer you want to install on.

DEMOTE DC (Removing a domain controller)

Uninstall-ADDSDomainController -ForceRemoval
    -LocalAdministratorPassword <password> -Force

Global Catalog Config
Active Directory Sites and Services > Default-First-Site-Name > Servers > ServerA >
Right-click the NTDS Settings node, Properties

Test if Domain is Registered in DNS
dcdiag /test:registerindns /dnsdomain:<domain name> /v

FSMO ROLES

Forest Wide Roles:
Schema Master
The schema is shared between every Tree and Domain in a forest and must be consistent between all
objects. The schema master controls all updates and modifications to the schema.
Domain Naming
When a new Domain is added to a forest the name must be unique within the forest. The Domain
naming master must be available when adding or removing a Domain in a forest.

Domain Wide Roles:
Relative ID (RID) Master
Allocates RIDs to DCs within a Domain. When an object such as a user, group or computer is created
in AD it is given a SID. The SID consists of a Domain SID (which is the same for all SIDs created in
the domain) and a RID which is unique to the Domain.
When moving objects between domains you must start the move on the DC which is the RID master
of the domain that currently holds the object.
PDC Emulator
The PDC emulator acts as a Windows NT PDC for backwards compatibility; it can process updates to a
BDC.
It is also responsible for time synchronising within a domain.
It is also the password master (for want of a better term) for a domain. Any password change is
replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password
the logon request is passed to the PDC emulator to check the password before rejecting the login
request.
Infrastructure Master
The infrastructure master is responsible for updating references from objects in its domain to objects
in other domains. The global catalogue is used to compare data as it receives regular updates for all
objects in all domains.

NOTE: RID MASTER IS REQUIRED TO BE ONLINE FOR DOMAIN JOINS. IF RID MASTER DC IS OFFLINE,
COMPUTERS CANNOT JOIN DOMAIN

Transferring FSMO ROLES
In command line (> means press enter)

Ntdsutil >
roles >
connections >
connect to server <servername> (name of the server you are transferring roles to; can be the server
you are on right now) >
q >
transfer <role name> >
q >
q >

List of role names for ntdsutil:

RID master
Schema master
Domain naming master
PDC
Infrastructure master

(to transfer the PDC emulator, type "transfer pdc", NOT "transfer pdc emulator")

Lesson 14
Adding Users:

Dsadd.exe user "CN=Elizabeth Andersen,OU=Research,DC=adatum,DC=local" ^
    -samid "eander" -fn "Elizabeth" -ln "Andersen" ^
    -disabled no -mustchpwd yes -pwd "Pa$$w0rd"

# -AccountPassword expects a SecureString. The password is single-quoted because
# inside double quotes PowerShell would expand "$$" to the current process ID.
New-ADUser `
    -Name "Elizabeth Andersen" `
    -SamAccountName "eander" `
    -GivenName "Elizabeth" `
    -Surname "Andersen" `
    -Path 'OU=Research,DC=adatum,DC=local' `
    -Enabled $true `
    -AccountPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force) `
    -ChangePasswordAtLogon $true

Filter Users by Logon Date
$logonDate = New-Object System.DateTime -ArgumentList 2007, 1, 1
Get-ADUser -Filter { lastLogon -le $logonDate }

# Bulk creation from a CSV whose columns are SamAccountName, Name, Surname, GivenName.
Import-Csv usersFinance.csv | ForEach-Object {
    New-ADUser -SamAccountName $_.SamAccountName `
        -Name $_.Name -Surname $_.Surname `
        -GivenName $_.GivenName `
        -Path "OU=Research,DC=adatum,DC=COM" `
        -AccountPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force) `
        -Enabled $true
}

Adding Computer

dsadd computer <ComputerDN>

New-ADComputer -Name <computer name> -Path <distinguished name>

Joining Computer to Domain
netdom join <computername> /Domain:<DomainName>
    [/UserD:<User> /PasswordD:<UserPassword>] [/OU:<OU DN>]

Add-Computer -DomainName <domain name>

Limit how many AD objects someone can add:
dsadd quota

Joining a Domain While Offline

In these cases, it is possible to perform an offline domain join, by using a
command-line program called Djoin.exe.

The offline domain join procedure requires you to run the Djoin.exe program twice, once on
a computer with access to a domain controller, and then again on the computer to be joined.
When connected to the domain controller, the program gathers computer account metadata
for the system to be joined and saves it to a file. The syntax for this phase of the process is as
follows:

djoin /provision /domain <domain name>
    /machine <computer name> /savefile <filename.txt>

djoin /requestODJ /loadfile <filename.txt>
    /windowspath %SystemRoot% /localos

Djoin requests an offline domain join AFTER a computer restarts

Assigning User Rights
User rights are Group Policy settings that provide users with the capability to perform certain system-related tasks.
For example, logging on locally to a domain controller requires that a user has the Log On Locally right assigned to
his or her account or be a member of the Account Operators, Administrators, Backup Operators, Print Operators, or
Server Operators group on the domain controller. Other similar settings included in this collection are related to
user rights associated with system shutdown, taking ownership privileges of files or objects, restoring files and
directories, and synchronizing directory service data. For more information on user rights assignment, refer to
Objective 6.2, Configure Security Policies, in Lesson 17.

Disable or Enable User Account

Disable-ADAccount -Identity <account name>
Enable-ADAccount -Identity <account name>

Lesson 15

Add New OU

New-ADOrganizationalUnit -Name UserAccounts -Path "DC=FABRIKAM,DC=COM"

Creating New Groups

dsadd group "CN=Sales,DC=adatum,DC=com" -member
    "CN=Administrator,CN=Users,DC=adatum,DC=com"

To create a new group object by using Windows PowerShell, you use the New-ADGroup cmdlet, with the
following syntax:
New-ADGroup
    -Name <group name>
    -SamAccountName <SAM name>
    -GroupCategory Distribution|Security
    -GroupScope DomainLocal|Global|Universal
    -Path <distinguished name>

For example, to create a global security group called Sales in the Chicago OU, you use the following command:

New-ADGroup -Name Sales -SamAccountName Sales
    -GroupCategory Security -GroupScope Global
    -Path "OU=Chicago,DC=Adatum,DC=Com"

Restricted Groups Policies
When you create Restricted Groups policies, you can specify the membership for a group and enforce it, so that
no one can add or remove members. You can modify membership with other tools, but the next time gpupdate happens, the group
membership list will be overwritten by the policy.

Modifying Groups

dsmod group <GroupDN> [parameters]

Can add, remove members;
Change group type and scope

The most commonly used command-line parameters for Dsmod.exe are as follows:
-secgrp yes|no sets the group type to security group (yes) or distribution group (no).
-scope l|g|u sets the group scope to domain local (l), global (g), or universal (u).
-addmbr <members> adds members to the group. Replace members with the DNs of
one or more objects.
-rmmbr <members> removes members from the group. Replace members with the
DNs of one or more objects.
-chmbr <members> replaces the complete list of group members. Replace members
with the DNs of one or more objects.
For example, to add the Administrator user to the Guests group, you use the following
command:
dsmod group "CN=Guests,CN=Builtin,DC=adatum,DC=com"
    -addmbr "CN=Administrator,CN=Users,DC=adatum,DC=com"

Lesson 16

Central Store
By default, GPO files (ADM and ADMX files) are stored on each computer. This creates unnecessary bloat. The Central Store fixes this
by storing GPO files on domain controllers and having computers access those.

To use a
Central Store, however, you must create the appropriate folder in the SYSVOL volume on
a domain controller.
By default, tools such as the Group Policy Management console save the ADMX
files to the \%systemroot%\PolicyDefinitions folder, which on most computers is
C:\Windows\PolicyDefinitions. To create a Central Store, you must copy the entire
PolicyDefinitions folder to the same location as the Group Policy templates, that is,
%systemroot%\SYSVOL\sysvol\<domain name>\Policies, or, in UNC notation,
\\<domain name>\SYSVOL\<domain name>\Policies.

New GPO

New-GPO -Name <name> -Domain <name> -StarterGpoName <name>

When you run the New-GPO cmdlet, the cmdlet returns the name of the newly created GPO. You can
pipe that name to the New-GPLink cmdlet, which links the GPO to the domain, site, or OU
using the following syntax:

New-GPLink -Name <link name> -Target <LDAP path>

For example, to create a new GPO called Test1 and link it to the adatum.com domain, you use the
following command:

New-GPO -Name Test1 | New-GPLink -Target "dc=adatum,dc=com"

Enforce
Configuring the Enforce setting on an individual GPO link forces a particular GPO's settings
to flow down through the AD DS hierarchy, without being blocked by child OUs.

Because child container settings
can overwrite the settings that were invoked at a parent container, you can assign the Enforce
attribute to a GPO link to force a parent setting, preventing it from being overwritten by a
conflicting child setting. The Enforce option denies the capability of child objects to apply
the Block Policy Inheritance setting.

Loopback Processing
As the name implies, Loopback Processing enables the Group Policy processing order to
circle back and reapply the computer policies after all user policies and logon scripts run.
When you enable loopback processing, you can choose the Merge option or the Replace
option. When you select the Merge option, after all user policies run the system reapplies
the computer policy settings, which enables all current GPO settings to merge with the
reapplied computer policy settings. In instances where conflicts arise between computer
and user settings, the computer policy supersedes the user policy. This occurs before the
desktop is presented to the user. The system simply appends the settings to those that were
already processed. Merging might not overwrite all the settings implemented by the User
Configuration settings.

Lesson 17
Import GPO

Import-GPO -BackupGpoName TestGPO -TargetName TestGPO -Path c:\backups

OPTIMIZING GROUP POLICY PROCESSING
When you create a GPO that contains computer or user settings, but not both, you can
disable the settings area that is not configured for faster processing. For example, to configure
a computer policy that applies to all computers within an OU, you should disable the User
Configuration node settings so that the policy processing is faster. When one part of the
policy is disabled, systems ignore that section and disregard the settings in it.

Lesson 18
SOFTWARE RESTRICTION POLICIES
Hash Rules
Creating a hash rule for an
application executable prevents the application from running if the hash value is not correct.
Because the hash value is based on the file itself, you can move the file from one location
to another and it will still function. If the executable file is altered in any way, such as if it
is modified or replaced by a worm or virus, the hash rule in the software restriction policy
prevents the file from running.

CERTIFICATE RULES
A certificate rule uses the digital certificate associated with an application to confirm
its legitimacy. You can use certificate rules to enable software from a trusted source to run
or to prevent software that does not come from a trusted source from running. You can also
use certificate rules to run programs in disallowed areas of the operating system.

PATH RULES
A path rule identifies software by specifying the directory path where the application is
stored in the file system.

Path rules can specify either a location in the file system where application files are located or a
registry path setting. Registry path rules provide assurance that the application executables will
be found even if the application is moved to a different folder.

NETWORK ZONE RULES
Network zone rules apply only to Windows Installer packages that attempt to install from
a specified zone, such as a local computer, a local intranet, trusted sites, restricted sites, or
the Internet. You can configure this type of rule to enable Windows Installer packages to be
installed only if they come from a trusted area of the network. For example, an Internet zone
rule can restrict Windows Installer packages from being downloaded and installed from the
Internet or other network locations.

APPLOCKER

You can use Windows PowerShell to create a new AppLocker policy, using a combination of the
Get-AppLockerFileInformation and New-AppLockerPolicy cmdlets.

The Get-AppLockerFileInformation cmdlet returns the information about a file (or files) needed to create the
policy, including the publisher information, the file hash, and the file path, as shown in Figure 18-24.

You can pipe the results of the Get-AppLockerFileInformation cmdlet directly to the New-AppLockerPolicy cmdlet to create the
policy, using the following syntax:

Get-AppLockerFileInformation <path>
    | New-AppLockerPolicy -RuleType Publisher|Hash|Path
    -User <security principal>

For example, to create a new AppLocker policy for the Windows Calculator application, you can use the
following command:
Get-AppLockerFileInformation C:\Windows\System32\Calc.exe
    | New-AppLockerPolicy -RuleType Hash
    -User Everyone
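As an added example (not from the original notes) that goes beyond the single-file command above, this PowerShell builds an AppLocker policy for every executable, DLL, script and installer under an application folder, switches the resulting rule collections to AuditOnly enforcement so nothing is blocked until the rules have been validated, merges it into the local policy, and tests one file against it; the folder C:\Program Files\ContosoApp and the file ContosoApp.exe are constructed placeholders.

```powershell
# Added example: folder-wide AppLocker policy, deployed in audit mode first.
# "C:\Program Files\ContosoApp" and "ContosoApp.exe" are constructed placeholders.
$appDir  = 'C:\Program Files\ContosoApp'
$xmlPath = Join-Path $env:TEMP 'ContosoApp-AppLocker.xml'

# Publisher rules for signed files, hash rules for the rest; -Optimize collapses
# duplicate publisher rules into one rule per publisher/product.
Get-AppLockerFileInformation -Directory $appDir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix ContosoApp -Optimize -Xml |
    Out-File -FilePath $xmlPath -Encoding UTF8

# Force every rule collection to AuditOnly: matches are written to the AppLocker
# event log instead of being blocked, so gaps in the rule set surface safely.
[xml]$policy = Get-Content -Path $xmlPath -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($xmlPath)

# Merge into the local AppLocker policy (add -Ldap <GPO path> to target a GPO).
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# Check a specific file against the policy before moving to enforcement.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path (Join-Path $appDir 'ContosoApp.exe') -User Everyone
```

Switching the collections to Enabled is a later, deliberate step once the audit log shows no legitimate files being flagged.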

Lesson 19 Firewall

Change Network Profile
PS C:\> $Profile = Get-NetConnectionProfile -InterfaceAlias Ethernet1

PS C:\> $Profile.NetworkCategory = "Private"

PS C:\> Set-NetConnectionProfile -InputObject $Profile

Create Firewall Rules using PowerShell
You can create new Windows Firewall rules with Windows PowerShell by using the New-NetFirewallRule cmdlet
with the following basic syntax:

New-NetFirewallRule -DisplayName <name>
    -Direction Inbound|Outbound -Action Block|Allow
    -LocalPort <number> -Protocol TCP|UDP -Program <name>

For example, to create a rule that blocks all inbound traffic through TCP port 80:

New-NetFirewallRule -DisplayName "Block80"
    -Direction Inbound -Action Block
    -LocalPort 80 -Protocol TCP
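As an added example (not from the original notes), this PowerShell shows the other side of the same cmdlet: an allow rule that is narrowed to one profile and one source subnet, followed by an audit of every enabled inbound rule that allows TCP 3389 and where it allows it from; the subnet 10.20.30.0/24 is a constructed placeholder.

```powershell
# Added example: scoped allow rule plus an audit of what currently allows TCP 3389.
# "10.20.30.0/24" is a constructed placeholder for the management subnet.
$mgmtSubnet = '10.20.30.0/24'

# Allow RDP only on the Domain profile and only from the management subnet.
New-NetFirewallRule -DisplayName 'Allow RDP from management subnet' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $mgmtSubnet -Profile Domain -Enabled True

# Audit: which enabled inbound rules allow TCP 3389, on which profile, from where?
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $portFilter.Protocol -eq 'TCP' -and $portFilter.LocalPort -contains '3389'
    } |
    ForEach-Object {
        $addressFilter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addressFilter.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

A rule in the audit output with RemoteAddress "Any" is the one to tighten; port ranges such as 3389-3390 are not matched by the exact-port comparison used here.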

Firewall cmds:
Netsh advfirewall
(look up online for examples, list too extensive)

Import and Export firewall rules:
netsh advfirewall export "c:\advfirewallpolicy.wfw"
netsh advfirewall import "c:\advfirewallpolicy.wfw"

GPO and Firewall

Group Policy does not overwrite the entire Windows Firewall configuration, as importing a
policy file does. When you deploy firewall rules and settings by using Group Policy, the rules
in the GPO are combined with the existing rules on the target computers. The only exception
is when you deploy rules with the same names as existing rules. Then, the GPO settings
overwrite those found on the target computers.

Connection Security Rules

Connection security rules define the type of protection you want to apply to the
communications that conform to Windows Firewall rules.

netsh advfirewall set global statefulftp enable

Allows connections for FTP traffic that initially connects on one port, but has data connecting through a different
dynamic port.
