@Celoxocis
Celoxocis / fix_roaming_profile_perms.bat
Created January 24, 2018 13:08 — forked from chetan/fix_roaming_profile_perms.bat
Fix permissions on a roaming profile folder
REM usage: fix_perms.bat <username>
REM Recursively assign ownership to Administrators. Answer prompts with "Y".
takeown /R /A /F %1 /D Y
REM Grant Full permissions on folder and subfolders to Administrators, SYSTEM, and the user
cacls %1 /T /E /P "Administrators":F
cacls %1 /T /E /P SYSTEM:F
cacls %1 /T /E /P %1:F
REM Set owner back to UserName
subinacl.exe /noverbose /subdirectories %1\*.* /setowner=%1
Disable
Set-ADObject -Identity (Get-ADDomainController -Identity $env:ComputerName).NTDSSettingsObjectDN -Replace @{options='0'}
Enable
Set-ADObject -Identity (Get-ADDomainController -Identity $env:ComputerName).NTDSSettingsObjectDN -Replace @{options='1'}
where "$env:ComputerName" = the current DC.
dcdiag /test:ridmanager /v
then scroll down to:
Starting test: RidManager
* Available RID Pool for the Domain is 2100 to 1073741823
* NE-DC1.adatum.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1600 to 2099
* rIDPreviousAllocationPool is 1600 to 2099
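# Set the Schannel SSL/TLS cipher suite order policy. The list ends with 3DES and RC4 suites (both deprecated), and every entry uses static RSA key exchange, so none provides forward secrecy.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -Name "Functions" -Value "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA"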
# Install-ADDSDomainController -NoGlobalCatalog:$true -Credential (Get-Credential) -CriticalReplicationOnly:$false -DatabasePath "C:\Windows\NTDS" -DomainName "adatum.com" -InstallDns:$false -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -ReplicationSourceDC "NE-DC1.adatum.com" -SiteName "Default-First-Site-Name" -SysvolPath "C:\Windows\SYSVOL" -Force:$true
Invoke-Command -ComputerName NE-DC2 { Install-ADDSDomainController -NoGlobalCatalog:$true -Credential (Get-Credential) -CriticalReplicationOnly:$false -DatabasePath "C:\Windows\NTDS" -DomainName "adatum.com" -InstallDns:$false -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -ReplicationSourceDC "NE-DC1.adatum.com" -SiteName "Default-First-Site-Name" -SysvolPath "C:\Windows\SYSVOL" -Force:$true -SafeModeAdministratorPassword (Read-Host -Prompt "SafeModeAdministratorPassword" -AsSecureString) }
@Celoxocis
Celoxocis / powershell_commands.md
Created February 14, 2018 13:26
Collection of handy PowerShell commands

PowerShell Commands

Sanity check (i.e., change term window size)

mode con:cols=150 lines=50

Set execution policy

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Unset execution policy

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Undefined

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
URL=http://pki.adatum.com/pki/cps.html
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
# On RootCA
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName "Bedrock Root Certificate Authority" -KeyLength 4096 -HashAlgorithm SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -ValidityPeriod Years -ValidityPeriodUnits 20 -Force
# On SubCA
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "Bedrock Enterprise Certificate Authority" -KeyLength 4096 -HashAlgorithm SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -Force
$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\BEDROCK-ROOT%8%9.crl -PublishToServer -PublishDeltaToServer -Force
Add-CACRLDistributionPoint -Uri http://pki.bedrock.domain/pki/BEDROCK-ROOT%8%9.crl -AddToCertificateCDP -AddToFreshestCrl -Force
Get-CAAuthorityInformationAccess | where {$_.Uri -like '*ldap*' -or $_.Uri -like '*http*' -or $_.Uri -like '*file*'} | Remove-CAAuthorityInformationAccess -Force
Add-CAAuthorityInformationAccess -AddToCertificateAia http://pki.bedrock.domain/pki/BEDROCK-ROOT%3%4.crt -Force
certutil.exe -setreg CA\CRLPeriodUnits 20
certutil.exe -setreg CA\CRLPeriod "Years"
certutil.exe -setreg CA\CRLOverlapPeriodUnits 3
certutil.exe -setreg CA\CRLOverlapPeriod "Weeks"
certutil.exe -setreg CA\ValidityPeriodUnits 10