2015. január 9., péntek

How to remote control your domain Windows 7 computers via remote powershell and remote registry from a Windows 2012 domain controller

From briantist.com

If you are lucky enough to have no machines in your environment below Windows 7 / 2008 R2 (where do you work?!) then this is the only one you need. All of the settings we are using will be in Computer Configuration so if you want to disable User Configuration as I have go ahead.
  1. Create your GPO, name it what you want, place it where you want, etc.
  2. Edit your policy.

Enabling WinRM

  1. Browse to:
    Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
    1. Open the “Allow Remote Server management through WinRM” policy setting (Server 2008 R2 and later).
    2. Open the “Allow automatic configuration of listeners” policy setting (Server 2008 and earlier).
  2. Set the Policy to Enabled.
  3. Set the IPv4 and IPv6 filters to * unless you need something specific there (check out the help on the right).

Setting the Firewall Rules

You can use the new Firewall with Advanced Features policy to configure the rule instead, but this will only work on Vista and above. Additionally, you should configure this from a Windows 7 / 2008 R2 machine because of a difference in the pre-defined rule.

  1. Browse to:
    Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall… > Inbound Rules
  2. Right click and choose “New Rule…”
  3. Choose the “Windows Remote Management” pre-defined rule.
  4. When you click next you should see the two rules that will be added.
  5. Click next, choose to Allow the connection, and then Finish.

Service Configuration

At this point we have enough in place to get this working, but I like to do a few more things to ensure that the WinRM service is configured to start automatically and to restart on failure.
  1. Browse to:
    Policies > Windows Settings > Security Settings > System Services
  2. Find the “Windows Remote Management (WS-Management)” service.
  3. Define the policy and give it a startup mode of Automatic.
  4. Browse to:
    Preferences > Control Panel Settings > Services
  5. Create a new Service preference item with the following parameters:
    1. General Tab
      1. Startup: No Change (the policy we set above will take precedence over this anyway)
      2. Service name: WinRM
      3. Service action (optional): Start service
    2. Recovery Tab
      1. First, Second, and Subsequent Failures: Restart the Service
 Whole article is here

Set powershell execution policy

Go to Computer configuration / Policies / Administrative templates: Policy definitons (ADMX files) / Windows components / Windows Powershell. Set "Turn on script execution" to "Allow all scripts". This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." !

Remote registry access enable

1. On a domain controller, Start > administrative tools > Group Policy Editor > Either edit an existing policy or create a new one (Remember its a computer policy you need to link it to something with computers in it, if you link it to a users OU nothing will happen).
2. Navigate to, Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
3. In the right hand pane locate "Remote Registry".
4. Define the policy, and set the startup type to automatic.
Article is from petenetlive.

Nincsenek megjegyzések:

Megjegyzés küldése