Tag: PowerShell

Last updated by at .

Windows Users with PowerShell

Manage Local Windows User with PowerShell

Awhile ago Microsoft added a new PowerShell module to manage local Windows user accounts. This post should quickly show you how easily you can for example use PowerShell to create a new Windows User account, remove a Windows user account or modify windows users and groups with PowerShell.

List Windows User accounts with PowerShell

The most simple one is obviously to list Windows users or groups, using the PowerShell Get- commands.

List all local Windows Users:

List all local Windows Groups:

Create new Windows User account using PowerShell

There are three different account types you can add to Windows 10:

The following part describes how you can add them to your Windows system using PowerShell

To create a new Windows User account you can simply use the following command:

If you want to see that password you can also use this method, to create a new Windows User:

Create a new Windows User account connected to a Microsoft Account using PowerShell

With Windows 10 you have the opportunity to login using Microsoft Accounts, for example with outlook.com or hotmail.com email aliases. For that you can use the folloing command to create a new Windows User connected to a Microsoft Account. In this case you will not need to configure a password for the account, since this is connected to the Microsoft Account.

You can also add Azure Active Directory (Azure AD) accounts if your business is for example using Office 365. The following command adds an Azure AD account to the local Windows Users:

Remove Windows User account using PowerShell

You can also simply remove user accounts from Windows using PowerShell. The following command will delete the account:

Change password of a Windows User account using PowerShell

To change the password of a local Windows User account, you can use the Set-LocalUser cmdlet. This also has some other options as well, but one of the most common ones is to reset the password.

Rename a Windows User account using PowerShell

To rename a Windows User account with PowerShell, you can use the following command:

Add Windows User account to group using PowerShell

This command for example adds users to the Windows Administrator group:

I hope this gives you a quick overview how you can manage local Windows User accounts using PowerShell.



Inked Azure Security Center Just in time VM access_LI

Azure – Just in Time VM access

If you run virtual machines with public IP address connected to the internet, attackers immediately try to run attacks against it. Brute force attacks commonly target management ports, like RDP or SSH, to gain access to a VM. If the attacker is successful, he can take control over the VM and access other resources in the environment. To address that issue it is highly recommended to reduce the ports open, especially for the management ports. However, sometimes you will need to open to ports for some of the virtual machines for management tasks. Microsoft Azure has a simple way to address this issue, called Just in time virtual machine (VM) access. Just in time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

How does Azure Just in Time VM Access work

In the Azure Security Center you can enable just in time VM access, this will create a Network Security Rule (NSG) to lock down inbound traffic to the Azure VM. During the initial JIT VM access configuration, you will be configuring the ports specified, which will be managed by Azure Security Center, these ports will be locked down by the Azure Security Center using an NSGs.

Configure Azure just in time VM access

Inked Configure Just in time VM access_LI

Azure JIT VM access is configured in the Azure Security Center. To configure and enable JIT on a virtual machine open up the Azure Security Center and click on Just in time VM access.

Here you will find three states, Configured, Recommended and No recommendation.

  • Configured – VMs that have been configured to support just in time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
  • Recommended – VMs that can support just in time VM access but have not been configured to. We recommend that you enable just in time VM access control for these VMs. See Configuring a just in time access policy.
  • No recommendation – Reasons that can cause a VM not to be recommended are:
    • Missing NSG – The just in time solution requires an NSG to be in place.
    • Classic VM – Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just in time solution.
    • Other – A VM is in this category if the just in time solution is turned off in the security policy of the subscription or the resource group, or that the VM is missing a public IP and doesn’t have an NSG in place.

To configure you click on Recommended and select the Virtual Machine, for which you want to enable JIT.

Click on Enable JIT on VMs and configure the ports which should be managed by Just in time VM Access. Just in time VM access will recommend some default ports like RDP, SSH and PowerShell Remoting. You can also add other ports to the virtual machine if you want or need to.

Requesting Just in time VM Access for Azure Virtual Machine

Request Just in time VM access

On the Configured section, you can select the VM you want to request access to and click on Request access. You can now select the ports you want to be open for a specific time and a specific IP address. This will open up the ports and after 2-3 minutes you will be able to access the virtual machine.

To send such a request, the user which requests access to the Virtual Machine needs to have write access to the virtual machines in the Azure Role-Based Access Control (RBAC).

Auditing Azure just in time VM access activity

Of course all the request get logged and can be reviewed in the Activity Log.

Licensing of Azure just in time VM access

Azure just in time VM access is licensed over Azure Security Center and needs the Standard Tier to be enabled for the specific virtual machine.

I hope this gives you an idea how you can leverage Just in time VM access in Azure for your workloads.



OpenSSH Server on Windows Server

Install OpenSSH Server on Windows Server

Back in 2017 Microsoft made OpenSSH available on Windows 10. Shorty after OpenSSH was also available for Windows Server, version 1709. This blog post should give you a simple step by step guy how you install OpenSSH Server on Windows Server. OpenSSH is available for Windows Server, version 1709 and higher. If you are running Windows Server 2016, and you want to stay in the long-term servicing branch, you will need to wait for the next Windows Server LTSC build.

Install OpenSSH Server on Windows Server

If you are running a Windows Server 1709 or higher, you can simply use PowerShell to install the OpenSSH Client and Server.

OpenSSH on Windows Server

You can use the following PowerShell commands to install the OpenSSH Server on Windows Server.

After the installation you can find the OpenSSH Server files and some more configuration options under “C:\Windows\System32\OpenSSH”

Next you need to configure the OpenSSH Server (sshd)

To enable authentication into an SSH server on Windows, you first have to generate host keys and repair the ACL on the host keys.

Configure OpenSSH Server on Windows

To configure the OpenSSH Server on Windows Server, just run the following PowerShell commands:

Now you should be able to access your Windows Server using an SSH client.

OpenSSH Server on Windows Server

Remember if you run your server in Microsoft Azure, you might also need to configure the Network Security Group to allow SSH Remoting on port 22.



Experts Live Netherlands 2018 Thomas Maurer

Speaking at Experts Live Netherlands 2018 in Ede

After speaking at Experts Live Netherlands in the past, I am happy to announce that I will be speaking at the Experts Live Netherlands 2018 Conference. Experts Live Netherlands 2018 will take place at 19 June 2018 in Ede. I have great professional and personal memories from the latest Experts Live Netherlands conference and it is always a huge honor to speak at a such a great event. I am also happy to be back in the Netherlands for a couple of days.

Experts Live

In my session, I will present about the latest Windows Server innovation in the Windows Server SAC releases as well as the next Windows Server 2019.

My Name is Server, Windows Server

In Fall 2017 Microsoft has updated Windows Server to the next Semi-Annual Channel release with new features and improvements and Microsoft will now release new SAC and LTSC releases. Join this session for the best of Windows Server, learn how the new Servicing Model of Windows Server works and what does it mean to use SAC or LTSC releases, and what new improvement and features Microsoft offers in the latest releases such as 1709, 1803 and Windows Server 2019. You’ll get an overview about the new, exciting improvements that are in Windows Server and how they’ll improve your day-to-day job.   In this presentation Thomas Maurer (Microsoft MVP) will guide you through the highly anticipated innovations in Windows Server 2019 and the Semi-Annual Channel including: · Windows Server Containers · Hyper-V features · Nano Server · Storage · Networking · Security · Windows Server Containers And more!

I really hope to see you there!

 



Windows 10 RSAT Feature on Demand

Windows 10 RSAT Feature on Demand

Microsoft just released a new Windows 10 Insider build (Build 17682), with a lot of improvements. However, a great new feature for IT Pros is that RSAT (Remote Server Administration Tools for Windows 10) is now a feature on demand. You can now go to Windows Settings, Optional Features and select add features, where you then will see the different Remote Server Administration Tools for Windows 10.

This means IT Pros do not need to manually download the RSAT tools to upgrade. This will safe most of us a lot of time.

What is RSAT

Remote Server Administration Tools for Windows 10 lets IT administrators manage Windows Server from a remote computer running the full release version of Windows 10.

How to Install RSAT

Install Windows 10 RSAT using PowerShell

As mentioned you can use the Windows 10 Settings and add the feature using the UI, but you are also available using PowerShell.

This feature is currently only available in the Windows 10 Insider builds and is likely to be rolled out to everyone with Windows 10 1809 later this year.



Azure Stack Azure Cloud Shell

Connect to Azure Stack from Azure Cloud Shell

A little while ago Microsoft announced the Azure Cloud Shell. The Azure Cloud Shell is a perfect tool to manage your Azure resources using the Azure CLI or Azure PowerShell. Wouldn’t it be great to also manage your resources running on Azure Stack? Thanks to the consistency between Microsoft Azure and Microsoft Azure Stack, you can use the same tools to manage your hybrid cloud.

First of all login to your Azure Cloud Shell on shell.azure.com or in the Azure Portal.

Azure Cloud Shell

After the login you have to register Azure Stack as a new cloud by running the following command:

Azure Stack Cloud List Azure CLI

Now you can list the new Azure Stack cloud by using:

To switch to the Azure Stack Cloud use the following command:

If you are doing this the first time and you use another account you can use az login to login.

One thing you should do is to switch the profile version to an Azure Stack compatible version

Azure Cloud Shell Azure Stack

Now you can start using the Azure CLI in the Azure Cloud Shell to manage your Azure Stack. First of all yes this works also if you just use the Azure CLI. In the case of the Azure Cloud Shell the Azure Stack needs to be accessible from the internet. If your Azure Stack is not accessible from the internet, you can just use the Azure CLI directly from your management machine.

Azure Stack Cloud Shell Visual Studio Code

Fun Fact, since you an also run the Azure Cloud Shell directly in Visual Studio Code, you can also just open up the shell session and start working from Visual Studio Code.

 

 

 



Ubuntu on Windows Server using WSL

Install Windows Subsystem for Linux on Windows Server

In 2017 Microsoft made it possible to run different Linux distribution on Windows 10, using a feature called the “Windows Subsystem for Linux“. With the latest official Semi-Annual Channel Windows Server release called Windows Server, version 1709 Microsoft also allowed to run the Windows Subsystem for Linux (WSL) on Windows Server. With the next release of Windows Server called Windows Server, version 1803, Microsoft will also add some improvements to the Windows Subsystem on Linux, which also apply to Windows 10 as well as Windows Server. This blog post shows you how you can do this.

First you have a Windows Server, version 1709 running. After that enable the Microsoft Windows Subsystem for Linux feature, running the following command (This will need a reboot)

You can download the appx packages for you favorite Linux distribution, this can be today:

  • Ubuntu
  • OpenSUSE
  • Suse Linux Enterprise Server

If you are running on Windows Server Core (which is highly likely), you can use the following command to download the Linux distributions.

You can then unpack the file:

Now you can open that folder and run the installer for example ubuntu.exe. The first time this will do the setup where you also define the UNIX username and password as well as the root password.

WSL on Windows Server

After that you can run updates for your distro and you can start using Linux.

If you want to know more about the WSL, check out the Microsoft Documentation: Windows Subsystem for Linux Documentation and have a look at my WSL post in for Windows 10: Crazy times – You can now run Linux on Windows 10 from the Windows Store