Configuring PowerShell remoting through GPO


I’m loving the way Microsoft is currently pushing PowerShell as THE go-to tool required to manage all your solutions.

I’m at a loss, however, as to why they don’t provide an out-of-the-box way to manage all of your workstations/servers through PowerShell.
Sure, you can head over to every machine and configure PowerShell using

However, I can understand that people have better things to do with their time [I sure do!].

This sounds like the ideal task for Group Policy Management, a central way to push configurations to all of your Computer Objects within Active Directory.
Using this solution you can ensure that all the required clients get the configuration you want them to have, without ever having to leave the comfort of your desk 🙂

Required Group Policy Objects [GPO]

In order to configure this correctly you will need to set the following configuration items within your GPO:

  1. Enable the Windows Remote Management [WinRM] service and set its startup mode to Automatic
  2. Add a Windows Firewall inbound rule allowing WS-Management traffic [TCP 5985, which is WinRM over HTTP; the HTTPS listener on 5986 is not created by this GPO]
  3. Configure the WinRM service to create its listener [“Allow remote server management through WinRM”]

Now personally I’ve added the following 2 steps to my “template” GPO in order to make my life a bit easier:

  • Configure the WinRM service to restart automatically on failure and to start immediately [I hate having to wait for restarts]
  • Set the script execution policy to RemoteSigned [this keeps users from running unsigned downloaded scripts by accident; it is not a security boundary, since any user can bypass it with -ExecutionPolicy Bypass]

Of course you can also do those things once you’ve gained access to all the machines, but this is a fire-and-forget thing and would be ideal if it’s automatically configured on each and every machine joined to the domain.

 

What to configure

Now that we know WHAT we want, the question becomes “How do we configure this?”

Using PowerShell

Since this is a blog primarily aimed at learning PowerShell, this will be the preferred way to create these policies.
The GroupPolicy module ships with Windows Server 2008 R2 and later [and with the Remote Server Administration Tools on client Windows].
Unfortunately the module does not cover everything: registry-based Administrative Template settings can be written with Set-GPRegistryValue, but the System Services entry, the firewall rule and the Services preference item still have to be set in the Group Policy Management Editor.

All other management tasks can be done through PowerShell, so we’ll do as much as we can through PowerShell.

  1. Load the Group Policy module in your PowerShell session
  2. Create a new GPO
  3. Link your GPO to the required Organizational Unit [OU]

Once this is done, continue with step #4 in Using the GUI for the remaining settings.
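As an added example [not the post’s own snippet], the three PowerShell steps above plus the Administrative Template settings that Set-GPRegistryValue can write, run from a management host with the GroupPolicy module. The GPO name, OU, management subnet and TrustedHosts value are assumptions; the registry paths are the ones the WinRM and PowerShell ADMX templates write to.

```powershell
# Added example (not the post's own snippet): create and link the remoting GPO
# and write the registry-backed settings from a management host that has the
# GroupPolicy module (Windows Server 2008 R2+ or RSAT). GPO name, OU, subnet
# and TrustedHosts value are assumptions; change them for your environment.
Import-Module GroupPolicy

$gpoName  = 'Settings - [C] - Enable-PSRemoting'
$targetOu = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU holding the computer objects
$mgmtNet  = '192.168.1.0/24'                       # assumed management subnet

# 1. Create the GPO, or reuse it if the script is run twice
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Enables WinRM / PowerShell remoting on domain members'
}

# 2. Link it to the OU (only once)
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 3. Administrative Template settings are plain registry policies, so they
#    can be written without opening the editor.
$svcKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$cliKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
$psKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# "Allow remote server management through WinRM": the service creates an HTTP
# listener on the addresses matching the filters ('*' = every address)
Set-GPRegistryValue -Name $gpoName -Key $svcKey -ValueName AllowAutoConfig -Type DWord  -Value 1   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $svcKey -ValueName IPv4Filter      -Type String -Value '*' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $svcKey -ValueName IPv6Filter      -Type String -Value '*' | Out-Null

# WinRM Client "Trusted Hosts". Only consulted for connections that cannot use
# Kerberos (NTLM/Basic, e.g. when connecting by IP address), so keep it narrow.
Set-GPRegistryValue -Name $gpoName -Key $cliKey -ValueName AllowTrustedHosts -Type DWord  -Value 1             | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $cliKey -ValueName TrustedHostsList  -Type String -Value '*.contoso.com' | Out-Null

# "Turn on Script Execution" = Allow local scripts and remote signed scripts
Set-GPRegistryValue -Name $gpoName -Key $psKey -ValueName EnableScripts   -Type DWord  -Value 1              | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $psKey -ValueName ExecutionPolicy -Type String -Value 'RemoteSigned' | Out-Null

# 4. Firewall rule, scoped to the domain profile and the management subnet
#    instead of "any address". Needs the NetSecurity module (Windows Server
#    2012 / Windows 8 or later); on older hosts add the rule in the editor.
if (Get-Module -ListAvailable -Name NetSecurity) {
    $store = "$env:USERDNSDOMAIN\$gpoName"    # PolicyStore format: <domain>\<GPO name>
    New-NetFirewallRule -PolicyStore $store -DisplayName 'WinRM HTTP-In (management subnet)' `
        -Direction Inbound -Protocol TCP -LocalPort 5985 -Profile Domain `
        -RemoteAddress $mgmtNet -Action Allow | Out-Null
}

# The System Services startup type (step 4.1) and the Services preference item
# (step 4.6) have no cmdlet in the GroupPolicy module; set those in the editor.
```

Scoping the inbound rule to the management subnet matters more than it looks: an unrestricted 5985 rule on every workstation gives any foothold on the network a remote shell wherever it can obtain valid credentials.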

Using the GUI

If you have a Windows Server 2008 machine or aren’t too comfortable with PowerShell yet, you can also use the GUI to create and set new Group Policy Objects.
This part of the guide will assume you know how to manage GPO’s and will only include the bare minimum information.

  1. Open the Group Policy Management console [gpmc.msc]
  2. Create a new Group Policy Object named Settings - [C] - Enable-PSRemoting
  3. Link the GPO to the correct OU, the one containing your computer objects.
  4. Now we’re at the same point as after the PowerShell commands; we need to edit our GPO and set the following:
    1. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services -> Windows Remote Management (WS-Management): define the policy setting and set the startup mode to Automatic
    2. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules -> New Rule: allow TCP port 5985 inbound [scope the rule to the Domain profile and to your management subnet rather than any remote address]
    3. Computer Configuration -> Policies -> Administrative Templates: Policy Definitions (ADMX) -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> Trusted Hosts: enable and fill in the TrustedHosts list [see the note at the end of this post]
    4. Computer Configuration -> Policies -> Administrative Templates: Policy Definitions (ADMX) -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> Allow remote server management through WinRM: enable; the IPv4/IPv6 filter * creates a listener on every address
    5. Computer Configuration -> Policies -> Administrative Templates: Policy Definitions (ADMX) -> Windows Components -> Windows PowerShell -> Turn on Script Execution: enable, Allow local scripts and remote signed scripts
    6. Computer Configuration -> Preferences -> Control Panel Settings -> Services -> New -> Service: service WinRM, startup Automatic, service action Start service, recovery Restart the service on failure

It’s as simple as that!

Wait for the GPO to propagate out to the machines and you should have access to the remote machines!
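Rather than waiting and hoping, you can check every computer in the OU from the management host. This is an added example, not part of the original post; it assumes the ActiveDirectory module, an OU name, and PowerShell 3.0 or later on the management host.

```powershell
# Added example (not from the post): after the refresh interval, check every
# computer in the OU from the management host. Assumes the ActiveDirectory
# module and an OU name; needs PowerShell 3.0 or later on the management host.
Import-Module ActiveDirectory

$targetOu = 'OU=Workstations,DC=contoso,DC=com'   # assumed

$report = foreach ($computer in Get-ADComputer -Filter * -SearchBase $targetOu) {
    $name = $computer.DNSHostName
    $row  = [ordered]@{ Computer = $name; Listener = 'no'; Service = ''; Policy = ''; Note = '' }
    try {
        # Unauthenticated WS-Management Identify request: proves the listener
        # exists and the firewall rule lets us reach TCP 5985
        $null = Test-WSMan -ComputerName $name -ErrorAction Stop
        $row.Listener = 'yes'

        # Kerberos-authenticated session: inspect the rest of what the GPO set
        $state = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"
            New-Object PSObject -Property @{
                StartMode = $svc.StartMode     # expect 'Auto'
                State     = $svc.State         # expect 'Running'
                Policy    = (Get-ExecutionPolicy -Scope MachinePolicy).ToString()
            }
        }
        $row.Service = "$($state.StartMode)/$($state.State)"
        $row.Policy  = $state.Policy           # 'RemoteSigned' once the GPO applied, 'Undefined' otherwise
    }
    catch {
        $row.Note = $_.Exception.Message
    }
    New-Object PSObject -Property $row
}

$report | Format-Table -AutoSize

# A computer without a listener either has not refreshed yet, sits outside
# the linked OU, or is blocked by the firewall. Force a refresh with
# Invoke-GPUpdate -Computer <name> -Target Computer (Windows Server 2012 /
# Windows 8 and later), or run gpupdate /force on the client, then re-run this.
```

The first check is deliberately unauthenticated, so a failure there is a network, firewall or listener problem; a failure only in the second step points at authentication or at the execution policy and service settings not having applied yet.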

If, like me, you have multiple customers and prefer to keep one template GPO that you export/import into various environments, be sure to change the TrustedHosts entry from your domain name to something like * or, more secure, your management subnet [192.168.1.*]. Keep in mind what that list does: it names the hosts to which the WinRM client will send NTLM or Basic credentials when Kerberos mutual authentication is not available [for example when you connect by IP address]. Inside the domain Kerberos is used and the list is not consulted at all, while * means the client will hand its credentials to whatever answers at the address you typed, which makes credential capture or relay by a rogue host trivial. Use the narrowest list that still covers the hosts you actually manage that way.

 

Happy Scripting! 🙂

 

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Importing users from Active Directory into Office 365

Today I ran into an issue where I had to quickly import x amount of users into an empty trial tenant from Office 365 in order to prepare the future mail migration.

Because I’m trying to get everything running through PowerShell, I thought this would be a nice moment to document everything for future use and for other people to see how it’s done [or give tips 😉 ]

Getting user information from Active Directory

First of all I had to get the current user information from Active Directory in a format that I can use in Office 365.

So we start up PowerShell on the Windows 2008R2 Standard server and get all the details I need:

Now this would give me all the users in the entire domain, something I’m not quite looking for.

So in order to narrow it down, I’ll just query all the users in a specific OU using the SearchBase parameter:

This is better; however, now I notice that in my case I have some sub-OUs with disabled/template users.
Again, I’d like to narrow it down to ONLY the users directly in the specific OU, with no recursion into sub-OUs.
For this I will need to further define my query using SearchScope [OneLevel instead of the default Subtree]:

This gives me all the results I would like to have, but maybe a bit too much detail for me to export.

In order to see what properties I’d like to export, I need to know what properties I would like to import on the Office 365 side of things:

    • FirstName
    • LastName
    • DisplayName
    • UserPrincipalName
    • UsageLocation

I can’t get all of those properties from my current AD query [UsageLocation does not exist in AD], but those that I’m able to get, I can provide in the format I would like them to be in.

The details I can get from AD are

    • FirstName = GivenName
    • LastName = Surname
    • DisplayName = Name
    • UserPrincipalName = EmailAddress [the mail attribute, which Get-ADUser only returns when explicitly requested]

Using the -Properties parameter we can get the users’ email address, and using Select-Object with calculated properties we output the information under the names Office 365 expects:

Presto-chango!

I can now export this information to a csv file:
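The complete pipeline from the steps above, as an added example [not the post’s own snippet]: the search base and output path are assumptions, and it adds the two checks a migration usually trips over, accounts with empty attributes and mail domains that still need to be verified in the tenant.

```powershell
# Added example (not the post's own snippet): the query-and-export pipeline
# described above. Search base and output path are assumptions.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,OU=Contoso,DC=contoso,DC=com'   # assumed OU
$csvPath    = 'C:\Temp\o365-users.csv'                  # assumed output file

# -SearchScope OneLevel: only objects directly in the OU, no sub-OUs with
# disabled or template accounts. EmailAddress is not returned by default, so
# it has to be requested with -Properties.
$users = Get-ADUser -Filter * -SearchBase $searchBase -SearchScope OneLevel -Properties EmailAddress |
    Select-Object @{ Name = 'FirstName';         Expression = { $_.GivenName } },
                  @{ Name = 'LastName';          Expression = { $_.Surname } },
                  @{ Name = 'DisplayName';       Expression = { $_.Name } },
                  @{ Name = 'UserPrincipalName'; Expression = { $_.EmailAddress } }

# New-MsolUser fails on any empty mandatory field, so separate the incomplete
# accounts before exporting instead of discovering them half-way through the import
$complete   = @($users | Where-Object { $_.FirstName -and $_.LastName -and $_.DisplayName -and $_.UserPrincipalName })
$incomplete = @($users | Where-Object { -not ($_.FirstName -and $_.LastName -and $_.DisplayName -and $_.UserPrincipalName) })

if ($incomplete.Count -gt 0) {
    Write-Warning "$($incomplete.Count) account(s) have missing attributes and are not exported:"
    $incomplete | Format-Table -AutoSize | Out-String | Write-Warning
}

# The mail domains that become UPN suffixes; each one must be a verified
# (accepted) domain in the tenant before the import, or New-MsolUser rejects it
$complete | ForEach-Object { ($_.UserPrincipalName -split '@')[-1] } | Sort-Object -Unique |
    ForEach-Object { Write-Host "UPN suffix to verify in the tenant: $_" }

$complete | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
```

The export contains personal data for every user, so treat the CSV like any other migration artifact: keep it off shared drives and remove it once the import is done.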

 

Creating Office 365 users based on exported Active Directory data

Now that we’ve exported our required data, we can simply import this data into our Office 365 tenant account.

Using the Connect-O365 function which I’ve created in the Connect to Office 365 using PowerShell post, you can easily perform bulk operations like this:

Once connected, we will need to collect/set some default data required for our bulk user import:

Change the UsageLocation according to your requirements.

Now we’ve got all the information we need to create our new user accounts!

There we go, all the users are imported in your tenant!
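As an added example [not the post’s own snippet], the bulk creation described in this section, written so that a second run after a partial failure does not error out on the accounts that already exist. Connect-O365 is the function from the Connect to Office 365 using PowerShell post; the file paths and the UsageLocation value are assumptions.

```powershell
# Added example (not the post's own snippet): bulk-create the exported accounts.
# Connect-O365 is the function from the "Connect to Office 365 using PowerShell"
# post; file paths and UsageLocation are assumptions.
$csvPath       = 'C:\Temp\o365-users.csv'              # exported in the previous section
$resultPath    = 'C:\Temp\o365-import-result.csv'      # will contain the initial passwords: protect it
$usageLocation = 'NL'                                   # ISO 3166-1 alpha-2 code, change as required

Connect-O365

# Verified domains in the tenant; a UPN in any other domain is rejected by New-MsolUser
$verifiedDomains = @(Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object { $_.Name })

$results = foreach ($u in Import-Csv -Path $csvPath) {
    $upn    = $u.UserPrincipalName
    $suffix = ($upn -split '@')[-1]
    $out    = [ordered]@{ UserPrincipalName = $upn; Status = ''; InitialPassword = '' }

    if ($verifiedDomains -notcontains $suffix) {
        $out.Status = "skipped: $suffix is not a verified domain in this tenant"
    }
    elseif (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
        $out.Status = 'skipped: already exists'      # makes a re-run after a partial import safe
    }
    else {
        try {
            # No -Password: the service generates one and returns it in the output object
            $new = New-MsolUser -UserPrincipalName $upn -DisplayName $u.DisplayName `
                                -FirstName $u.FirstName -LastName $u.LastName `
                                -UsageLocation $usageLocation -ForceChangePassword $true -ErrorAction Stop
            $out.Status          = 'created'
            $out.InitialPassword = $new.Password
        }
        catch {
            $out.Status = "failed: $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property $out
}

# Show only the status on screen; keep the passwords out of the console and
# any transcript, write them to a file only the migration team can read, and
# delete it once the users have signed in and been forced to change them
$results | Select-Object UserPrincipalName, Status | Format-Table -AutoSize
$results | Export-Csv -Path $resultPath -NoTypeInformation -Encoding UTF8
```

The two skip branches correspond to the two tips below: an unverified domain and incomplete AD data are the usual causes of a failed New-MsolUser call, and checking for them up front keeps the failures readable in the result file.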

Some tips in case you’re running into errors:

    • Be sure to have the email address domain configured in your Office 365 tenant as an accepted domain!
    • Be sure to have all your AD information filled in!

The created accounts get automatically generated passwords. New-MsolUser returns each one in its output object, so capture that output somewhere protected rather than leaving it in a console transcript, and keep the default that forces the user to change it at first sign-in. Then you’re good to go 🙂


Connect to Office 365 using PowerShell

In order to manage your Office 365 tenant(s) using PowerShell, there are some pre-requisites required.

      1. Ensure you are running Windows 8.1, Windows 8, or Windows 7.
      2. Make sure you have the .NET Framework 3.51 feature [enabled by default on Windows 8 and up]
      3. Make sure you have the latest updates. It is important to run this after you install .NET Framework 3.51, so you get updates for that in addition to updates for your operating system.
      4. Install the Microsoft Online Services Sign-In assistant. Even though the link provided should work, you should always look up the latest version [see next link].
      5. Install the Windows Azure Active Directory (Azure AD) module for the appropriate version of your operating system.

Once these requirements are installed, you can continue to connect to your tenant using the following function:
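The post’s own function is not reproduced here; the following is an added example of a Connect-O365 that does what the text describes, the MSOnline sign-in plus an Exchange Online remote session imported into the caller’s scope. It assumes the prerequisites above are installed. Note that Microsoft has since retired the Basic-authentication remote PowerShell endpoint and deprecated the MSOnline module; current equivalents are the ExchangeOnlineManagement module’s Connect-ExchangeOnline and the Microsoft Graph PowerShell SDK, so the function below documents the 2015-era flow this post is about.

```powershell
# Added example (not the post's own function): a Connect-O365 that opens both
# the MSOnline (Azure AD) connection and an Exchange Online session. Assumes
# the prerequisites listed above. The Basic-authentication endpoint and the
# MSOnline module used here have since been retired by Microsoft.
function Connect-O365 {
    [CmdletBinding()]
    param(
        # Prompt interactively; pass -Credential for scripted use, never a
        # plaintext password inside the script
        [System.Management.Automation.PSCredential]
        $Credential = (Get-Credential -Message 'Office 365 tenant administrator')
    )

    Import-Module MSOnline -ErrorAction Stop

    # Azure AD side: users, domains, licences (Get-MsolUser, New-MsolUser, ...)
    Connect-MsolService -Credential $Credential -ErrorAction Stop

    # Exchange Online side: implicit remoting of the mailbox cmdlets
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $Credential -Authentication Basic -AllowRedirection -ErrorAction Stop

    # Import-PSSession inside a function only imports into the function's own
    # scope; wrapping it in Import-Module -Global exposes the cmdlets to the caller
    Import-Module (Import-PSSession $session -DisableNameChecking -AllowClobber) -Global

    # Keep the handle so the session can be closed cleanly; tenants cap the
    # number of concurrent remote PowerShell sessions per account
    $global:O365Session = $session
    Write-Verbose "Connected to tenant of $($Credential.UserName)"
}

function Disconnect-O365 {
    if ($global:O365Session) {
        Remove-PSSession $global:O365Session
        Remove-Variable -Name O365Session -Scope Global
    }
}

# Usage:
#   Connect-O365          # prompts for credentials
#   Get-MsolUser | Select-Object UserPrincipalName, IsLicensed
#   Get-Mailbox           # Exchange Online cmdlet made available by the session
#   Disconnect-O365
```

Always call Disconnect-O365 [or Remove-PSSession] when you are done; abandoned sessions count against the per-account session limit until they time out, and a long-lived session on a shared jump host is a credential-bearing handle anyone on that host can reuse.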

 

 

This will set up a connection with your Office 365 tenant and will also connect to the Exchange configuration so you can easily access mail configuration for your tenant.

Happy scripting!

 

 

Facebooktwittergoogle_plusredditpinterestlinkedinmail