I’m loving the way Microsoft is currently pushing PowerShell as THE go-to tool required to manage all your solutions.
I’m at a loss, however, as to why they aren’t providing out-of-the-box solutions so that you can manage all of your workstations and servers through PowerShell.
Sure, you can head over to every machine and configure PowerShell using
However, I can understand that people have better things to do with their time [I sure do!].
This sounds like the ideal task for Group Policy Management, a central way to push configurations to all of your Computer Objects within Active Directory.
Using this solution you can ensure that all the required clients will get the configuration that you want them to have, without ever having to leave the comfort of your desk 🙂
In order to configure this correctly you will need to set the following configuration items within your GPO:
- Enable the Windows Remote Management [WinRM] service and set its startup mode to Automatic
- Configure the Windows Firewall to allow inbound WS-Man traffic [TCP 5985]
- Configure the WinRM service listeners
Personally, I’ve added the following two steps to my “template” GPO in order to make my life a bit easier:
- Configure the WinRM service to restart automatically on failure and to start immediately [I hate having to wait for restarts]
- Set the Script Execution Policy to RemoteSigned
Of course, you can also do those things once you’ve gained access to all the machines, but this is a fire-and-forget thing and it would be ideal if it were configured automatically on each and every machine joined to the domain.
Now that we know WHAT we want, the question becomes “How do we configure this?”
## Using PowerShell
Since this is a blog primarily aimed at learning PowerShell, this will be the preferred way to create these policies.
This is currently supported on Windows Server 2008 R2 and later.
Unfortunately, currently you can only modify a GPO’s settings through the GUI.
All other management tasks can be done through PowerShell, so we’ll do as much as we can through PowerShell.
1. Load the Group Policy module in your PowerShell session

```powershell
Import-Module -Name GroupPolicy
```

2. Create a new GPO

```powershell
New-GPO -Name 'Settings - [C] - Enable-PSRemoting' -Comment 'This GPO enables and configures PowerShell remoting and all requirements on Computer Objects'
```
3. Link your GPO to the required Organizational Unit [OU]

```powershell
New-GPLink -Name 'Settings - [C] - Enable-PSRemoting' -Target 'OU=Computers,OU=Company,DC=Contoso,DC=COM'
```
Once this is done, you can skip to step #4 in **Using the GUI**.
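The three Administrative Templates items (Trusted Hosts, Allow remote server management through WinRM, Turn on Script Execution) are registry-backed policy values, so they can be written into the GPO with Set-GPRegistryValue from the same GroupPolicy module; the System Services startup type, the firewall rule and the Preferences service item are not registry policies and still need the editor. This is an added example, not code from the original post; the OU, domain and TrustedHosts values are placeholders.

```powershell
# Added example (not from the original post): create and link the GPO, then set
# the three registry-backed Administrative Templates items with Set-GPRegistryValue.
# Assumes the GroupPolicy module (RSAT / Windows Server 2008 R2 or later), a domain
# admin session, and the placeholder OU / domain names below.
Import-Module -Name GroupPolicy

$GpoName  = 'Settings - [C] - Enable-PSRemoting'
$TargetOU = 'OU=Computers,OU=Company,DC=Contoso,DC=COM'   # placeholder OU

# Reuse the GPO if it already exists, otherwise create and link it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Enables and configures PowerShell remoting on Computer Objects'
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# "Allow remote server management through WinRM" (WinRM Service).
# The IPv4/IPv6 filters control which local addresses WinRM may listen on; '*' = all.
$svc = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
Set-GPRegistryValue -Name $GpoName -Key $svc -ValueName 'AllowAutoConfig' -Type DWord  -Value 1   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $svc -ValueName 'IPv4Filter'      -Type String -Value '*' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $svc -ValueName 'IPv6Filter'      -Type String -Value '*' | Out-Null

# "Trusted Hosts" (WinRM Client). Only consulted for non-Kerberos connections
# (IP addresses, workgroup hosts); domain-joined clients talking to domain hosts
# use Kerberos and never touch this list. Keep it as narrow as the environment
# allows: '*' lets the client send credentials to any host it is pointed at.
$cli = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
Set-GPRegistryValue -Name $GpoName -Key $cli -ValueName 'AllowTrustedHosts' -Type DWord  -Value 1             | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $cli -ValueName 'TrustedHostsList'  -Type String -Value '*.contoso.com' | Out-Null

# "Turn on Script Execution" (Windows PowerShell) set to RemoteSigned.
$ps = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-GPRegistryValue -Name $GpoName -Key $ps -ValueName 'EnableScripts'   -Type DWord  -Value 1              | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ps -ValueName 'ExecutionPolicy' -Type String -Value 'RemoteSigned' | Out-Null

# Read the values back so the GPO can be reviewed before clients pick it up.
Get-GPRegistryValue -Name $GpoName -Key $svc
Get-GPRegistryValue -Name $GpoName -Key $cli
Get-GPRegistryValue -Name $GpoName -Key $ps
```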
## Using the GUI
If you have a Windows 2008 Server or aren't too comfortable with PowerShell yet, you can also use the GUI to create and set new Group Policy Objects.
This part of the guide will assume you know how to manage GPOs and will only include the bare minimum of information.
1. Open the Group Policy Management console [gpmc.msc]
2. Create a new Group Policy Object named **Settings - [C] - Enable-PSRemoting**
3. Link the GPO to the correct OU, containing your computer objects.
4. Now we're at the same point as with the PowerShell commands: we need to edit our GPO and configure the following items:
    1. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services -> Windows Remote Management (WS-Management)
    2. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules -> New Rule
    3. Computer Configuration -> Policies -> Administrative Templates: Policy Definitions (ADMX) -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> Trusted Hosts
    4. Computer Configuration -> Policies -> Administrative Templates: Policy Definitions (ADMX) -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> Allow remote server management through WinRM
    5. Computer Configuration -> Policies -> Administrative Templates: Policy Definitions (ADMX) -> Windows Components -> Windows PowerShell -> Turn on Script Execution
    6. Computer Configuration -> Preferences -> Control Panel Settings -> Services -> New -> Service
It's as simple as that!
Wait for the GPO to propagate out to the machines and you should have access to the remote machines!
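Rather than waiting to find out whether remoting works, the following added check (not part of the original post) can be run on a client after a `gpupdate /force` to confirm each item the GPO is meant to deliver. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets, and `SERVER01` is a placeholder for another machine in the same OU.

```powershell
# Added example (not from the original post): verify, on a client, that every
# setting from the GPO actually arrived and that remoting works end to end.
# Assumes Windows 8 / Server 2012 or later (Get-NetFirewallRule).
$Peer = 'SERVER01'   # placeholder: another domain-joined machine in the same OU

$checks = [ordered]@{}

# 1. WinRM service running and set to start automatically
$svc = Get-CimInstance Win32_Service -Filter "Name='WinRM'"
$checks['WinRM running/automatic'] = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')

# 2. An enabled inbound allow rule covers TCP 5985
$fw = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
      Get-NetFirewallPortFilter |
      Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '5985' }
$checks['Firewall TCP 5985 open'] = [bool]$fw

# 3. An HTTP listener exists (created by the "Allow remote server management" policy)
$listener = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTP' }
$checks['HTTP listener present'] = [bool]$listener

# 4. Execution policy comes from machine policy, not just a local setting
$pol = (Get-ExecutionPolicy -List | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
$checks['MachinePolicy = RemoteSigned'] = ($pol -eq 'RemoteSigned')

# 5. TrustedHosts as delivered by policy; review this value, a '*' here means
#    the client will hand credentials to any non-Kerberos host it connects to
$checks['TrustedHosts'] = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# 6. End to end: WS-Man reachable on a peer and a remote command completes
$checks['Test-WSMan peer'] = [bool](Test-WSMan -ComputerName $Peer -ErrorAction SilentlyContinue)
$remoteName = Invoke-Command -ComputerName $Peer -ScriptBlock { $env:COMPUTERNAME } -ErrorAction SilentlyContinue
$checks['Invoke-Command peer'] = ($remoteName -eq $Peer)

$checks.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```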
If, like me, you have multiple customers and would prefer to make one template GPO which you can export/import into various environments, be sure to change the TrustedHosts value from your domain name to something like \* or, more securely, your subnet [192.168.1.\*].
Happy Scripting! 🙂