PowerShell for Windows 10, Hyper-V & Windows Server

June 9, 2025June 10, 2025

Manually installing Ubuntu 24.04.x on WSL on Windows 11 without using the Microsoft Store

#Installing Ubuntu 24.04.x on WSL on Windows 11

#These two items are the minimum install:

dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart

dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart

dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart

dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart

#If you want bridged networking then you also have to install Hyper-V so you can create a bridged virtual switch.

dism.exe /online /enable-feature /all /featurename:Microsoft-Hyper-V

1	dism.exe /online /enable-feature /all /featurename:Microsoft-Hyper-V

#Reboot

Update WSL:

wsl --update

1	wsl --update

#Other wsl.exe options include:

#Specify the Linux distribution to install. You can find available distributions by running wsl --list --online.
--distribution
#Install the Linux distribution but do not launch it automatically.
--no-launch

#Install from an online source rather than using the Microsoft Store.
--web-download

#When WSL is not installed options include:

#Installs WSL using the Windows component instead of using the Microsoft Store. (WSL updates will be received via Windows updates, rather than pushed out as-available via the store).
--inbox

#Enables WSL 1 during the install of the Microsoft Store version of WSL by also enabling the "Windows Subsystem for Linux" optional component.
--enable-wsl1

#Do not install a distribution when installing WSL.
--no-distribution

#Specify the Linux distribution to install. You can find available distributions by running wsl --list --online.

--distribution

#Install the Linux distribution but do not launch it automatically.

--no-launch

#Install from an online source rather than using the Microsoft Store.

--web-download

#When WSL is not installed options include:

#Installs WSL using the Windows component instead of using the Microsoft Store. (WSL updates will be received via Windows updates, rather than pushed out as-available via the store).

--inbox

#Enables WSL 1 during the install of the Microsoft Store version of WSL by also enabling the "Windows Subsystem for Linux" optional component.

--enable-wsl1

#Do not install a distribution when installing WSL.

--no-distribution

#Installing WSL with a Custom Tarball

When the Microsoft Store is disabled, you can manually install WSL by downloading a custom tarball. In my case, I have downloaded ubuntu-noble-wsl-amd64-wsl.rootfs.tar.gz from the Ubuntu Cloud WSL Image page. This tarball contains the root filesystem for Ubuntu, which you can use to manually set up WSL without needing the Store.

#Download the WSL image you need from the link below:

https://cloud-images.ubuntu.com/wsl #Look for Noble folders

#Then run the command below from and elevated command prompt:

wsl --import Ubuntu24 Z:\WSL\Ubuntu24.04 c:\users\username\download\ubuntu-noble-wsl-amd64-wsl.rootfs.tar.gz --version 2

1	wsl --import Ubuntu24 Z:\WSL\Ubuntu24.04 c:\users\username\download\ubuntu-noble-wsl-amd64-wsl.rootfs.tar.gz --version 2

A few things to note:

- - To use WSL without the Microsoft Store, for me, Developer Mode needed to be enabled on my Windows system. This had to be done through Microsoft Intune by duplicating and assigning a policy that allows Developer Mode. Please be sure that installing WSL is approved by your IT department before installing if you are on a computer that you use for work purposes.
  - You will initially be logged in as root and this is not meant to be your primary user, at all. Many things only run as root and many more will not run as root. You do not want to leave this, as is, even in a non-production environment.

#This is the version that is current for me now but there are updates so keep reading.

Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.6.87.1-microsoft-standard-WSL2 x86_64)

1	Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.6.87.1-microsoft-standard-WSL2 x86_64)

#Set WSL distribution’s virtual disk is set to be sparse:

#This will allow the virtual disk to automatically shrink when files are removed from the distribution

wsl --manage Ubuntu24 --set-sparse true

1	wsl --manage Ubuntu24 --set-sparse true

#Another way to manually set a WSL installation to sparse

#Add sparseVhd=true to the [wsl2] section of your .wslconfig file. The .wslconfig file doesn’t already exist most likely. It is located in windows in your home directory usually located at c:\users\username\.wslconfig

#It is not common for a windows file name to begin with a . but that is not a typo. . is the identifier for hidden files in Linux.

#Now manually imported Linux distributions do not automatically read .wslconfig files so you also need to download wsldl.exe and set that up to launch with as described later on in this post.

#To use the `wsldl.exe` launcher with your imported WSL distribution and enable it to utilize the `.wslconfig` file, follow these steps:

#Steps to Configure `wsldl.exe`

Download wsldl.exe: Ensure you have the latest version of wsldl.exe from the official wsldl repository .
Prepare Your Directory:
- Create a folder where you want to store your distribution.
- Place the downloaded wsldl.exe in this folder and rename it to the desired name for your distribution (e.g., MyDistro.exe) .
Add Your Root Filesystem:
- Place your exported root filesystem tar file (e.g., rootfs.tar.gz) in the same directory as wsldl.exe. Ensure that the tar file is named correctly as rootfs.tar.gz .
Run the Launcher:
- Right-click on the renamed wsldl.exe (e.g., MyDistro.exe) and select “Run as administrator.” This step is crucial for proper registration and functionality .
Configure .wslconfig:
- Create or edit a .wslconfig file in your Windows user directory (usually located at C:\Users\<YourUsername>\.wslconfig). This file allows you to set various WSL configurations, such as memory limits and processor settings.
- Example content for .wslconfig:
  
  text
  
  [wsl2] memory=4GB processors=2
Launch Your Distribution:
- After running the launcher, you can access your distribution via the command line using its name (e.g., MyDistro). This will allow it to recognize and utilize settings specified in .wslconfig .

#Your imported WSL distribution should now work with the wsldl.exe launcher and respect the configurations set in your.wslconfig file.

#Change the default user for a distribution using wsldl.exe

Ubuntu24.exe config --default-user username

1	Ubuntu24.exe config --default-user username

#Change the default user username for your distribution log-in. The user has to already exist inside the distribution in order to become the default user.

#For example: Ubuntu config --default-user johndoe would change the default user for the WSL instance called “Ubuntu” to the “johndoe” user.

#Note:

#If you are having trouble figuring out the name of your distribution, use the command wsl -l.

#Warning:

#This command will not work for imported distributions, because these distributions do not have an executable launcher. You can instead change the default user for imported distributions using the /etc/wsl.conf file. See the Automount options in the Advanced Settings Configuration doc.

#Update and configure Ubuntu 24.04.x LTS on Windows 11 WSL

#Run update for the first time to initialize apt

sudo apt update

1	sudo apt update

#Install the necessary packages that allow apt to use packages over HTTPS:

sudo apt install apt-transport-https ca-certificates curl software-properties-common

1	sudo apt install apt-transport-https ca-certificates curl software-properties-common

#Suppressing Pro updates in Ubuntu 24.04.x LTS

sudo mv /etc/apt/apt.conf.d/20apt-esm-hook.conf /etc/apt/apt.conf.d/20apt-esm-hook.conf.bak

1	sudo mv /etc/apt/apt.conf.d/20apt-esm-hook.conf /etc/apt/apt.conf.d/20apt-esm-hook.conf.bak

#Next, also comment out ALL the lines by using arrow keys to navigate, and adding # for each line. When done, press Ctrl+S to save and Ctrl+X to exit.

sudo nano /var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-apps.sources

1	sudo nano /var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-apps.sources

#Add a new primary user

adduser primaryuser

1	adduser primaryuser

#Enter a new password and provide any user information you wish to then add the new user to sudousers.

usermod -aG sudo primaryuser

1	usermod -aG sudo primaryuser

#Edit the /etc/wsl.conf file:
#Open the /etc/wsl.conf file in a text editor. You might need to create this file if it doesn’t exist:

nano /etc/wsl.conf

1	nano /etc/wsl.conf

#Add the Configuration for the Default User:
#Add the following lines to the file to set the default user:

[user]
default=primaryuser

1 2	[user] default=primaryuser

#Enable bridged networking instead of NAT

#Create a new bridged virtual switch called WSL

New-VMSwitch -Name "WSL" -NetAdapterName "Ethernet" -AllowManagementOS $true

1	New-VMSwitch -Name "WSL" -NetAdapterName "Ethernet" -AllowManagementOS $true

#List configured virtual switches

Get-VMSwitch

1	Get-VMSwitch

#Nexts steps to enable bridged networking and to disable IPv6 in WSL2

#Edit the .wslconfig File:

#Create or edit the .wslconfig file located in your user directory (typically C:\Users\<YourUsername>\.wslconfig).

#These settings tell WSL2 to disable IPv6 at the kernel level and to use the virtual switch called WSL. If you want IPv6 spport then simply omit that line from your .wslconfig

#Add the following lines to the file:

[wsl2]
   kernelCommandLine=ipv6.disable=1
   networkingMode = bridged
   vmSwitch = WSL

[wsl2]

kernelCommandLine=ipv6.disable=1

networkingMode = bridged

vmSwitch = WSL

#After saving the changes, you need to shut down WSL for the changes to take effect. You can do this by running the following command in PowerShell or Command Prompt:

wsl --shutdown

1	wsl --shutdown

#Enable syncookies, disable responses for pings to the broadcast, enable ip spoof protection, disable ICMP redirects and disable source routing. You can do so by adding the following lines to /etc/sysctl.conf

net.ipv4.icmp_echo_ignore_broadcasts = 1

1	net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.conf.all.rp_filter = 1

1	net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.all.accept_redirects = 0

1	net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.accept_source_route = 0

1	net.ipv4.conf.all.accept_source_route = 0

#If you are using NAT rather than bridged networking

#You do not need to do this if you are using bridged mode and DHCP is automatically obtained from your primary DHCP server.

- WSL NAT mode gives your Linux environment a private IP and makes all traffic appear to come from your host’s IP. This hides your WSL instance from direct access from the Internet, providing a layer of protection.
- WSL bridged mode lets your Linux environment get its own IP on the network, like a separate computer. This means your WSL session is directly reachable from the Internet or other devices on the network, so it’s more important to secure it properly.

#This means NAT hides WSL behind your host’s IP, while bridged mode makes WSL act like its own device on the network.

#Set permanent DNS to an external DNS provider for NAT

#To prevent the /etc/resolv.conf file from being automatically generated and overwritten by WSL via /etc/wsl.conf

sudo nano /etc/wsl.conf

1	sudo nano /etc/wsl.conf

#Add:

[network]
  generateResolvConf = false

1 2	[network] generateResolvConf = false

#The /etc/resolv.conf file is often a symlink to another file that gets automatically generated. To prevent it from being overwritten, you should remove the symlink and create a regular file:

#List contents of /etc/resolv.conf

cat /etc/resolv.conf

1	cat /etc/resolv.conf

#Default Settings in an automatically created resolv.conf

nameserver 127.0.0.53
options edns0 trust-ad
search .

nameserver 127.0.0.53

options edns0 trust-ad

search .

#Get DNS Status

resolvectl status

1	resolvectl status

#Remove the existing symlink:

sudo rm /etc/resolv.conf

1 2	sudo rm /etc/resolv.conf

#Create a new /etc/resolv.conf file:

sudo touch /etc/resolv.conf

1 2	sudo touch /etc/resolv.conf

#Edit the new file to add your preferred DNS servers. For example:

echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf

1	echo "nameserver 1.1.1.1" \| sudo tee /etc/resolv.conf

#Add additional DNS servers (note tee -a (for append))

echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf

1	echo "nameserver 8.8.8.8" \| sudo tee -a /etc/resolv.conf

#Install and configure zsh shell

#Install zsh (git is needed for the theme I use)

sudo apt install zsh git

1	sudo apt install zsh git

#Configure zsh as your default shell.

chsh -s $(which zsh)

1	chsh -s $(which zsh)

#Run zsh

zsh

zsh

#Press 2 to create a default config file if prompted

#Configure zsh for root user. You do not need to do this step if you don’t use sudo -i like I do. Operating like that is not recommended but often I am in a non-production environment when I do so exit. This will not work if you were not prompted to create a default .zshrc file. You can run this later if you need to after installing oh.my.zsh.

sudo -i #sudo interactive mode
{password]
chsh -s $(which zsh) root #sets zsh as default shell for root
cp /home/username/.zshrc /root/.zshrc #copy config from a normal user
source ~/.zshrc #to load new config
exit #when ready

sudo -i #sudo interactive mode

{password]

chsh -s $(which zsh) root #sets zsh as default shell for root

cp /home/username/.zshrc /root/.zshrc #copy config from a normal user

source ~/.zshrc #to load new config

exit #when ready

#Install oh.my.zsh

sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

1	sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

#I use the Powerlevel10k theme. You can download it from here. This is a per use install and should be installed on a non-root user 1st then sudo -i if you want that too.

git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}/themes/powerlevel10k

1	git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}/themes/powerlevel10k

#Edit .zshrc configuration file

nano ~/.zshrc

1	nano ~/.zshrc

#Change to:

ZSH_THEME="powerlevel10k/powerlevel10k"

1	ZSH_THEME="powerlevel10k/powerlevel10k"

#Source ~/.zshrc to change to powerlevel10k ohmyzsh theme.

source ~/.zshrc

1	source ~/.zshrc

#Answer questions about your screen for customized terminal font support

#Output:

#Output:
New config: ~/.p10k.zsh.
Backup of ~/.zshrc: /tmp/.zshrc.DcpifTQyna.

See ~/.zshrc changes:

diff /tmp/.zshrc.DcpifTQyna ~/.zshrc

File feature requests and bug reports at
https://github.com/romkatv/powerlevel10k/issues

#Output:

New config: ~/.p10k.zsh.

Backup of ~/.zshrc: /tmp/.zshrc.DcpifTQyna.

See ~/.zshrc changes:

diff /tmp/.zshrc.DcpifTQyna ~/.zshrc

File feature requests and bug reports at

https://github.com/romkatv/powerlevel10k/issues

#Create Mount Points in WSL

#Create directories in WSL where you want to mount the CD-ROM drives:

#Check This PC in Windows 11 if you are unsure which drive letter your optical drives uses.

#If your CD/DVD is at D:\ in Windows

sudo mkdir -p /mnt/d

1	sudo mkdir -p /mnt/d

#If your CD/DVD is at E:\ in Windows

sudo mkdir -p /mnt/e

1	sudo mkdir -p /mnt/e

#Mount the CD-ROM Drives Using drvfs

#If your CD/DVD is at D:\ in Windows

sudo mount -t drvfs D: /mnt/d

1	sudo mount -t drvfs D: /mnt/d

#If your CD/DVD is at E:\ in Windows

sudo mount -t drvfs E: /mnt/e

1	sudo mount -t drvfs E: /mnt/e

#Part 2 is on it’s way. (Next Steps to configuring Ubuntu 24.04.x LTS in Windows 11 WSL)

November 16, 2024January 19, 2025

Delete Opera Splash Screen and Other Opera Annoyware

#Delete Opera Splash Screen and Other Opera Annoyware

#Let’s just start with why they are forcing a Splash Screen in the first place… who knows but I am thinking they are stuck in a different decade. I just delete all the automatic crap. The Opera Browser remains working for me without the files removed by my code. I even setup a MagicWord in Brayden SlickRun to do this for me by simply typing dop.

#Just the code:

# Define the installation path
$InstallPath = "C:\Program Files\Opera"

# Define the names of the files you want to delete
$FilesToDelete = @('opera_gx_splash.exe', 'opera_crashreporter.exe', 'opera_autoupdate.exe', 'installer_helper_64.exe', 'notification_helper.exe')

# Search for and delete the files in all subdirectories
foreach ($File in $FilesToDelete) {
   Get-ChildItem -Path $InstallPath -Recurse -Filter $File -Verbose | Remove-Item -Verbose -ErrorAction SilentlyContinue
}

# Define the installation path

$InstallPath = "C:\Program Files\Opera"

# Define the names of the files you want to delete

$FilesToDelete = @('opera_gx_splash.exe', 'opera_crashreporter.exe', 'opera_autoupdate.exe', 'installer_helper_64.exe', 'notification_helper.exe')

# Search for and delete the files in all subdirectories

foreach ($File in $FilesToDelete) {

Get-ChildItem -Path $InstallPath -Recurse -Filter $File -Verbose | Remove-Item -Verbose -ErrorAction SilentlyContinue

}

#Longer Story

#I use Chocolatey to update my system, when I decide, so all these browsers forcing updates every other day is just extra annoying for me. Opera doesn’t provide an option to do manual updates. Removing the opera_autoupdate.exe file seems to work well.

#Patch testing and phased implementations are a thing of the past. The cloud and any applications that deal with the cloud are basically beta software that can hardly be trusted for anything important or secure. Anyone that has to update several times a week hasn’t done a good job in the first place. Trying to keep up with the cloud is a daunting task for programmers but I do not need forced updates and “features” like a splash screen also forced upon me after almost daily updates. I would understand if there were just an option, that worked, to disable all that. I use a 3rd party updater. It has issues when Opera updates itself and I just don’t need forced screen delays when I load software. It is just dumb. Firefox just updated on me while I was using it in Linux with a Canonical install using apt. They had a hidden background update option enabled and it installed then killed all my private windows.

#Also I don’t want my browser running in the background every time I login or Edge, which I never use. Why would I want that? It doesn’t do anything for me when they do that. I can only imagine it benefits them somehow to take up some of my resources when I am using Firefox or Chrome instead.

#I use Opera for real work. It is not a toy for me. It does some things better than other more popular browsers but they have always focused more on monetizing it more than just being the best which is why I never recommend it to anyone.

November 16, 2024January 19, 2025

Use PowerShell to Make All Files in a Folder to Lowercase Instead of Uppercase

#Use PowerShell to Convert All Files in a Folder to Lowercase Instead of Uppercase

#Here’s a PowerShell script to convert all filenames in a folder to lowercase:

#Just the code

Get-ChildItem -Path "C:\test" -Recurse | ForEach-Object {
    $newName = $_.Name.ToLower() # or .ToUpper() for uppercase
    if ($_.Name -cne $newName) {
        Rename-Item -LiteralPath $_.FullName -NewName $newName -Force
    }
}

Get-ChildItem -Path "C:\test" -Recurse | ForEach-Object {

$newName = $_.Name.ToLower() # or .ToUpper() for uppercase

if ($_.Name -cne $newName) {

Rename-Item -LiteralPath $_.FullName -NewName $newName -Force

}

#Longer Story

#When attempting to convert filenames to lowercase from a CD-ROM using PowerRename, I encountered challenges primarily due to file system limitations, specifically with ExFAT partitions. The led me to develop a PowerShell script that effectively renames files and discovered that the script only works when files were first copied to an NTFS partition.

#ExFAT Limitation

#ExFAT (Extended File Allocation Table) is a file system designed for flash drives and external hard drives. While it offers advantages like large file size support and cross-platform compatibility, it has some limitations when it comes to file operations:

Case Sensitivity: ExFAT is case-preserving but case-insensitive. This means it maintains the case of filenames as they were created, but doesn’t distinguish between uppercase and lowercase when accessing files.
Rename Operations: Some tools and scripts may have difficulty renaming files on exFAT partitions due to how the file system handles these operations
Permissions: ExFAT doesn’t support the same level of file permissions as NTFS, which can affect certain operations

#PowerRename and ExFAT

#PowerRename, a PowerToy utility, may show that it’s working on ExFAT but fails to actually rename the files.

#NTFS Compatibility

NTFS (New Technology File System) is more robust and supports a wider range of file operations.

March 30, 2022January 19, 2025

Install Microsoft OpenSSH.Server package from PowerShell and set SSHD service to Automatic

#Install Microsoft OpenSSH.Server package from PowerShell and set SSHD service to Automatic

#Just the code:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Get-Service -Name sshd|Set-Service -StartupType 'Automatic'
Get-Service -Name sshd|Start-Service

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Get-Service -Name sshd|Set-Service -StartupType 'Automatic'

Get-Service -Name sshd|Start-Service

#The long story…

#Add OpenSSH Server capability to Windows 10 and Windows Server 2019

#OpenSSH Server needs to be installed via Remote Desktop Protocol (RDP) or from a local PowerShell session to allow incoming SSH connections and tunnels.

#OpenSSH Client is now included with Microsoft Windows 10 and Microsoft Windows Servers. This package only needs to be installed on the remote side of a tunnel. OpenSSH Client is required on the computer initiating the connections or tunnels and is installed by default in the latest version of Windows 10, Windows Server 2019 and Windows Server 2022.

#Add-WindowsCapability does not work for the OpenSSH.Server package via Enter-PSSession for some reason.

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

1	Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

#Set the SSHD service to Automatic

Get-Service -Name sshd|Set-Service -StartupType 'Automatic'

1	Get-Service -Name sshd\|Set-Service -StartupType 'Automatic'

#Start the SSHD service

Get-Service -Name sshd|Start-Service

1	Get-Service -Name sshd\|Start-Service

#Use this command to verify that OpenSSH Client is installed

(Get-WindowsCapability -Online|? Name -like 'OpenSSH.Client*').State

1	(Get-WindowsCapability -Online\|? Name -like 'OpenSSH.Client*').State

#Verify the incoming Windows Firewall rules for OpenSSH Server were properly created

Get-NetFirewallRule<span class="hljs-parameter"> -Name</span> <span class="hljs-string">"OpenSSH-Server-In-TCP"</span>

1	Get-NetFirewallRule<span class="hljs-parameter"> -Name</span> <span class="hljs-string">"OpenSSH-Server-In-TCP"</span>

March 30, 2022January 20, 2025

Use PowerShell to create an SSH tunnel for a Remote Desktop Connection (RDP) to another computer with OpenSSH-Server installed

#Use PowerShell to create an SSH tunnel for a Remote Desktop Connection (RDP) to another computer with OpenSSH-Server installed

#Just the code:

Start-Process ssh -ArgumentList "-N -L 127.0.0.3:13389:10.4.0.12:3389 10.4.0.12 -l sshuser" -Verb open
(Read-Host 'Press Enter to continue...')|Out-Null
&amp;mstsc /V:127.0.0.3:13389 /prompt

Start-Process ssh -ArgumentList "-N -L 127.0.0.3:13389:10.4.0.12:3389 10.4.0.12 -l sshuser" -Verb open

(Read-Host 'Press Enter to continue...')|Out-Null

&mstsc /V:127.0.0.3:13389 /prompt

#The Long Story…

#Remote Desktop Protocol (RDP) is great but it is not very secure. This is one way to make your RDP connections more secure using a Secure Shell (SSH) tunnel. This may work in Powershell 7 but isn’t the best way to do it.

#Install SSH Server on Windows 10 or Windows 2019

http://winrollup.com/install-microsoft-openssh-server-package-from-powershell-and-set-sshd-service-to-automatic

#Use PowerShell to open SSH in a cmd.exe window that will control the SSH tunnel.

Start-Process ssh -ArgumentList "-N -L 127.0.0.3:13389:10.4.0.12:3389 10.4.0.12 -l sshuser" -Verb open

1	Start-Process ssh -ArgumentList "-N -L 127.0.0.3:13389:10.4.0.12:3389 10.4.0.12 -l sshuser" -Verb open

#The commands will pause while you login to the SSH tunnel session. In this example 127.0.0.3:13889 is the tunnel entrance. 10.4.0.12:3389 is the tunnel destination and will most likely be different for you. In my case it is a Microsoft Windows Server 2019 server that I connect to from a Windows 10 Professional client.

#10.4.0.12 is the address of the SSH server and sshuser is an account on the destination machine. The account used doesn’t need additional rights beyond User rights on Windows 10 to create the tunnel but you will need additional rights to connect via RDP.

#Login to SSH tunnel

#Type in the password for sshuser

#The first time you connect to a new SSH host computer you must accept the SSH key that is presented. Type yes if prompted with a message similar to the text below.

The authenticity of host 'servername (10.04.00.02)' can't be established.
ECDSA key fingerprint is SHA256:(&lt;a large string&gt;).
Are you sure you want to continue connecting (yes/no)?

The authenticity of host 'servername (10.04.00.02)' can't be established.

ECDSA key fingerprint is SHA256:(<a large string>).

Are you sure you want to continue connecting (yes/no)?

ssh tunnel login screen

#Leave this window open. Minimize if you need to but it needs to stay running for the tunnel traffic to use.

#This will end with a window that looks like it hangs after you login. It is not hung. That window is where the tunnel runs through. Do not close it. Minimize the window and go back to your script. Press Enter to continue…

SSH tunnel active after a successful login win10 server2019

#Go back to the PowerShell window and press Enter to launch mstsc.exe and make a Remote Desktop Connection using the new SSH tunnel.

(Read-Host 'Press Enter to continue...')|Out-Null

1	(Read-Host 'Press Enter to continue...')\|Out-Null

setup ssh tunnel rdp powershell win10 server2019

#Launch mstsc.exe with the new loopback IP and made up port number

#Use the & call operator to force PowerShell to treat the string as a command to be executed and run mstsc.exe which is the Windows command to launch the Remote Desktop Services client also know as Microsoft Terminal Services client (mstsc).

&amp;mstsc /V:127.0.0.3:13389 /prompt]

1	&mstsc /V:127.0.0.3:13389 /prompt]

rdp ssh tunnel active win10 powershell

#I used code and knowledge from the page linked below to create this but the code I use is modified to combine techniques and concepts shown there when using PowerShell.

#This site has information on using Putty and Linux to create SSH tunnel connections as well.

https://www.saotn.org/tunnel-rdp-through-ssh/

February 20, 2022January 20, 2025

Setup a New Microsoft Windows Server 2019 Core Installation to Accept Incoming PowerShell Connections in a Workgroup

#Setup a New Microsoft Windows Server 2019 Core Installation to Accept Incoming PowerShell Remoting connections in a Workgroup

#You will not need to do this if you perform your PowerShell tasks directly from a domain connected computer. You need this if you have virtual machines or headless devices… or just plain lazy. Also not everyone has a domain controller and sometimes even a Hyper-V host computer will remain in a workgroup since it might host the domain controller and it is off topic… I work in PowerShell ISE for the most part and connect to where ever I need to.

#This is the first steps after a fresh clean install of Microsoft Windows Server 2019 Core to allow PowerShell Remoting and WSMan.

#Press Ctrl-Alt-Delete to begin configuring Microsoft Windows Server 2019 Core

#Press Enter to select OK to change password

#Set password for .\administrator

#This initial password is for the local administrator account .\administrator is also a way to access this account. It is not part of active directory and therefore doesn’t fall under the Active Directory password policy. Do not make it something easy to guess. The standard policy require 8 characters minimum with upper and lower case letters, numbers and symbols. I suggest you follow that as this password will be passed to your initial domain administrator account, where it will fail to work, so it is just best to avoid issues.

#This is cmd.exe start screen for Microsoft Windows Server 2019 Core. Type sconfig to bring up the cheater menu.

#Type powershell and press enter to start a PowerShell session directly in Microsoft Windows Server 2019 Core cmd.exe prompt.

#Type Enable-PSRemoting -Force to enable PowerShell Remoting. You can use -SkipNetworkProfileCheck to allow management requests on a network Microsoft Windows has categorized as Public such as Hotspots and new unrecognized networks.

Enable-PSRemoting <span style="font-family: terminal, monaco, monospace;">-SkipNetworkProfileCheck </span>-Force

1	Enable-PSRemoting <span style="font-family: terminal, monaco, monospace;">-SkipNetworkProfileCheck </span>-Force

#This will show you what computers you “trust” to connect remotely via PowerShell Remote, no remote hosts are allowed by default.

Get-Item WSMan:\localhost\Client\TrustedHosts

1	Get-Item WSMan:\localhost\Client\TrustedHosts

#This creates a list of computers you “trust” so that you wish to make outgoing PowerShell Remote connections. It doesn’t need a value if you don’t plan to connect to other computers from this new server and/or just use a management PC.

#This is not a list of computers that are allowed to use Enter-PSSession to connect to the new server and most likely you need to run this command on a Windows 10 management PC instead. You would include either the IP address of the new server, the computer name of the new server or ‘*’ if you want to be able to connect to anywhere.

Get-Item WSMan:\localhost\Client\TrustedHosts|Set-Item -Value '10.4.0.2,BEAKER'

1	Get-Item WSMan:\localhost\Client\TrustedHosts\|Set-Item -Value '10.4.0.2,BEAKER'

#The code below will add entries to the TrustedHosts rather than overwrite them:

# Retrieve the current TrustedHosts value
$currentTrustedHosts = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Define the new entries you want to add
$newEntries = "KERMIT,10.10.10.20"

# Check if currentTrustedHosts is empty and append new entries
if ([string]::IsNullOrEmpty($currentTrustedHosts)) {
    $updatedTrustedHosts = $newEntries
} else {
    # Split the current entries into an array to avoid duplicates
    $currentEntries = $currentTrustedHosts -split ','
    
    # Add new entries while avoiding duplicates
    $newEntriesArray = $newEntries -split ','
    $allEntries = $currentEntries + $newEntriesArray | Select-Object -Unique
    
    # Join the entries back into a single string
    $updatedTrustedHosts = ($allEntries -join ',')
}

# Set the updated TrustedHosts value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $updatedTrustedHosts -Force

# Optional: Output the updated TrustedHosts value for confirmation
Write-Host "Updated TrustedHosts: $updatedTrustedHosts"

# Retrieve the current TrustedHosts value

$currentTrustedHosts = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Define the new entries you want to add

$newEntries = "KERMIT,10.10.10.20"

# Check if currentTrustedHosts is empty and append new entries

if ([string]::IsNullOrEmpty($currentTrustedHosts)) {

$updatedTrustedHosts = $newEntries

} else {

# Split the current entries into an array to avoid duplicates

$currentEntries = $currentTrustedHosts -split ','

# Add new entries while avoiding duplicates

$newEntriesArray = $newEntries -split ','

$allEntries = $currentEntries + $newEntriesArray | Select-Object -Unique

# Join the entries back into a single string

$updatedTrustedHosts = ($allEntries -join ',')

}

# Set the updated TrustedHosts value

Set-Item WSMan:\localhost\Client\TrustedHosts -Value $updatedTrustedHosts -Force

# Optional: Output the updated TrustedHosts value for confirmation

Write-Host "Updated TrustedHosts: $updatedTrustedHosts"

#You can use either the server IP address or computer name if you need to perform this step. I choose to use both so I avoid any issues when connecting. You need to type y and press Enter to confirm. A value of ‘*’ allows the server to connect to any remote host.

#Now you can use Enter-PSSession to connect to your Microsoft Windows Sever 2019 Core install to configure it using PowerShell or RSAT tools.

#At this point you probably do not have Active Directory installed so you would use the command below to connect to the server. I use PowerShell ISE to open my list of common commands and just run them remotely from my desktop computer. After the -Cn is whatever IP address or computer name you added to WSMan:\localhost\Client\TrustedHosts

Enter-PSSession -Cn 10.4.0.2 -Credential administrator

1	Enter-PSSession -Cn 10.4.0.2 -Credential administrator

#If you are running Microsoft Windows 2019 Core on Hyper-V then you can connect the way shown above from anywhere. You could connect the way below, from the Hyper-V host, if that isn’t also a core installation. Be aware that connecting -VMName Vs. -ComputerName can cause some commands to behave differently or not at all.

Enter-PSSession -VMName Server2019 -Credential administrator

1	Enter-PSSession -VMName Server2019 -Credential administrator

February 7, 2022January 20, 2025

Installing and configuring PowerShell 7.2.1 on 64-bit Server 2019 and Windows 10

#Installing and configuring PowerShell 7.2.1 on 64-bit Server 2019 and Windows 10

#The installation commands shown here are for the latest stable release of PowerShell 7.

#To be honest I don’t recommend upgrading if you plan to keep using all your existing scripts and commands without issue. That most likely will not happen. PowerShell 7 doesn’t work well with Microsoft 365 and Microsoft Azure. The login command fails, for example. There might be a work around using the Microsoft Graph API but I haven’t managed to get that working. The differences between PowerShell 5 and PowerShell 7 are discussed here.

#I need to use the older Microsoft only releases of PowerShell for most of what I do. PowerShell 7 does work on many non-Windows platforms but do not expect to use PowerShell 7 to manage your hard drives in Linux. PowerShell 5.x and PowerShell 6.x only work on Microsoft Windows-based computers.

#It should also be mentioned that PowerShell 5 and PowerShell 7 run along side each other and is determined by which shell you choose to work in. Another problem is that PowerShell ISE is not designed to work with PowerShell 7 and not included.

From Microsoft:

#Is PowerShell ISE going away?

The PowerShell ISE is no longer in active feature development. As a shipping component of Windows, it continues to be officially supported for security and high-priority servicing fixes. … Users looking for replacement for the ISE should use Visual Studio Code with the PowerShell Extension.

PowerShell 7.2.1 can be downloaded for 64-bit Windows-based operating systems from the link below:

https://github.com/PowerShell/PowerShell/releases/download/v7.2.1/PowerShell-7.2.1-win-x64.msi

Get more information about the latest version of Microsoft PowerShell 7.2 LTS from the link below:

https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2

#Open firewall to allow PowerShell access to and from other computers on your network:

Set-NetConnectionProfile -NetworkCategory Private
Enable-PSRemoting

1 2	Set-NetConnectionProfile -NetworkCategory Private Enable-PSRemoting

September 16, 2017January 20, 2025

Install AD-Domain-Services And Configure A New Domain On Windows Server 2016

#Install AD-Domain-Services And Configure A New Domain On Windows Server 2016

#This is to install and configure a new Active Directory domain called domain.winrollup.int with a short name of domain. You will be disconnected from Microsoft PowerShell at the end of the procedure if you are connected via WinRM or PowerShell Direct. You’ll need to restart the server and login with domain\username credentials when you reconnect.

#Just the code:

Get-WindowsFeature -Name AD-Domain-Services|Install-WindowsFeature -Verbose|fl
Import-Module ADDSDeployment -PassThru|fl
Install-ADDSForest -DomainName domain.winrollup.int -DomainNetbiosName DOMAIN -DomainMode 7 -ForestMode 7 -InstallDNS -Verbose|fl

Get-WindowsFeature -Name AD-Domain-Services|Install-WindowsFeature -Verbose|fl

Import-Module ADDSDeployment -PassThru|fl

Install-ADDSForest -DomainName domain.winrollup.int -DomainNetbiosName DOMAIN -DomainMode 7 -ForestMode 7 -InstallDNS -Verbose|fl

#The Longer Story…

#This is just to install a single domain on Windows Server 2016 using PowerShell commands.

#Install AD-Domain-Services feature in Windows Server 2016 using PowerShell Direct

Get-WindowsFeature -Name AD-Domain-Services|Install-WindowsFeature -Verbose|fl

1	Get-WindowsFeature -Name AD-Domain-Services\|Install-WindowsFeature -Verbose\|fl

#Import the ADDSDeployment module that contains Install-ADDSForest

Import-Module -Name ADDSDeployment -PassThru|fl

1	Import-Module -Name ADDSDeployment -PassThru\|fl

#Create domain and forest

#-DomainMode 7 and -ForestMode 7 are for Server 2016 domain and forest mode. These settings should be modified if compatibility for previous Active Directory domain and forest mode support is needed. I do not see these settings on the Microsoft help page for Install-ADDSDeployment but if you use the GUI wizard method then Server 2016 mode is the default used there and this will be added when they update the Install-ADDSDeployment TechNet page past Server 2012 R2.

#The -DomainNetbiosName is different from a Netbios Computer Name and is what is used when logging in so domain\administrator is as valid as logging into domain.winrollup.int\administrator.

Install-ADDSForest -DomainName domain.winrollup.int -DomainNetbiosName DOMAIN -DomainMode 7 -ForestMode 7 -InstallDNS -Verbose -NoRebootOnCompletion|fl

1	Install-ADDSForest -DomainName domain.winrollup.int -DomainNetbiosName DOMAIN -DomainMode 7 -ForestMode 7 -InstallDNS -Verbose -NoRebootOnCompletion\|fl

#Full Output of Install-ADDSForest:

The target server will be configured as a domain controller. The server needs to be restarted manually when this
operation is complete.
Do you want to continue with this operation?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
VERBOSE: Active Directory Domain Services Setup
VERBOSE: Validating environment and parameters...
WARNING: Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it
 does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain
"domain.win10server2016.lan". Otherwise, no action is required.

VERBOSE: ----------------------------------------
VERBOSE: The following actions will be performed:
VERBOSE: Configure this server as the first Active Directory domain controller in a new forest.

The new domain name is "domain.win10server2016.lan". This is also the name of the new forest.

The NetBIOS name of the domain is "DOMAIN".

Forest Functional Level: Windows Server 2016

Domain Functional Level: Windows Server 2016

Site: Default-First-Site-Name

Additional Options:
  Read-only domain controller: "No"
  Global catalog: Yes
  DNS Server: Yes

Create DNS Delegation: No

Database folder: C:\Windows\NTDS
Log file folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL

The DNS Server service will be installed on this computer.
The DNS Server service will be configured on this computer.
This computer will be configured to use this DNS server as its preferred DNS server.

The password of the new domain Administrator will be the same as the password of the local Administrator of this
computer.
VERBOSE: ----------------------------------------
VERBOSE: Active Directory Domain Services Setup
VERBOSE: Validating environment and parameters...
WARNING: Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it
 does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain
"domain.win10server2016.lan". Otherwise, no action is required.

VERBOSE: ----------------------------------------
VERBOSE: The following actions will be performed:
VERBOSE: Configure this server as the first Active Directory domain controller in a new forest.

The new domain name is "domain.win10server2016.lan". This is also the name of the new forest.

The NetBIOS name of the domain is "DOMAIN".

Forest Functional Level: Windows Server 2016

Domain Functional Level: Windows Server 2016

Site: Default-First-Site-Name

Additional Options:
  Read-only domain controller: "No"
  Global catalog: Yes
  DNS Server: Yes

Create DNS Delegation: No

Database folder: C:\Windows\NTDS
Log file folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL

The DNS Server service will be installed on this computer.
The DNS Server service will be configured on this computer.
This computer will be configured to use this DNS server as its preferred DNS server.

The password of the new domain Administrator will be the same as the password of the local Administrator of this
computer.
VERBOSE: ----------------------------------------
VERBOSE: Press CTRL-C to: Cancel
VERBOSE: Active Directory Domain Services is now installed on this computer for the domain
"domain.win10server2016.lan".

This Active Directory domain controller is assigned to the site "Default-First-Site-Name". You can manage sites with
the Active Directory Sites and Services administrative tool.


Message        : You must restart this computer to complete the operation.

Context        : DCPromo.General.4
RebootRequired : True
Status         : Success

100

101

102

103

104

105

106

107

108

The target server will be configured as a domain controller. The server needs to be restarted manually when this

operation is complete.

Do you want to continue with this operation?

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y

VERBOSE: Active Directory Domain Services Setup

VERBOSE: Validating environment and parameters...

WARNING: Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography

algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security

channel sessions.

For more information about this setting, see Knowledge Base article 942564

(http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it

does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually

create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain

"domain.win10server2016.lan". Otherwise, no action is required.

VERBOSE: ----------------------------------------

VERBOSE: The following actions will be performed:

VERBOSE: Configure this server as the first Active Directory domain controller in a new forest.

The new domain name is "domain.win10server2016.lan". This is also the name of the new forest.

The NetBIOS name of the domain is "DOMAIN".

Forest Functional Level: Windows Server 2016

Domain Functional Level: Windows Server 2016

Site: Default-First-Site-Name

Additional Options:

Read-only domain controller: "No"

Global catalog: Yes

DNS Server: Yes

Create DNS Delegation: No

Database folder: C:\Windows\NTDS

Log file folder: C:\Windows\NTDS

SYSVOL folder: C:\Windows\SYSVOL

The DNS Server service will be installed on this computer.

The DNS Server service will be configured on this computer.

This computer will be configured to use this DNS server as its preferred DNS server.

The password of the new domain Administrator will be the same as the password of the local Administrator of this

computer.

VERBOSE: ----------------------------------------

VERBOSE: Active Directory Domain Services Setup

VERBOSE: Validating environment and parameters...

WARNING: Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography

algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.

For more information about this setting, see Knowledge Base article 942564

(http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it

does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually

create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain

"domain.win10server2016.lan". Otherwise, no action is required.

VERBOSE: ----------------------------------------

VERBOSE: The following actions will be performed:

VERBOSE: Configure this server as the first Active Directory domain controller in a new forest.

The new domain name is "domain.win10server2016.lan". This is also the name of the new forest.

The NetBIOS name of the domain is "DOMAIN".

Forest Functional Level: Windows Server 2016

Domain Functional Level: Windows Server 2016

Site: Default-First-Site-Name

Additional Options:

Read-only domain controller: "No"

Global catalog: Yes

DNS Server: Yes

Create DNS Delegation: No

Database folder: C:\Windows\NTDS

Log file folder: C:\Windows\NTDS

SYSVOL folder: C:\Windows\SYSVOL

The DNS Server service will be installed on this computer.

The DNS Server service will be configured on this computer.

This computer will be configured to use this DNS server as its preferred DNS server.

The password of the new domain Administrator will be the same as the password of the local Administrator of this

computer.

VERBOSE: ----------------------------------------

VERBOSE: Press CTRL-C to: Cancel

VERBOSE: Active Directory Domain Services is now installed on this computer for the domain

"domain.win10server2016.lan".

This Active Directory domain controller is assigned to the site "Default-First-Site-Name". You can manage sites with

the Active Directory Sites and Services administrative tool.

Message : You must restart this computer to complete the operation.

Context : DCPromo.General.4

RebootRequired : True

Status : Success

#Restart the server.

Restart-Computer

1	Restart-Computer

#Reconnect to PowerShell Direct using the `DOMAIN\administrator` account after reboot from `Install-ADDSForest` is complete.

Enter-PSSession -VMName Server2016 -Credential domain\administrator

1	Enter-PSSession -VMName Server2016 -Credential domain\administrator

June 1, 2017January 20, 2025

Manage Active Directory Users And Computers Using Windows 10 In PowerShell Direct Without CredSSP Or “Second-Hop” Issues

#Manage Active Directory Users And Computers Using Windows 10 in PowerShell Direct Without CredSSP Or “Second-Hop” Issues

#When connecting to a virtual machine using PowerShell Remoting, enabling CredSSP (Credential Security Support Provider) is essential to avoid “Second-Hop” or “Multi-Hop” issues when managing Active Directory objects. CredSSP is particularly necessary when connecting to physical machines, as PowerShell Direct only functions when connecting directly from the host computer to a virtual machine.

#PowerShell Direct does not encounter the “Second-Hop” problem when managing Windows Server 2016 from a Windows 10 virtual machine running Hyper-V. Since I have enabled the Hyper-V role on my Windows 10 Professional system and my physical machine is not part of a domain, the Windows 10 virtual machine must be joined to the Active Directory domain that I intend to manage. This setup avoids additional configuration changes related to workgroup settings.

Enter-PSSession -VMName Win10 -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Direct
New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test
Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Set-ADOrganizationalUnit –ProtectedFromAccidentalDeletion $false #Unprotect OU=Test for intentional deletion
Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Remove-ADOrganizationalUnit -Verbose #Delete OU=Test

Enter-PSSession -VMName Win10 -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Direct

New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test

Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Set-ADOrganizationalUnit –ProtectedFromAccidentalDeletion $false #Unprotect OU=Test for intentional deletion

Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Remove-ADOrganizationalUnit -Verbose #Delete OU=Test

#The Longer Story…

#Create a new Organizational Unit in PowerShell Remote using just the computer name

#Without CredSSP enabled this command fails in PowerShell Remote which is initiated by using-ComputerName with Enter-PSSession

Enter-PSSession -ComputerName KERMIT -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Remote
New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test

Enter-PSSession -ComputerName KERMIT -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Remote

New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test

#Create a new Organizational Unit in PowerShell Direct using just the virtual machine name

#Just using OU=Test as an example to show how this command doesn’t fail in PowerShell Direct using -VMName like it did in the previous example using -ComputerName.

Enter-PSSession -VMName Win10 -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Direct
New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test

1 2	Enter-PSSession -VMName Win10 -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Direct New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test

#Set `–ProtectedFromAccidentalDeletion` to `$false` on `OU=Test` so it can be deleted

#This needs to be done to allow the OU to be deleted.

Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Set-ADOrganizationalUnit –ProtectedFromAccidentalDeletion $false #Unprotect OU=Test for intentional deletion

1	Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'\|Set-ADOrganizationalUnit –ProtectedFromAccidentalDeletion $false #Unprotect OU=Test for intentional deletion

#Delete `OU=Test` from `-Server KERMIT`.

#KERMIT is the NetBIOS computer name of my domain controller and not the domain NetBIOS name. They are different things.

Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Remove-ADOrganizationalUnit -Verbose #Delete OU=Test

1	Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'\|Remove-ADOrganizationalUnit -Verbose #Delete OU=Test

June 1, 2017January 20, 2025

Join Windows 10 Professional To An Active Directory Domain Using PowerShell Direct

#Join Windows 10 Professional To An Active Directory Domain Using PowerShell Direct

#These are the commands to rename a Windows 10 client computer to `GONZO` and add that computer to a domain called `domain.winrollup.int`

Rename-Computer -NewName GONZO -Verbose -PassThru #Rename computer before joining domain. Requires restart
Restart-Computer
Add-Computer -DomainName domain.winrollup.int -Credential domain\administrator -Passthru -Verbose #Join Active Directory Domain and add to Computer container. Requires restart
Restart-Computer

Rename-Computer -NewName GONZO -Verbose -PassThru #Rename computer before joining domain. Requires restart

Restart-Computer

Add-Computer -DomainName domain.winrollup.int -Credential domain\administrator -Passthru -Verbose #Join Active Directory Domain and add to Computer container. Requires restart

Restart-Computer

#The Longer Story…

#Your computer may not need to be renamed so skip that if needed. Also the Add-Computer command sends your newly added computers to the Computers container by default unless you specify an -OUPath when running Add-Computer.

#Rename computer before joining your domain if your computer name doesn’t comply with server standards. Restart required.

Rename-Computer -NewName GONZO -Verbose -PassThru #Rename computer before joining domain. Requires restart
Restart-Computer

1 2	Rename-Computer -NewName GONZO -Verbose -PassThru #Rename computer before joining domain. Requires restart Restart-Computer

#Join a domain called `domain.winrollup.int`. Restart required.

#You need to change the -DomainName from domain.win1rollup.int to what you call your domain. Use -Restart at the end of the Add-Computer command to automatically restart.

Add-Computer -DomainName domain.winrollup.int -Credential domain\administrator -Passthru -Verbose #Join Active Directory Domain and add to Computer container. Requires restart
Restart-Computer

1 2	Add-Computer -DomainName domain.winrollup.int -Credential domain\administrator -Passthru -Verbose #Join Active Directory Domain and add to Computer container. Requires restart Restart-Computer

#A Bit More

#Specify a preconfigured Organizational Unit path when joining domain

#My domain is simple and this is not needed for me at this time. I don’t have multiple Organizational Units yet and I don’t need any Group Policies affecting this PC since I’m working with my Windows 10 management PC. I’m able to specify the -OUPath shown below, once I complete the step below to create an OU called ServerAdmins. This command adds the computer to OU=ServerAdmins.

#You are not able to specify another container besides the default Computers container, but there is a way to change the default container if you don’t specify an OU. I definitely don’t want my computers added to the default OU which is OU=Domain Controllers, so I don’t use this command switch unless I have created a new OU first. It has been suggested to create the OU and computer object prior to joining the domain, but I don’t need to do that at this point.

#The command below is used to specify an Organizational Unit when joining a domain, if needed.

Add-Computer -DomainName 'domain.winrollup.int' -OUPath 'OU=Producers,DC=domain,DC=winrollup,DC=int' -Credential 'DOMAIN\administrator' -Passthru -Verbose
Restart-Computer

1 2	Add-Computer -DomainName 'domain.winrollup.int' -OUPath 'OU=Producers,DC=domain,DC=winrollup,DC=int' -Credential 'DOMAIN\administrator' -Passthru -Verbose Restart-Computer

#Create a new Organizational Unit on the server (Needs to be run on Windows Server 2019 with the Active Directory role installed and configured)

#If you preconfigure an alternative Organizational Unit on Windows Server 2019 then you can add your computers directly to that OU by specifying a -OUPath when running Add-Computer.

New-ADOrganizationalUnit -Name ServerAdmins -Description 'Administrator Rights' -DisplayName Producers -PassThru -Verbose

1	New-ADOrganizationalUnit -Name ServerAdmins -Description 'Administrator Rights' -DisplayName Producers -PassThru -Verbose

#Installing Ubuntu 24.04.x on WSL on Windows 11

#Reboot

Update WSL:

#Other wsl.exe options include:

#Installing WSL with a Custom Tarball

#This is the version that is current for me now but there are updates so keep reading.

#Set WSL distribution’s virtual disk is set to be sparse:

#This will allow the virtual disk to automatically shrink when files are removed from the distribution

#Another way to manually set a WSL installation to sparse

#To use the wsldl.exe launcher with your imported WSL distribution and enable it to utilize the .wslconfig file, follow these steps:

#Steps to Configure wsldl.exe

#Change the default user for a distribution using wsldl.exe

#Update and configure Ubuntu 24.04.x LTS on Windows 11 WSL

#Run update for the first time to initialize apt

#Install the necessary packages that allow apt to use packages over HTTPS:

#Add a new primary user

#Enable bridged networking instead of NAT

#Nexts steps to enable bridged networking and to disable IPv6 in WSL2

#These settings tell WSL2 to disable IPv6 at the kernel level and to use the virtual switch called WSL. If you want IPv6 spport then simply omit that line from your .wslconfig

#If you are using NAT rather than bridged networking

#You do not need to do this if you are using bridged mode and DHCP is automatically obtained from your primary DHCP server.

#Set permanent DNS to an external DNS provider for NAT

#Install oh.my.zsh

#Create Mount Points in WSL

#Part 2 is on it’s way. (Next Steps to configuring Ubuntu 24.04.x LTS in Windows 11 WSL)

#Delete Opera Splash Screen and Other Opera Annoyware

#Longer Story

#Use PowerShell to Convert All Files in a Folder to Lowercase Instead of Uppercase

#Just the code

#Longer Story

#ExFAT Limitation

#PowerRename and ExFAT

#NTFS Compatibility

#Install Microsoft OpenSSH.Server package from PowerShell and set SSHD service to Automatic

#Just the code:

#The long story…

#Add OpenSSH Server capability to Windows 10 and Windows Server 2019

#Set the SSHD service to Automatic

#Start the SSHD service

#Use this command to verify that OpenSSH Client is installed

#Verify the incoming Windows Firewall rules for OpenSSH Server were properly created

#Use PowerShell to create an SSH tunnel for a Remote Desktop Connection (RDP) to another computer with OpenSSH-Server installed

#Just the code:

#The Long Story…

#Install SSH Server on Windows 10 or Windows 2019

#Use PowerShell to open SSH in a cmd.exe window that will control the SSH tunnel.

#Login to SSH tunnel

#Leave this window open. Minimize if you need to but it needs to stay running for the tunnel traffic to use.

#Go back to the PowerShell window and press Enter to launch mstsc.exe and make a Remote Desktop Connection using the new SSH tunnel.

#Launch mstsc.exe with the new loopback IP and made up port number

#I used code and knowledge from the page linked below to create this but the code I use is modified to combine techniques and concepts shown there when using PowerShell.

#Setup a New Microsoft Windows Server 2019 Core Installation to Accept Incoming PowerShell Remoting connections in a Workgroup

#This is the first steps after a fresh clean install of Microsoft Windows Server 2019 Core to allow PowerShell Remoting and WSMan.

#Press Ctrl-Alt-Delete to begin configuring Microsoft Windows Server 2019 Core

#Press Enter to select OK to change password

#Set password for .\administrator

#This is cmd.exe start screen for Microsoft Windows Server 2019 Core. Type sconfig to bring up the cheater menu.

#Type powershell and press enter to start a PowerShell session directly in Microsoft Windows Server 2019 Core cmd.exe prompt.

#Type Enable-PSRemoting -Force to enable PowerShell Remoting. You can use -SkipNetworkProfileCheck to allow management requests on a network Microsoft Windows has categorized as Public such as Hotspots and new unrecognized networks.

#This will show you what computers you “trust” to connect remotely via PowerShell Remote, no remote hosts are allowed by default.

#This creates a list of computers you “trust” so that you wish to make outgoing PowerShell Remote connections. It doesn’t need a value if you don’t plan to connect to other computers from this new server and/or just use a management PC.

#The code below will add entries to the TrustedHosts rather than overwrite them:

#You can use either the server IP address or computer name if you need to perform this step. I choose to use both so I avoid any issues when connecting. You need to type y and press Enter to confirm. A value of ‘*’ allows the server to connect to any remote host.

#Now you can use Enter-PSSession to connect to your Microsoft Windows Sever 2019 Core install to configure it using PowerShell or RSAT tools.

#Installing and configuring PowerShell 7.2.1 on 64-bit Server 2019 and Windows 10

From Microsoft:

#Is PowerShell ISE going away?

Get more information about the latest version of Microsoft PowerShell 7.2 LTS from the link below:

#Open firewall to allow PowerShell access to and from other computers on your network:

#Install AD-Domain-Services And Configure A New Domain On Windows Server 2016

#Just the code:

#The Longer Story…

#Install AD-Domain-Services feature in Windows Server 2016 using PowerShell Direct

#Import the ADDSDeployment module that contains Install-ADDSForest

#Create domain and forest

#Full Output of Install-ADDSForest:

#Restart the server.

#Reconnect to PowerShell Direct using the DOMAIN\administrator account after reboot from Install-ADDSForest is complete.

#Manage Active Directory Users And Computers Using Windows 10 in PowerShell Direct Without CredSSP Or “Second-Hop” Issues

#The Longer Story…

#To use the `wsldl.exe` launcher with your imported WSL distribution and enable it to utilize the `.wslconfig` file, follow these steps:

#Steps to Configure `wsldl.exe`

#Reconnect to PowerShell Direct using the `DOMAIN\administrator` account after reboot from `Install-ADDSForest` is complete.

#Set `–ProtectedFromAccidentalDeletion` to `$false` on `OU=Test` so it can be deleted

#Delete `OU=Test` from `-Server KERMIT`.

#These are the commands to rename a Windows 10 client computer to `GONZO` and add that computer to a domain called `domain.winrollup.int`

#Join a domain called `domain.winrollup.int`. Restart required.