
I'm looking for a way to push out commands to all workstations. The scenario is as follows:

I often go to environments that I am not familiar with to audit the network. Part of that is a network scan, but to use our specific tools we need to configure a couple of things on every workstation (enable WMI access, enable file and printer sharing, etc.). We have a batch file we can run on every computer, but this solution does not scale well, as you can imagine. I've included the commands we run below.

Ideally, there would be a way to push out the batch file to run one time on all computers connected to the domain. Alternatively, we could create a new batch file that creates a GPO that does the same things, but this is something that I have not done before.

Any help is really appreciated!

rem Allow the device to be pingable through Windows Firewall
netsh firewall set icmpsetting type=ALL mode=enable
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
netsh advfirewall firewall add rule name="ICMP Allow incoming V6 echo request" protocol=icmpv6:8,any dir=in action=allow

rem Turn on File and Printer Sharing
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

rem Allow WMI access through Windows Firewall
netsh firewall set service type=remoteadmin mode=enable
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

rem Add user account
net user [REDACTED] /add
net localgroup Administrators [REDACTED] /add

Rem Set WMI Permissions
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

ECHO End of script
PAUSE

2 Answers


Firewall settings and local users and groups can be directly controlled by GPOs; you don't need to run a batch file in order to set them.

Relevant settings:

[Two screenshots; images not preserved]

Massimo
  • Hi and thank you for your reply. I am aware of setting GPOs to do this, but for what we are after this is not an adequate method. What we really want is to push out the commands included to all domain computers one command a single time. Even if someone could provide a script to create those GPOs that might be better. – Juan BrickTech Mar 24 '21 at 17:28
  • Please note that if Windows Firewall is blocking communications, you won't be able to use *any* tool to reach domain computers; in this case, you *will* need a GPO to configure Windows Firewall and allow you remote access. – Massimo Mar 26 '21 at 18:03
  • You will need to use a GPO to enable some traffic in Windows Firewall anyway; you might as well do all your Windows Firewall configuration from there. – Massimo Mar 26 '21 at 18:33

Additional answer to address your comment.

GPOs don't provide any way to execute something immediately; the next best thing is a startup script, but that would only be executed at the next reboot of the machines.

If you really need to immediately execute a command on all domain computers, you can use PowerShell Remoting to run your command against all computer objects returned from an Active Directory query, like this:

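# Get-ADComputer comes from the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

$Computers = Get-ADComputer -Filter {Enabled -eq $True} -SearchBase "OU=myou,DC=domain,DC=tld"

foreach ($Computer in $Computers) {

    # Use the loop variable; $_ is not set inside a foreach statement
    Invoke-Command -ComputerName $Computer.Name -ScriptBlock {

        # Your script here
    }
}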

Of course, you can add additional filters to your LDAP search and/or change the search base; it would also be wise to test if the computers are actually running and reachable, otherwise you will have to wait for Invoke-Command to time out on each unreachable computer.

Massimo
  • Hi and thank you for taking the time to reply. I'm not super familiar with PowerShell, so excuse any questions that seem elementary. Is there a way to enable PS remoting remotely? Would I know if the script failed on any computer? Does it run simultaneously on domain computers or one at a time? Thank you in advance! – Juan BrickTech Mar 26 '21 at 15:52
  • The script as shown is a simple foreach loop, it gets a list of computers from AD and then runs the command against each of them; please note that PowerShell runs *on your computer*, only the script block is executed on the remote computer; all of the output will be shown on your console. – Massimo Mar 26 '21 at 17:52
  • This example is sequential; there are ways to do this in parallel, but they are a lot more complex. – Massimo Mar 26 '21 at 17:53
  • PowerShell Remoting is based on WinRM, which is normally enabled by default on server systems but not on client ones; it can be enabled by Group Policy, there are lots of tutorials around. – Massimo Mar 26 '21 at 18:19
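
The reachability pre-check and per-host failure reporting raised in the second answer and its comments, as an added example that is not part of the original thread. It goes beyond the answer's loop by passing the whole list to Invoke-Command; the OU path is the answer's placeholder, and the helper name Test-WinRMPort and the 1-second timeout are assumptions.

```powershell
# Added example: OU path is the answer's placeholder; helper name is hypothetical.
Import-Module ActiveDirectory

function Test-WinRMPort {
    # TCP connect to the default WinRM HTTP port with a short timeout.
    param([string]$ComputerName, [int]$Port = 5985, [int]$TimeoutMs = 1000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false          # refused, name not resolved, etc.
    } finally {
        $client.Close()
    }
}

$Names = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase "OU=myou,DC=domain,DC=tld" |
    Select-Object -ExpandProperty Name)

# Split the list so Invoke-Command never waits on a host that cannot answer.
$Reachable   = @($Names | Where-Object { Test-WinRMPort -ComputerName $_ })
$Unreachable = @($Names | Where-Object { $Reachable -notcontains $_ })

$Results = @(); $RemoteErrors = @()
if ($Reachable.Count -gt 0) {
    # Given a list of names, Invoke-Command connects to several hosts at once,
    # up to -ThrottleLimit. Errors are collected instead of stopping the run.
    $Results = @(Invoke-Command -ComputerName $Reachable -ThrottleLimit 32 `
        -ErrorAction SilentlyContinue -ErrorVariable RemoteErrors -ScriptBlock {
            # Your script here. Return an object so each host reports back.
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Ran = $true }
        })
}

# Hosts that accepted the TCP connection but returned nothing count as failed.
$Succeeded = @($Results | Select-Object -ExpandProperty PSComputerName -Unique)
$Failed    = @($Reachable | Where-Object { $Succeeded -notcontains $_ })

"Succeeded: $($Succeeded.Count)"
"Skipped, port 5985 closed: $($Unreachable.Count)"; $Unreachable
"Port open but command failed: $($Failed.Count)"; $Failed
$RemoteErrors | ForEach-Object { "ERROR: $_" }
```

Keeping the skipped and failed lists gives an audit record of which workstations did not receive the change, so they can be retried or handled by Group Policy.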