diff --git a/admin-t1-restricted/README.md b/admin-t1-restricted/README.md
index 06e4a60..98b2dd2 100644
--- a/admin-t1-restricted/README.md
+++ b/admin-t1-restricted/README.md
@@ -35,11 +35,11 @@ Lab
 -
 
 This lab contains:
-* A Win2016 domain "windomain.local" with:
+* A Win2019 domain "windomain.local" with:
 * User `Pik Achu `, Tier 1 Administrator, password `Bonjour1!`
 * Domain Administrator, password `vagrant`
-* A Win2016 DC
-* A Win2016 server `SRV`, considered in the Tier-1, with *RestrictedAdmin* enabled
+* A Win2019 DC
+* A Win2019 server `SRV`, considered in the Tier-1, with *RestrictedAdmin* enabled
 * A Win10 client `Client`, considered as the administration station for Tier-1
 
 Setup
@@ -118,7 +118,8 @@ SID : S-1-5-21-1901789854-418502547-2738234678-1105
 Now, let's sign-out and enable the AuthenticationPolicy:
 
 ```
-$ vagrant powershell -c "c:\\vagrant\\enable-authpolicy.ps1" dc
+$ vagrant upload enable-authpolicy.ps1 c:\\ dc
+$ vagrant powershell -c "c:\\enable-authpolicy.ps1" dc
 ```
 
 This script adds a new AuthenticationPolicy, for the account `pikachu`, allowing him to only authenticate from `Client`.
diff --git a/admin-t1-restricted/Vagrantfile b/admin-t1-restricted/Vagrantfile
index 834ea50..fa185fb 100644
--- a/admin-t1-restricted/Vagrantfile
+++ b/admin-t1-restricted/Vagrantfile
@@ -1,201 +1,37 @@
+##################################################################
+# Load base lab
+
+load File.expand_path('../../base/Vagrantfile', __FILE__)
+
+# Overwrite base variables
+
 CONFIG = {
-  :dc => {:memory => 3072, :cpus => 2, :name => "dc",},
-  :srv => {:memory => 2048, :cpus => 2, :name => "srv"},
-  :client => {:memory => 2048, :cpus => 1, :name => "client"}
+  :dns => "8.8.8.8",
+  :dc => {:memory => 3072, :cpus => 2, :name => "dc", :domain => "windomain.local", :ip => "192.168.38.102" },
+  :srv => {:memory => 2048, :cpus => 2, :name => "srv", :domain => "windomain.local", :ip => "192.168.38.103"},
+  :client => {:memory => 2048, :cpus => 1, :name => "client", :domain => "windomain.local", :ip => "192.168.38.100"},
 }
+##################################################################
 
-Vagrant.configure("2") do |config|
-  unless Vagrant.has_plugin?("vagrant-reload")
-    raise 'vagrant-reload plugin is not installed!'
-  end
+BASE_SCRIPTS = "../base/scripts"
+SYNC_FOLDER="./resources/"
 
-  config.vm.define "dc" do |cfg|
-    cfg.vm.box = "peru/windows-server-2016-standard-x64-eval"
-    cfg.vm.hostname = CONFIG[:dc][:name]
-    cfg.vm.boot_timeout = 600
-    cfg.winrm.transport = :plaintext
-    cfg.vm.communicator = "winrm"
-    cfg.winrm.basic_auth_only = true
-
-    cfg.winrm.timeout = 300
-    cfg.winrm.retry_limit = 20
-    cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1", dns: "8.8.8.8"
-
-    # Added DNS here because libvirt fails to properly configure the windows client otherwise... :(
-    cfg.vm.provision "shell", path: "resources/scripts/fix-second-network.ps1", preserve_order: true, privileged: true, args: "-ip 192.168.38.102 -dns 8.8.8.8 -gateway 192.168.38.1"
+Vagrant.configure("2") do |config|
 
-    cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
-    cfg.vm.provision "reload"
-    cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
-    cfg.vm.provision "shell", path: "resources/scripts/configure-ou.ps1", preserve_order: true, privileged: false
+  config.vm.define "dc" do |cfg|
     cfg.vm.provision "shell", path: "resources/scripts/configure-claims-gpo.ps1", preserve_order: true, privileged: false
-    cfg.vm.provision "shell", path: "resources/scripts/configure-disable-windows-defender-gpo.ps1", preserve_order: true, privileged: false
-    cfg.vm.provision "shell", path: "resources/scripts/add_user.ps1", preserve_order: true, privileged: false
+    cfg.vm.provision "shell", path: "resources/scripts/configure-disable-windows-defender-gpo.ps1",
+      :args => "-Domain #{CONFIG[:dc][:domain]}", preserve_order: true, privileged: false
+    cfg.vm.provision "shell", path: "resources/scripts/add_user.ps1", :args => "-Domain #{CONFIG[:dc][:domain]}", preserve_order: true, privileged: false
     cfg.vm.provision "reload"
 
-    cfg.vm.provider "libvirt" do |libvirt, override|
-      libvirt.cpus = CONFIG[:dc][:cpus]
-      libvirt.memory = CONFIG[:dc][:memory]
-      # Relax constraints on timers
-      libvirt.hyperv_feature :name => 'relaxed', :state => 'on'
-      # Enable virtual APIC
-      libvirt.hyperv_feature :name => 'vapic', :state => 'on'
-
-      # sync_folder is not by default on all providers
-      # Furthermore, it could not be the default provider :
-      # https://github.com/Cimpress-MCP/vagrant-winrm-syncedfolders/issues/11
-
-      # We'll need vagrant-winrm-syncedfolders plugin
-
-      override.vm.synced_folder 'resources/', '/vagrant', type: 'winrm'
-    end
-
-
-    cfg.vm.provider "vmware_desktop" do |v, override|
-      override.vm.box = "detectionlab/win2016"
-      v.vmx["displayname"] = CONFIG[:dc][:name]
-      v.memory = CONFIG[:dc][:memory]
-      v.cpus = CONFIG[:dc][:cpus]
-      v.gui = true
-      v.enable_vmrun_ip_lookup = false
-    end
-
-    cfg.vm.provider "virtualbox" do |vb, override|
-      vb.gui = true
-      vb.name = CONFIG[:dc][:name]
-      vb.default_nic_type = "82545EM"
-      vb.customize ["modifyvm", :id, "--memory", CONFIG[:dc][:memory] ]
-      vb.customize ["modifyvm", :id, "--cpus", CONFIG[:dc][:cpus] ]
-      vb.customize ["modifyvm", :id, "--vram", "32"]
-      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
-      vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
-      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
-
-      override.vm.synced_folder './', '/vagrant', type: 'virtualbox'
-    end
-
   end
 
   config.vm.define "srv" do |cfg|
-    cfg.vm.box = "peru/windows-server-2016-standard-x64-eval"
-    cfg.vm.hostname = CONFIG[:srv][:name]
-    cfg.vm.boot_timeout = 600
-    cfg.vm.communicator = "winrm"
-    cfg.winrm.basic_auth_only = true
-    cfg.winrm.timeout = 300
-    cfg.winrm.retry_limit = 20
-    cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
-
-    cfg.vm.provision "shell", path: "resources/scripts/fix-second-network.ps1", preserve_order: true, privileged: true, args: "-ip 192.168.38.103 -dns 8.8.8.8 -gateway 192.168.38.1"
-
-    cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
-    cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", preserve_order: true, privileged: false
-    cfg.vm.provision "reload"
-    cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
     cfg.vm.provision "shell", path: "resources/scripts/get-mimikatz.ps1", preserve_order: true, privileged: false
     cfg.vm.provision "shell", path: "resources/scripts/local_groups.ps1", preserve_order: true, privileged: false
     cfg.vm.provision "shell", path: "resources/scripts/enable-restricted-admin.ps1", preserve_order: true, privileged: false
-
-    cfg.vm.provider "libvirt" do |libvirt, override|
-      libvirt.cpus = CONFIG[:srv][:cpus]
-      libvirt.memory = CONFIG[:srv][:memory]
-      # Relax constraints on timers
-      libvirt.hyperv_feature :name => 'relaxed', :state => 'on'
-      # Enable virtual APIC
-      libvirt.hyperv_feature :name => 'vapic', :state => 'on'
-
-      # sync_folder is not by default on all providers
-      # Furthermore, WinRM could not be the default provider :
-      # https://github.com/Cimpress-MCP/vagrant-winrm-syncedfolders/issues/11
-
-      # We'll need vagrant-winrm-syncedfolders plugin
-
-      override.vm.synced_folder 'resources/', '/vagrant', type: 'winrm'
-    end
-
-    cfg.vm.provider "vmware_desktop" do |v, override|
-      override.vm.box = "detectionlab/win2016"
-      v.vmx["displayname"] = CONFIG[:srv][:name]
-      v.memory = CONFIG[:srv][:memory]
-      v.cpus = CONFIG[:srv][:cpus]
-      v.gui = true
-      v.enable_vmrun_ip_lookup = false
-    end
-
-    cfg.vm.provider "virtualbox" do |vb, override|
-      vb.gui = true
-      vb.name = CONFIG[:srv][:name]
-      vb.default_nic_type = "82545EM"
-      vb.customize ["modifyvm", :id, "--memory", CONFIG[:srv][:memory]]
-      vb.customize ["modifyvm", :id, "--cpus", CONFIG[:srv][:cpus]]
-      vb.customize ["modifyvm", :id, "--vram", "32"]
-      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
-      vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
-      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
-
-      override.vm.synced_folder './', '/vagrant', type: 'virtualbox'
-    end
-
   end
 
-  config.vm.define "client" do |cfg|
-    cfg.vm.box = "peru/windows-10-enterprise-x64-eval"
-    cfg.vm.hostname = CONFIG[:client][:name]
-    cfg.vm.boot_timeout = 1200
-    cfg.vm.communicator = "winrm"
-    cfg.winrm.basic_auth_only = true
-    cfg.winrm.timeout = 1200
-    cfg.winrm.retry_limit = 20
-    cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
-
-    cfg.vm.provision "shell", path: "resources/scripts/fix-second-network.ps1", preserve_order: true, privileged: true, args: "-ip 192.168.38.104 -dns 8.8.8.8 -gateway 192.168.38.1"
-    cfg.vm.provision "shell", path: "resources/scripts/MakeWindows10GreatAgain.ps1", preserve_order: true, privileged: false
-    cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
-    cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", preserve_order: true, privileged: false
-    cfg.vm.provision "reload"
-    cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
-
-    cfg.vm.provider "libvirt" do |libvirt, override|
-      libvirt.cpus = CONFIG[:client][:cpus]
-      libvirt.memory = CONFIG[:client][:memory]
-      # Relax constraints on timers
-      libvirt.hyperv_feature :name => 'relaxed', :state => 'on'
-      # Enable virtual APIC
-      libvirt.hyperv_feature :name => 'vapic', :state => 'on'
-
-      # sync_folder is not by default on all providers
-      # Furthermore, it could not be the default provider :
-      # https://github.com/Cimpress-MCP/vagrant-winrm-syncedfolders/issues/11
-
-      # We'll need vagrant-winrm-syncedfolders plugin
-
-      override.vm.synced_folder 'resources/', '/vagrant', type: 'winrm'
-    end
-
-    cfg.vm.provider "vmware_desktop" do |v, override|
-      override.vm.box = "detectionlab/win10"
-      v.vmx["displayname"] = CONFIG[:client][:name]
-      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
-      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
-      v.memory = CONFIG[:client][:memory]
-      v.cpus = CONFIG[:client][:cpus]
-      v.gui = true
-      v.enable_vmrun_ip_lookup = false
-    end
-
-    cfg.vm.provider "virtualbox" do |vb, override|
-      vb.gui = true
-      vb.name = CONFIG[:client][:name]
-      vb.default_nic_type = "82545EM"
-      vb.customize ["modifyvm", :id, "--memory", CONFIG[:client][:memory]]
-      vb.customize ["modifyvm", :id, "--cpus", CONFIG[:client][:cpus]]
-      vb.customize ["modifyvm", :id, "--vram", "32"]
-      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
-      vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
-      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
-
-      override.vm.synced_folder './', '/vagrant', type: 'virtualbox'
-    end
-  end
 end
diff --git a/admin-t1-restricted/enable-authpolicy.ps1 b/admin-t1-restricted/enable-authpolicy.ps1
index 3570b8e..5228d3a 100644
--- a/admin-t1-restricted/enable-authpolicy.ps1
+++ b/admin-t1-restricted/enable-authpolicy.ps1
@@ -1,5 +1,4 @@
 $password = ConvertTo-SecureString "vagrant" -AsPlainText -Force
-
 $Cred = New-Object System.Management.Automation.PSCredential ("Administrator", $password)
 
 $computer = Get-ADComputer -Identity client
diff --git a/admin-t1-restricted/resources/scripts/add_user.ps1 b/admin-t1-restricted/resources/scripts/add_user.ps1
index e17b102..839ee41 100644
--- a/admin-t1-restricted/resources/scripts/add_user.ps1
+++ b/admin-t1-restricted/resources/scripts/add_user.ps1
@@ -1,8 +1,12 @@
+Param (
+  [string]$Domain
+)
+
 Import-Module ActiveDirectory
 
 New-ADGroup -Name "Servers Administrators" -SamAccountName ServersAdministrators -GroupCategory Security -GroupScope Global -DisplayName "Servers Administrators" -Path "CN=Users,DC=windomain,DC=local" -Description "Members of this group are administrators of servers"
 
-New-ADUser -Name "pikachu" -GivenName "Pik" -Surname "Achu" -SamAccountName "pikachu" -UserPrincipalName "pikachu@windomain.local" -AccountPassword (ConvertTo-SecureString -AsPlainText "Bonjour1!" -Force) -Enabled $true
+New-ADUser -Name "pikachu" -GivenName "Pik" -Surname "Achu" -SamAccountName "pikachu" -UserPrincipalName "pikachu@$Domain" -AccountPassword (ConvertTo-SecureString -AsPlainText "Bonjour1!" -Force) -Enabled $true
 
 Get-ADGroup -Identity "ServersAdministrators" | Add-ADGroupMember -Members "pikachu"
 Get-ADGroup -Identity "Remote Desktop Users" | Add-ADGroupMember -Members "ServersAdministrators"
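Review bot: `CONFIG`, `BASE_SCRIPTS` and `SYNC_FOLDER` are assigned again right after `load`ing ../../base/Vagrantfile, which has already initialized all three, so every vagrant command will emit three `warning: already initialized constant` lines, and the `CONFIG` hash repeated here is identical to the base one. A quieter contract is to set the overrides before the `load` and have the base hunk at base/Vagrantfile @@ -1,9 +1,19 @@ guard each definition with `CONFIG = {...} unless defined?(CONFIG)` (likewise for the two path constants), at which point the duplicated `CONFIG` here can simply be dropped. The `config.vm.define "dc"` and `"srv"` blocks below appear to rely on Vagrant merging them with the definitions of the same names from the loaded base file; a one-line comment such as `# extends the "dc" VM defined in ../base/Vagrantfile` above each would make that dependency visible. `SYNC_FOLDER="./resources/"` also lacks the spaces around `=` that the line above uses.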
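Review bot: The `New-ADGroup ... -Path "CN=Users,DC=windomain,DC=local"` context line still hardcodes the domain although the hunk introduces `$Domain` and uses it for the UPN on the next line, so a lab run with any other `CONFIG[:dc][:domain]` would likely fail to create the group while the user creation succeeds. Derive the container from the parameter instead, e.g. `$dn = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','` followed by `-Path "CN=Users,$dn"`. `[string]$Domain` has neither a `Mandatory` attribute nor a default, so invoking the script without `-Domain` silently produces the UPN `pikachu@`; `[Parameter(Mandatory=$true)][string]$Domain` would fail fast instead.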
diff --git a/admin-t1-restricted/resources/scripts/configure-disable-windows-defender-gpo.ps1 b/admin-t1-restricted/resources/scripts/configure-disable-windows-defender-gpo.ps1
index 0a4e062..d5b3912 100644
--- a/admin-t1-restricted/resources/scripts/configure-disable-windows-defender-gpo.ps1
+++ b/admin-t1-restricted/resources/scripts/configure-disable-windows-defender-gpo.ps1
@@ -1,8 +1,15 @@
 # Purpose: Install the GPO that disables Windows Defender
+
+Param (
+  [string]$Domain
+)
+
+$dc1,$dc2=$Domain.split('.')
+
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to disable Windows Defender..."
 Import-GPO -BackupGpoName 'Disable Windows Defender' -Path "c:\vagrant\resources\GPO\disable_windows_defender" -TargetName 'Disable Windows Defender' -CreateIfNeeded
-$OU = "ou=Servers,dc=windomain,dc=local"
+$OU = "ou=Servers,dc=$dc1,dc=$dc2"
 $gPLinks = $null
 $gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
 $GPO = Get-GPO -Name 'Disable Windows Defender'
diff --git a/admin-t1-restricted/resources/scripts/configure-ou.ps1 b/admin-t1-restricted/resources/scripts/configure-ou.ps1
deleted file mode 100644
index effbd38..0000000
--- a/admin-t1-restricted/resources/scripts/configure-ou.ps1
+++ /dev/null
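Review bot: `$dc1,$dc2=$Domain.split('.')` only handles a domain with exactly two labels: for `lab.example.local` PowerShell binds `$dc2` to the remaining array and `$OU` would expand to something like `ou=Servers,dc=lab,dc=example local`, and with an empty `$Domain` (the parameter is not mandatory) `$OU` becomes `ou=Servers,dc=,dc=`. Building the suffix generically with `$dn = ($Domain.Split('.') | ForEach-Object { "dc=$_" }) -join ','` and `$OU = "ou=Servers,$dn"` works for any depth and removes the two temporaries. The `Import-GPO -Path "c:\vagrant\resources\GPO\disable_windows_defender"` context line still assumes the whole lab directory is mounted at c:\vagrant; with the admin Vagrantfile in this commit now syncing `./resources/` as `/vagrant`, that path looks like it would point at a directory that no longer exists on the guest, so it is worth confirming on a fresh `vagrant up`.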
@@ -1,33 +0,0 @@
-# Purpose: Sets up the Server and Workstations OUs
-
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Checking AD services status..."
-$svcs = "adws","dns","kdc","netlogon"
-Get-Service -name $svcs -ComputerName localhost | Select Machinename,Name,Status
-
-# Hardcoding DC hostname in hosts file
-Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.102 dc.windomain.local"
-
-# Force DNS resolution of the domain
-ping /n 1 dc.windomain.local
-ping /n 1 windomain.local
-
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server and Workstation OUs..."
-# Create the Servers OU if it doesn't exist
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU"
-try {
-  Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null
-  Write-Host "Servers OU already exists. Moving On."
-}
-catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
-  New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
-}
-
-# Create the Workstations OU if it doesn't exist
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU"
-try {
-  Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null
-  Write-Host "Workstations OU already exists. Moving On."
-}
-catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
-  New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
-}
diff --git a/admin-t1-restricted/resources/scripts/create-domain.ps1 b/admin-t1-restricted/resources/scripts/create-domain.ps1
deleted file mode 100644
index 0cef2c3..0000000
--- a/admin-t1-restricted/resources/scripts/create-domain.ps1
+++ /dev/null
@@ -1,84 +0,0 @@
-# Purpose: Creates the "windomain.local" domain
-# Source: https://github.com/StefanScherer/adfs2
-param ([String] $ip)
-
-$subnet = $ip -replace "\.\d+$", ""
-
-$domain= "windomain.local"
-
-if ((gwmi win32_computersystem).partofdomain -eq $false) {
-
-  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing RSAT tools"
-  Import-Module ServerManager
-  Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
-
-  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating domain controller..."
-  # Disable password complexity policy
-  secedit /export /cfg C:\secpol.cfg
-  (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
-  secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY
-  rm -force C:\secpol.cfg -confirm:$false
-
-  # Set administrator password
-  $computerName = $env:COMPUTERNAME
-  $adminPassword = "vagrant"
-  $adminUser = [ADSI] "WinNT://$computerName/Administrator,User"
-  $adminUser.SetPassword($adminPassword)
-
-  $PlainPassword = "vagrant" # "P@ssw0rd"
-  $SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
-
-  # Windows Server 2016 R2
-  Install-WindowsFeature AD-domain-services
-  Import-Module ADDSDeployment
-  Install-ADDSForest ` -SafeModeAdministratorPassword $SecurePassword ` -CreateDnsDelegation:$false ` -DatabasePath "C:\Windows\NTDS" ` -DomainMode "7" ` -DomainName $domain ` -DomainNetbiosName "WINDOMAIN" ` -ForestMode "7" ` -InstallDns:$true ` -LogPath "C:\Windows\NTDS" ` -NoRebootOnCompletion:$true ` -SysvolPath "C:\Windows\SYSVOL" ` -Force:$true
-
-  $newDNSServers = "127.0.0.1", "8.8.8.8", "4.4.4.4"
-  $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -And ($_.IPAddress).StartsWith($subnet) }
-  if ($adapters) {
-    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting DNS"
-    $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
-  }
-  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC"
-  c:\windows\system32\tzutil.exe /s "UTC"
-
-  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Excluding NAT interface from DNS"
-  $nics=Get-WmiObject "Win32_NetworkAdapterConfiguration where IPEnabled='TRUE'" |? { $_.IPAddress[0] -ilike "172.25.*" }
-  $dnslistenip=$nics.IPAddress
-  $dnslistenip
-  dnscmd /ResetListenAddresses $dnslistenip
-
-  $nics=Get-WmiObject "Win32_NetworkAdapterConfiguration where IPEnabled='TRUE'" |? { $_.IPAddress[0] -ilike "10.*" }
-  foreach($nic in $nics)
-  {
-    $nic.DomainDNSRegistrationEnabled = $false
-    $nic.SetDynamicDNSRegistration($false) |Out-Null
-  }
-
-
-  #Get-DnsServerResourceRecord -ZoneName $domain -type 1 -Name "@" |Select-Object HostName,RecordType -ExpandProperty RecordData |Where-Object {$_.IPv4Address -ilike "10.*"}|Remove-DnsServerResourceRecord
-  $RRs= Get-DnsServerResourceRecord -ZoneName $domain -type 1 -Name "@"
-
-  foreach($RR in $RRs)
-  {
-    if ( (Select-Object -InputObject $RR HostName,RecordType -ExpandProperty RecordData).IPv4Address -ilike "10.*")
-    {
-      Remove-DnsServerResourceRecord -ZoneName $domain -RRType A -Name "@" -RecordData $RR.RecordData.IPv4Address -Confirm
-    }
-
-  }
-  Restart-Service DNS
-
-}
diff --git a/admin-t1-restricted/resources/scripts/fix-second-network.ps1 b/admin-t1-restricted/resources/scripts/fix-second-network.ps1
deleted file mode 100755
index d38f7fe..0000000
--- a/admin-t1-restricted/resources/scripts/fix-second-network.ps1
+++ /dev/null
@@ -1,53 +0,0 @@
-# Source: https://github.com/StefanScherer/adfs2
-param ([String] $ip, [String] $dns, [String] $gateway)
-
-if ( (Get-NetAdapter | Select-Object -First 1 | Select-Object -ExpandProperty InterfaceDescription).Contains('Red Hat VirtIO')) {
-  Write-Host "Setting Network Configuration for LibVirt interface"
-  $subnet = $ip -replace "\.\d+$", ""
-  $name = (Get-NetIPAddress -AddressFamily IPv4 `
-    | Where-Object -FilterScript { ($_.IPAddress).StartsWith("$subnet") } `
-    ).InterfaceAlias
-  if ($name) {
-    Write-Host "Set IP address to $ip of interface $name"
-    & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$gateway"
-    if ($dns) {
-      Write-Host "Set DNS server address to $dns of interface $name"
-      & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1
-    }
-  } else {
-    Write-Error "Could not find a interface with subnet $subnet.xx"
-  }
-
-  exit 0
-}
-
-if (! (Test-Path 'C:\Program Files\VMware\VMware Tools') ) {
-  Write-Host "Nothing to do for other providers than VMware."
-  exit 0
-}
-
-
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date))"
-Write-Host "Setting IP address and DNS information for the Ethernet1 interface"
-Write-Host "If this step times out, it's because vagrant is connecting to the VM on the wrong interface"
-Write-Host "See https://github.com/clong/DetectionLab/issues/114 for more information"
-
-$subnet = $ip -replace "\.\d+$", ""
-$name = (Get-NetIPAddress -AddressFamily IPv4 `
-  | Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } `
-  ).InterfaceAlias
-if (!$name) {
-  $name = (Get-NetIPAddress -AddressFamily IPv4 `
-    | Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } `
-    ).InterfaceAlias
-}
-if ($name) {
-  Write-Host "Set IP address to $ip of interface $name"
-  & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1"
-  if ($dns) {
-    Write-Host "Set DNS server address to $dns of interface $name"
-    & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1
-  }
-} else {
-  Write-Error "Could not find a interface with subnet $subnet.xx"
-}
diff --git a/admin-t1-restricted/resources/scripts/join-domain.ps1 b/admin-t1-restricted/resources/scripts/join-domain.ps1
deleted file mode 100755
index b7dab96..0000000
--- a/admin-t1-restricted/resources/scripts/join-domain.ps1
+++ /dev/null
@@ -1,36 +0,0 @@
-# Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1".
-# Source: https://github.com/StefanScherer/adfs2
-
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Joining the domain..."
-
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the domain..."
-$newDNSServers = "192.168.38.102"
-$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
-$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
-
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..."
-$hostname = $(hostname)
-$user = "windomain.local\vagrant"
-$pass = ConvertTo-SecureString "vagrant" -AsPlainText -Force
-$DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
-
-# Place the computer in the correct OU based on hostname
-If ($hostname -eq "srv") {
-  Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Servers,dc=windomain,dc=local" -PassThru
-} ElseIf ($hostname -eq "win10") {
-  Write-Host "Adding Win10 to the domain. Sometimes this step times out. If that happens, just run 'vagrant reload win10 --provision'" #debug
-  Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local"
-} Else {
-  Add-Computer -DomainName "windomain.local" -credential $DomainCred -PassThru
-}
-
-Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
-Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
-Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
-
-# Stop Windows Update
-Write-Host "Disabling Windows Updates and Windows Module Services"
-Set-Service wuauserv -StartupType Disabled
-Stop-Service wuauserv
-Set-Service TrustedInstaller -StartupType Disabled
-Stop-Service TrustedInstaller
diff --git a/admin-t1-restricted/resources/scripts/provision.ps1 b/admin-t1-restricted/resources/scripts/provision.ps1
deleted file mode 100644
index d6ba17e..0000000
--- a/admin-t1-restricted/resources/scripts/provision.ps1
+++ /dev/null
@@ -1,41 +0,0 @@
-# Purpose: Sets timezone to UTC, sets hostname, creates/joins domain.
-# Source: https://github.com/StefanScherer/adfs2
-
-$box = Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -Name "ComputerName"
-$box = $box.ComputerName.ToString().ToLower()
-
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC..."
-c:\windows\system32\tzutil.exe /s "UTC"
-
-# Ping DetectionLab server for usage statistics
-# curl -userAgent "DetectionLab-$box" "https://detectionlab.network/$box" -UseBasicParsing | out-null
-
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disable IPv6 on all network adaptpers..."
-Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6}
-Get-NetAdapterBinding -ComponentID ms_tcpip6
-# https://support.microsoft.com/en-gb/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users
-reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 255 /f
-
-if ($env:COMPUTERNAME -imatch 'vagrant') {
-
-  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hostname is still the original one, skip provisioning for reboot..."
-
-  Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
-
-} elseif ((gwmi win32_computersystem).partofdomain -eq $false) {
-
-  Write-Host -fore red "$('[{0:HH:mm}]' -f (Get-Date)) Current domain is set to 'workgroup'. Time to join the domain!"
-
-  if ($env:COMPUTERNAME -imatch 'dc') {
-    . c:\vagrant\resources\scripts\create-domain.ps1 192.168.38.102
-  } else {
-    . c:\vagrant\resources\scripts\join-domain.ps1
-  }
-  Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
-
-} else {
-
-  Write-Host -fore green "$('[{0:HH:mm}]' -f (Get-Date)) I am domain joined!"
-
-  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Provisioning after joining domain..."
-}
diff --git a/base/README.md b/base/README.md
index b4b3121..dff6d1a 100644
--- a/base/README.md
+++ b/base/README.md
@@ -2,8 +2,8 @@ Base lab
 =
 
 This lab contains:
-* DC: Windows 2016 server, DC of a domain "windomain.local"
-* SRV: Windows 2016 server, joined to the domain
+* DC: Windows 2019 server, DC of a domain "windomain.local"
+* SRV: Windows 2019 server, joined to the domain
 * Client: Windows 10 client, joined to the domain
 
 This lab does not need an Internet connection (once the box have been retrieved).
diff --git a/base/Vagrantfile b/base/Vagrantfile
index 36ebd20..3463c8b 100644
--- a/base/Vagrantfile
+++ b/base/Vagrantfile
@@ -1,9 +1,19 @@
 
+
+# When base lab is included, variables should be overwritten
+##################################################################
 CONFIG = {
-  :dc => {:memory => 3072, :cpus => 2, :name => "dc",},
-  :srv => {:memory => 2048, :cpus => 2, :name => "srv"},
-  :client => {:memory => 2048, :cpus => 1, :name => "client"}
+  :dns => "8.8.8.8",
+  :dc => {:memory => 3072, :cpus => 2, :name => "dc", :domain => "windomain.local", :ip => "192.168.38.102" },
+  :srv => {:memory => 2048, :cpus => 2, :name => "srv", :domain => "windomain.local", :ip => "192.168.38.103"},
+  :client => {:memory => 2048, :cpus => 1, :name => "client", :domain => "windomain.local", :ip => "192.168.38.100"},
 }
 
+# Directory were base script are located
+BASE_SCRIPTS = "scripts"
+# Sync Directory directory (mainly for GPO)
+SYNC_FOLDER = "scripts"
+##################################################################
+
 Vagrant.configure("2") do |config|
   unless Vagrant.has_plugin?("vagrant-reload")
@@ -11,7 +21,7 @@ Vagrant.configure("2") do |config|
   end
 
   config.vm.define "dc" do |cfg|
-    cfg.vm.box = "peru/windows-server-2016-standard-x64-eval"
+    cfg.vm.box = "peru/windows-server-2019-standard-x64-eval"
     cfg.vm.hostname = CONFIG[:dc][:name]
     cfg.vm.boot_timeout = 600
     cfg.winrm.transport = :plaintext
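Review bot: The two new comments carry typos that every lab loading this file will inherit: `# Directory were base script are located` should read `# Directory where the base scripts are located`, and `# Sync Directory directory (mainly for GPO)` should read `# Directory synced to /vagrant on the guests (mainly for GPO backups)`. `:client` is given `:ip => "192.168.38.100"` while the client network line removed further down in this file used 192.168.38.104; if the address change is intentional it deserves a mention in the commit message, since any README or script still naming .104 would point at nothing. The header comment could also state the override contract precisely, e.g. `# A lab that loads this file assigns CONFIG, BASE_SCRIPTS and SYNC_FOLDER again after the load`, because as written the reader has to find the including Vagrantfile to learn that.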
@@ -20,16 +30,20 @@ Vagrant.configure("2") do |config|
 
     cfg.winrm.timeout = 300
     cfg.winrm.retry_limit = 20
-    cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1", dns: "8.8.8.8"
-
-    # Added DNS here because libvirt fails to properly configure the windows client otherwise... :(
-    cfg.vm.provision "shell", path: "resources/scripts/fix-second-network.ps1", preserve_order: true, privileged: true, args: "-ip 192.168.38.102 -dns 8.8.8.8 -gateway 192.168.38.1"
-
-    cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
+    cfg.vm.network :private_network,
+      ip: CONFIG[:dc][:ip],
+      dns: CONFIG[:dns]
+
+    cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/fix-network.ps1", :args => "-Ip #{CONFIG[:dc][:ip]}", preserve_order: true, privileged: false
+    cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/install-rsat.ps1", preserve_order: true, privileged: false
+    cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/create-forest.ps1",
+      :args => "-Ip #{CONFIG[:dc][:ip]} -Name #{CONFIG[:dc][:domain]}",
+      preserve_order: true, privileged: false
+    cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/update-dns.ps1", :args => "-Ip #{CONFIG[:dc][:ip]}", preserve_order: true, privileged: false
     cfg.vm.provision "reload"
-    cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
-    cfg.vm.provision "shell", path: "resources/scripts/configure-ou.ps1", preserve_order: true, privileged: false
-    cfg.vm.provision "shell", path: "resources/scripts/configure-rdp-user-gpo.ps1", privileged: false
+    cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/configure-ou.ps1",
+      :args => "-Ip #{CONFIG[:dc][:ip]} -DcName #{CONFIG[:dc][:name]} -Domain #{CONFIG[:dc][:domain]} ",
+      preserve_order: true, privileged: false
 
     cfg.vm.provider "libvirt" do |libvirt, override|
       libvirt.cpus = CONFIG[:dc][:cpus]
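Review bot: The adapter fix-up moves from `fix-second-network.ps1` run with `privileged: true` to `fix-network.ps1` run with `privileged: false` (the srv and client hunks below do the same); if the new script still reconfigures the interface with netsh as the old one did, it may need the elevated run, so please confirm it was tested unelevated or restore `privileged: true`. The `configure-ou.ps1` args string ends with a stray space before the closing quote, `-Domain #{CONFIG[:dc][:domain]} "`, harmless now but easy to trip over if a later script splits on whitespace. Provisioner lines mix `:args =>` hash rockets with `preserve_order: true` keyword style on the same line; `args: "...", preserve_order: true` would keep them uniform. The enclosing `config.vm.define "dc"` block begins before this hunk.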
@@ -45,7 +59,7 @@ Vagrant.configure("2") do |config|
 
       # We'll need vagrant-winrm-syncedfolders plugin
 
-      override.vm.synced_folder 'resources/', '/vagrant', type: 'winrm'
+      override.vm.synced_folder "#{SYNC_FOLDER}/", '/vagrant', type: 'winrm'
     end
 
     cfg.vm.provider "vmware_desktop" do |v, override|
@@ -68,27 +82,29 @@ Vagrant.configure("2") do |config|
       vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
       vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
 
-      override.vm.synced_folder './', '/vagrant', type: 'virtualbox'
+      override.vm.synced_folder "#{SYNC_FOLDER}", '/vagrant', type: 'virtualbox'
     end
 
   end
 
   config.vm.define "srv" do |cfg|
-    cfg.vm.box = "peru/windows-server-2016-standard-x64-eval"
+    cfg.vm.box = "peru/windows-server-2019-standard-x64-eval"
     cfg.vm.hostname = CONFIG[:srv][:name]
     cfg.vm.boot_timeout = 600
     cfg.vm.communicator = "winrm"
     cfg.winrm.basic_auth_only = true
     cfg.winrm.timeout = 300
     cfg.winrm.retry_limit = 20
-    cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
-
-    cfg.vm.provision "shell", path: "resources/scripts/fix-second-network.ps1", preserve_order: true, privileged: true, args: "-ip 192.168.38.103 -dns 8.8.8.8 -gateway 192.168.38.1"
-
-    cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
-    cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", preserve_order: true, privileged: false
+    cfg.vm.network :private_network,
+      ip: CONFIG[:srv][:ip],
+      dns: CONFIG[:dns]
+
+    cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/fix-network.ps1", :args => "-Ip #{CONFIG[:srv][:ip]}", preserve_order: true, privileged: false
+    cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/join-domain.ps1",
+      :args => "-Domain #{CONFIG[:srv][:domain]} -Dns #{CONFIG[:dc][:ip]}",
+      preserve_order: true, privileged: false
+    cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/configure-rdp-smb.ps1", privileged: false
     cfg.vm.provision "reload"
-    cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
 
     cfg.vm.provider "libvirt" do |libvirt, override|
       libvirt.cpus = CONFIG[:srv][:cpus]
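Review bot: `configure-rdp-smb.ps1` is the only provisioner in the srv block without `preserve_order: true`; since this file is written to be loaded by other labs that append their own provisioners to the same VM, its position relative to `join-domain.ps1` and the `reload` may not be what the source order suggests, so add `preserve_order: true` as on the neighbouring lines. The dc block's virtualbox synced_folder at the top of this hunk uses `"#{SYNC_FOLDER}"` while every other provider line in the file uses `"#{SYNC_FOLDER}/"`; harmless, but one form is easier to grep. The `slmgr.vbs -rearm` inline provisioner is removed without a visible replacement; if the evaluation-license rearm now lives in one of the new `#{BASE_SCRIPTS}` files, a comment naming it would help, otherwise the eval boxes lose that step. The `config.vm.define "srv"` block continues past the end of this hunk.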
@@ -104,7 +120,7 @@ Vagrant.configure("2") do |config|
 
       # We'll need vagrant-winrm-syncedfolders plugin
 
-      override.vm.synced_folder 'resources/', '/vagrant', type: 'winrm'
+      override.vm.synced_folder "#{SYNC_FOLDER}/", '/vagrant', type: 'winrm'
     end
 
     cfg.vm.provider "vmware_desktop" do |v, override|
@@ -127,7 +143,7 @@ Vagrant.configure("2") do |config|
       vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
       vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
 
-      override.vm.synced_folder './', '/vagrant', type: 'virtualbox'
+      override.vm.synced_folder "#{SYNC_FOLDER}/", '/vagrant', type: 'virtualbox'
     end
 
   end
@@ -135,19 +151,16 @@ Vagrant.configure("2") do |config|
 config.vm.define "client" do |cfg|
 cfg.vm.box = "peru/windows-10-enterprise-x64-eval"
 cfg.vm.hostname = CONFIG[:client][:name]
- cfg.vm.boot_timeout = 1200
- cfg.vm.communicator = "winrm"
- cfg.winrm.basic_auth_only = true
- cfg.winrm.timeout = 1200
- cfg.winrm.retry_limit = 20
- cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
-
- cfg.vm.provision "shell", path: "resources/scripts/fix-second-network.ps1", preserve_order: true, privileged: true, args: "-ip 192.168.38.104 -dns 8.8.8.8 -gateway 192.168.38.1"
- cfg.vm.provision "shell", path: "resources/scripts/MakeWindows10GreatAgain.ps1", preserve_order: true, privileged: false
- cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
- cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", preserve_order: true, privileged: false
+ cfg.vm.network :private_network,
+ ip: CONFIG[:client][:ip],
+ dns: CONFIG[:dns]
+
+ cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/MakeWindows10GreatAgain.ps1", preserve_order: true, privileged: false
+ cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/fix-network.ps1", :args => "-Ip #{CONFIG[:client][:ip]}", preserve_order: true, privileged: false
+ cfg.vm.provision "shell", path: "#{BASE_SCRIPTS}/join-domain.ps1",
+ :args => "-Domain #{CONFIG[:client][:domain]} -Dns #{CONFIG[:dc][:ip]}",
+ preserve_order: true, privileged: false
 cfg.vm.provision "reload"
- cfg.vm.provision "shell", path: "resources/scripts/provision.ps1", preserve_order: true, privileged: false
 cfg.vm.provider "libvirt" do |libvirt, override|
 libvirt.cpus = CONFIG[:client][:cpus]
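Review bot: The removed `cfg.vm.communicator = "winrm"`, `cfg.winrm.*` and `cfg.vm.boot_timeout` settings for `client` have no replacement in this hunk, while the `srv` definition in the previous hunk keeps its own copies; presumably they now come from the base Vagrantfile this file loads, but if that file does not set them for every machine the client silently falls back to Vagrant's default SSH communicator and the Windows box never provisions. Either drop the duplicates from `srv` as well or restore them here, so both machines are configured the same way and a reader does not have to guess which file owns the communicator. A one-line comment above the `client` block naming where the WinRM settings now live would make the intent explicit either way.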
@@ -163,7 +176,7 @@ Vagrant.configure("2") do |config|
 # We'll need vagrant-winrm-syncedfolders plugin
- override.vm.synced_folder 'resources/', '/vagrant', type: 'winrm'
+ override.vm.synced_folder "#{SYNC_FOLDER}/", '/vagrant', type: 'winrm'
 end
 cfg.vm.provider "vmware_desktop" do |v, override|
@@ -188,7 +201,7 @@ Vagrant.configure("2") do |config|
 vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
 vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
- override.vm.synced_folder './', '/vagrant', type: 'virtualbox'
+ override.vm.synced_folder "#{SYNC_FOLDER}/", '/vagrant', type: 'virtualbox'
 end
 end
 end
diff --git a/base/resources/GPO/rdp_users/manifest.xml b/base/resources/GPO/rdp_users/manifest.xml
deleted file mode 100644
index fd766e0..0000000
--- a/base/resources/GPO/rdp_users/manifest.xml
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml b/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml
deleted file mode 100644
index ab953e5..0000000
--- a/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml
+++ /dev/null
@@ -1,20 +0,0 @@ - - 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf b/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf deleted file mode 100644 index ef38d8a..0000000 Binary files a/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf and /dev/null differ diff --git a/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml b/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml deleted file mode 100644 index 88e7503..0000000 --- a/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml +++ /dev/null @@ -1 +0,0 @@ - 
diff --git a/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/gpreport.xml b/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/gpreport.xml
deleted file mode 100644
index 58ca288..0000000
Binary files a/base/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/gpreport.xml and /dev/null differ
diff --git a/base/resources/scripts/MakeWindows10GreatAgain.ps1 b/base/resources/scripts/MakeWindows10GreatAgain.ps1
deleted file mode 100644
index 06c9ea3..0000000
--- a/base/resources/scripts/MakeWindows10GreatAgain.ps1
+++ /dev/null
@@ -1,30 +0,0 @@ -# Import the registry keys -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Making Windows 10 Great again" -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing registry keys..." -regedit /s a:\MakeWindows10GreatAgain.reg - -# Remove OneDrive from the System -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing OneDrive..." -$onedrive = Get-Process onedrive -ErrorAction SilentlyContinue -if ($onedrive) { - taskkill /f /im OneDrive.exe -} -c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall - -# Fix in 1903 -#Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing Microsoft Store and Edge shortcuts from the taskbar..." -#$appname = "Microsoft Edge" -#((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true} -#$appname = "Microsoft Store" -#((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true} -#$appname = "Mail" -#((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true} - -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling automatic screen turnoff in order to prevent screen locking..." -powercfg -change -monitor-timeout-ac 0 -powercfg -change -standby-timeout-ac 0 -powercfg -change -hibernate-timeout-ac 0 - -# Remove the Edge shortcut from the Desktop -$lnkPath = "c:\Users\vagrant\Desktop\Microsoft Edge.lnk" -if (Test-Path $lnkPath) { Remove-Item $lnkPath } diff --git a/base/resources/scripts/MakeWindows10GreatAgain.reg b/base/resources/scripts/MakeWindows10GreatAgain.reg deleted file mode 100644 index e8ed2d4..0000000 
--- a/base/resources/scripts/MakeWindows10GreatAgain.reg
+++ /dev/null
@@ -1,49 +0,0 @@ -Windows Registry Editor Version 5.00 - -# Disable Cortana (Windows search still remains) -[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search] -"AllowCortana"=dword:00000000 - -# Disable Notification Center -[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer] -"DisableNotificationCenter"=dword:00000001 - -# Don't reboot when users are logged in for Windows updates -[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] -"NoAutoRebootWithLoggedOnUsers"=dword:00000001 - -# Disable Microsoft.com accounts -[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] -"NoConnectedUser"=dword:00000003 - -# Show all file extensions -[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] -"HideFileExt"=dword:00000000 - -# Set explorer to open to "This PC" for new windows -[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced] -"LaunchTo"=dword:00000001 - -# Show hidden files (not including OS files) -[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced] -"Hidden"=dword:00000001 - -# Show "This PC" on Desktop -# Created by: Shawn Brink -# http://www.tenforums.com -[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel] -"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000 - -[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel] -"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000 - -[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu] -"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000 - -# Enable Developer Mode (prerequisite for Linux subsystem) -[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock] -"AllowDevelopmentWithoutDevLicense"=dword:00000001 - -# Disable Microsoft People icon from taskbar 
-[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People] -"PeopleBand"=dword:00000000 diff --git a/base/resources/scripts/configure-rdp-user-gpo.ps1 b/base/resources/scripts/configure-rdp-user-gpo.ps1 deleted file mode 100644 index bb28168..0000000 --- a/base/resources/scripts/configure-rdp-user-gpo.ps1 +++ /dev/null @@ -1,29 +0,0 @@ -# Purpose: Install the GPO that allows windomain\vagrant to RDP -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to allow windomain/vagrant to RDP..." -Import-GPO -BackupGpoName 'Allow Domain Users RDP' -Path "c:\vagrant\resources\GPO\rdp_users" -TargetName 'Allow Domain Users RDP' -CreateIfNeeded - -$OU = "ou=Workstations,dc=windomain,dc=local" -$gPLinks = $null -$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions -$GPO = Get-GPO -Name 'Allow Domain Users RDP' -If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) -{ - New-GPLink -Name 'Allow Domain Users RDP' -Target $OU -Enforced yes -} -else -{ - Write-Host "Allow Domain Users RDP GPO was already linked at $OU. Moving On." -} -$OU = "ou=Servers,dc=windomain,dc=local" -$gPLinks = $null -$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions -$GPO = Get-GPO -Name 'Allow Domain Users RDP' -If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) -{ - New-GPLink -Name 'Allow Domain Users RDP' -Target $OU -Enforced yes -} -else -{ - Write-Host "Allow Domain Users RDP GPO was already linked at $OU. Moving On." -} -gpupdate /force diff --git a/base/resources/scripts/create-domain.ps1 b/base/resources/scripts/create-domain.ps1 deleted file mode 100644 index 0cef2c3..0000000 --- a/base/resources/scripts/create-domain.ps1 +++ /dev/null 
@@ -1,84 +0,0 @@ -# Purpose: Creates the "windomain.local" domain -# Source: https://github.com/StefanScherer/adfs2 -param ([String] $ip) - -$subnet = $ip -replace "\.\d+$", "" - -$domain= "windomain.local" - -if ((gwmi win32_computersystem).partofdomain -eq $false) { - - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing RSAT tools" - Import-Module ServerManager - Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter - - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating domain controller..." - # Disable password complexity policy - secedit /export /cfg C:\secpol.cfg - (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg - secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY - rm -force C:\secpol.cfg -confirm:$false - - # Set administrator password - $computerName = $env:COMPUTERNAME - $adminPassword = "vagrant" - $adminUser = [ADSI] "WinNT://$computerName/Administrator,User" - $adminUser.SetPassword($adminPassword) - - $PlainPassword = "vagrant" # "P@ssw0rd" - $SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force - - # Windows Server 2016 R2 - Install-WindowsFeature AD-domain-services - Import-Module ADDSDeployment - Install-ADDSForest ` - -SafeModeAdministratorPassword $SecurePassword ` - -CreateDnsDelegation:$false ` - -DatabasePath "C:\Windows\NTDS" ` - -DomainMode "7" ` - -DomainName $domain ` - -DomainNetbiosName "WINDOMAIN" ` - -ForestMode "7" ` - -InstallDns:$true ` - -LogPath "C:\Windows\NTDS" ` - -NoRebootOnCompletion:$true ` - -SysvolPath "C:\Windows\SYSVOL" ` - -Force:$true - - $newDNSServers = "127.0.0.1", "8.8.8.8", "4.4.4.4" - $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -And ($_.IPAddress).StartsWith($subnet) } - if ($adapters) { - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting DNS" - $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)} - } - Write-Host 
"$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC" - c:\windows\system32\tzutil.exe /s "UTC" - - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Excluding NAT interface from DNS" - $nics=Get-WmiObject "Win32_NetworkAdapterConfiguration where IPEnabled='TRUE'" |? { $_.IPAddress[0] -ilike "172.25.*" } - $dnslistenip=$nics.IPAddress - $dnslistenip - dnscmd /ResetListenAddresses $dnslistenip - - $nics=Get-WmiObject "Win32_NetworkAdapterConfiguration where IPEnabled='TRUE'" |? { $_.IPAddress[0] -ilike "10.*" } - foreach($nic in $nics) - { - $nic.DomainDNSRegistrationEnabled = $false - $nic.SetDynamicDNSRegistration($false) |Out-Null - } - - - #Get-DnsServerResourceRecord -ZoneName $domain -type 1 -Name "@" |Select-Object HostName,RecordType -ExpandProperty RecordData |Where-Object {$_.IPv4Address -ilike "10.*"}|Remove-DnsServerResourceRecord - $RRs= Get-DnsServerResourceRecord -ZoneName $domain -type 1 -Name "@" - - foreach($RR in $RRs) - { - if ( (Select-Object -InputObject $RR HostName,RecordType -ExpandProperty RecordData).IPv4Address -ilike "10.*") - { - Remove-DnsServerResourceRecord -ZoneName $domain -RRType A -Name "@" -RecordData $RR.RecordData.IPv4Address -Confirm - } - - } - Restart-Service DNS - -} diff --git a/base/resources/scripts/fix-second-network.ps1 b/base/resources/scripts/fix-second-network.ps1 deleted file mode 100755 index d38f7fe..0000000 --- a/base/resources/scripts/fix-second-network.ps1 +++ /dev/null 
@@ -1,53 +0,0 @@ -# Source: https://github.com/StefanScherer/adfs2 -param ([String] $ip, [String] $dns, [String] $gateway) - -if ( (Get-NetAdapter | Select-Object -First 1 | Select-Object -ExpandProperty InterfaceDescription).Contains('Red Hat VirtIO')) { - Write-Host "Setting Network Configuration for LibVirt interface" - $subnet = $ip -replace "\.\d+$", "" - $name = (Get-NetIPAddress -AddressFamily IPv4 ` - | Where-Object -FilterScript { ($_.IPAddress).StartsWith("$subnet") } ` - ).InterfaceAlias - if ($name) { - Write-Host "Set IP address to $ip of interface $name" - & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$gateway" - if ($dns) { - Write-Host "Set DNS server address to $dns of interface $name" - & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1 - } - } else { - Write-Error "Could not find a interface with subnet $subnet.xx" - } - - exit 0 -} - -if (! (Test-Path 'C:\Program Files\VMware\VMware Tools') ) { - Write-Host "Nothing to do for other providers than VMware." 
- exit 0 -} - - -Write-Host "$('[{0:HH:mm}]' -f (Get-Date))" -Write-Host "Setting IP address and DNS information for the Ethernet1 interface" -Write-Host "If this step times out, it's because vagrant is connecting to the VM on the wrong interface" -Write-Host "See https://github.com/clong/DetectionLab/issues/114 for more information" - -$subnet = $ip -replace "\.\d+$", "" -$name = (Get-NetIPAddress -AddressFamily IPv4 ` - | Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } ` - ).InterfaceAlias -if (!$name) { - $name = (Get-NetIPAddress -AddressFamily IPv4 ` - | Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } ` - ).InterfaceAlias -} -if ($name) { - Write-Host "Set IP address to $ip of interface $name" - & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1" - if ($dns) { - Write-Host "Set DNS server address to $dns of interface $name" - & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1 - } -} else { - Write-Error "Could not find a interface with subnet $subnet.xx" -} diff --git a/base/resources/scripts/join-domain.ps1 b/base/resources/scripts/join-domain.ps1 deleted file mode 100755 index b7dab96..0000000 --- a/base/resources/scripts/join-domain.ps1 +++ /dev/null 
@@ -1,36 +0,0 @@ -# Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1". -# Source: https://github.com/StefanScherer/adfs2 - -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Joining the domain..." - -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the domain..." -$newDNSServers = "192.168.38.102" -$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."} -$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)} - -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..." -$hostname = $(hostname) -$user = "windomain.local\vagrant" -$pass = ConvertTo-SecureString "vagrant" -AsPlainText -Force -$DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass - -# Place the computer in the correct OU based on hostname -If ($hostname -eq "srv") { - Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Servers,dc=windomain,dc=local" -PassThru -} ElseIf ($hostname -eq "win10") { - Write-Host "Adding Win10 to the domain. Sometimes this step times out. 
If that happens, just run 'vagrant reload win10 --provision'" #debug - Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local" -} Else { - Add-Computer -DomainName "windomain.local" -credential $DomainCred -PassThru -} - -Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1 -Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant" -Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant" - -# Stop Windows Update -Write-Host "Disabling Windows Updates and Windows Module Services" -Set-Service wuauserv -StartupType Disabled -Stop-Service wuauserv -Set-Service TrustedInstaller -StartupType Disabled -Stop-Service TrustedInstaller diff --git a/base/resources/scripts/provision.ps1 b/base/resources/scripts/provision.ps1 deleted file mode 100644 index d6ba17e..0000000 --- a/base/resources/scripts/provision.ps1 +++ /dev/null 
@@ -1,41 +0,0 @@ -# Purpose: Sets timezone to UTC, sets hostname, creates/joins domain. -# Source: https://github.com/StefanScherer/adfs2 - -$box = Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -Name "ComputerName" -$box = $box.ComputerName.ToString().ToLower() - -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC..." -c:\windows\system32\tzutil.exe /s "UTC" - -# Ping DetectionLab server for usage statistics -# curl -userAgent "DetectionLab-$box" "https://detectionlab.network/$box" -UseBasicParsing | out-null - -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disable IPv6 on all network adaptpers..." -Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6} -Get-NetAdapterBinding -ComponentID ms_tcpip6 -# https://support.microsoft.com/en-gb/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users -reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 255 /f - -if ($env:COMPUTERNAME -imatch 'vagrant') { - - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hostname is still the original one, skip provisioning for reboot..." - - Write-Host -fore red 'Hint: vagrant reload' $box '--provision' - -} elseif ((gwmi win32_computersystem).partofdomain -eq $false) { - - Write-Host -fore red "$('[{0:HH:mm}]' -f (Get-Date)) Current domain is set to 'workgroup'. Time to join the domain!" - - if ($env:COMPUTERNAME -imatch 'dc') { - . c:\vagrant\resources\scripts\create-domain.ps1 192.168.38.102 - } else { - . c:\vagrant\resources\scripts\join-domain.ps1 - } - Write-Host -fore red 'Hint: vagrant reload' $box '--provision' - -} else { - - Write-Host -fore green "$('[{0:HH:mm}]' -f (Get-Date)) I am domain joined!" - - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Provisioning after joining domain..." -} 
diff --git a/admin-t1-restricted/resources/scripts/MakeWindows10GreatAgain.ps1 b/base/scripts/MakeWindows10GreatAgain.ps1
similarity index 100%
rename from admin-t1-restricted/resources/scripts/MakeWindows10GreatAgain.ps1
rename to base/scripts/MakeWindows10GreatAgain.ps1
diff --git a/admin-t1-restricted/resources/scripts/MakeWindows10GreatAgain.reg b/base/scripts/MakeWindows10GreatAgain.reg
similarity index 100%
rename from admin-t1-restricted/resources/scripts/MakeWindows10GreatAgain.reg
rename to base/scripts/MakeWindows10GreatAgain.reg
diff --git a/base/resources/scripts/configure-ou.ps1 b/base/scripts/configure-ou.ps1
similarity index 71%
rename from base/resources/scripts/configure-ou.ps1
rename to base/scripts/configure-ou.ps1
index 10d6905..8906958 100644
--- a/base/resources/scripts/configure-ou.ps1
+++ b/base/scripts/configure-ou.ps1
@@ -1,35 +1,44 @@
 # Purpose: Sets up the Server and Workstations OUs
+Param (
+ [string]$Ip,
+ [string]$Domain,
+ [string]$DcName
+)
+
+$dc1,$dc2=$Domain.split('.')
+
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Checking AD services status..."
 $svcs = "adws","dns","kdc","netlogon"
 Get-Service -name $svcs -ComputerName localhost | Select Machinename,Name,Status
 # Hardcoding DC hostname in hosts file
-Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.102 dc.windomain.local"
+Add-Content "c:\windows\system32\drivers\etc\hosts" " $Ip $DcName"
 # Force DNS resolution of the domain
-ping /n 1 dc.windomain.local
-ping /n 1 windomain.local
+ping /n 1 $DcName.$domain
+ping /n 1 $domain
+
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server and Workstation OUs..."
 # Create the Servers OU if it doesn't exist
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU"
 try {
- Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null
+ Get-ADOrganizationalUnit -Identity "OU=Servers,DC=$dc1,DC=$dc2" | Out-Null
 Write-Host "Servers OU already exists. Moving On."
 } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
- New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
+ New-ADOrganizationalUnit -Name "Servers" -Server "$DcName.$domain"
 }
 # Create the Workstations OU if it doesn't exist
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU"
 try {
- Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null
+ Get-ADOrganizationalUnit -Identity "OU=Workstations,DC=$dc1,DC=$dc2" | Out-Null
 Write-Host "Workstations OU already exists. Moving On."
 } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
- New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
+ New-ADOrganizationalUnit -Name "Workstations" -Server "$DcName.$domain"
 }
 # Sysprep breaks auto-login. Let's restore it here:
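Review bot: The hosts-file line now pins `$Ip` to the bare `$DcName`, but the `ping` calls and the `-Server` arguments right below resolve `$DcName.$domain`, so the entry no longer covers the FQDN that the old hard-coded line did; it should read `Add-Content "c:\windows\system32\drivers\etc\hosts" " $Ip $DcName.$Domain"`. `$dc1,$dc2=$Domain.split('.')` silently assumes exactly two labels (the same pattern appears in the new join-domain.ps1 hunk); building the DN with `"DC=" + ($Domain.split('.') -join ',DC=')` handles any depth. None of the three parameters is `Mandatory`, so an empty `$Domain` yields `DC=,DC=` and a meaningless `ping` rather than a clear failure — `[Parameter(Mandatory=$true)]` on each is cheap. The script's tail continues outside the hunk.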
diff --git a/base/scripts/configure-rdp-smb.ps1 b/base/scripts/configure-rdp-smb.ps1
new file mode 100644
index 0000000..0adf53d
--- /dev/null
+++ b/base/scripts/configure-rdp-smb.ps1
@@ -0,0 +1,8 @@
+
+$domain=(gwmi win32_computersystem).Domain
+# Allow vagrant user from our domain to connect via RDP
+Add-LocalGroupMember -Group "Remote Desktop Users" -Member "$domain\vagrant"
+
+# Allow SMB (disabled by default on 2019 server)
+Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Domain
+
diff --git a/base/scripts/create-forest.ps1 b/base/scripts/create-forest.ps1
new file mode 100644
index 0000000..d23c4e7
--- /dev/null
+++ b/base/scripts/create-forest.ps1
@@ -0,0 +1,31 @@
+# Purpose: Creates the domain
+# Source: https://github.com/StefanScherer/adfs2
+
+Param (
+ [string]$Ip,
+ [string]$Name
+)
+
+$subnet=$Ip -replace "\.\d+$", ""
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Forest $Name ..."
+
+if ((gwmi win32_computersystem).partofdomain -eq $false) {
+ $SecurePassword = "vagrant" | ConvertTo-SecureString -AsPlainText -Force
+
+ # Windows Server 2016 R2
+ Install-WindowsFeature AD-domain-services
+ Import-Module ADDSDeployment
+ Install-ADDSForest `
+ -SafeModeAdministratorPassword $SecurePassword `
+ -CreateDnsDelegation:$false `
+ -DatabasePath "C:\Windows\NTDS" `
+ -DomainMode "7" `
+ -DomainName $Name `
+ -ForestMode "7" `
+ -InstallDns:$true `
+ -LogPath "C:\Windows\NTDS" `
+ -NoRebootOnCompletion:$true `
+ -SysvolPath "C:\Windows\SYSVOL" `
+ -Force:$true
+}
diff --git a/base/scripts/fix-network.ps1 b/base/scripts/fix-network.ps1
new file mode 100644
index 0000000..e38e83c
--- /dev/null
+++ b/base/scripts/fix-network.ps1
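Review bot: `Add-LocalGroupMember` is not idempotent: on a second `vagrant provision` it raises "already a member", so guard it, e.g. `if (-not (Get-LocalGroupMember -Group "Remote Desktop Users" -Member "$domain\vagrant" -ErrorAction SilentlyContinue)) { Add-LocalGroupMember -Group "Remote Desktop Users" -Member "$domain\vagrant" }`. `(gwmi win32_computersystem).Domain` yields the DNS domain name, and the Vagrantfile runs this script before the `reload` that completes the join, so the `$domain\vagrant` lookup may fail on the first pass — presumably it resolves in practice, but `-ErrorAction Stop` with a clear message would make that failure visible instead of silent. Enabling the whole "File And Printer Sharing" group also opens the NetBIOS and ICMP rules; if only SMB is needed, `-DisplayName "File and Printer Sharing (SMB-In)"` is the narrower change and the comment above it would then match what is enabled.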
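Review bot: `$subnet=$Ip -replace "\.\d+$", ""` is computed and never read, and with it `$Ip` itself goes unused, so either the parameter is dead or something that should consume it was dropped; remove both or use them. The `# Windows Server 2016 R2` comment is stale now that the boxes are 2019 images, and neither parameter is `Mandatory`, so an empty `$Name` reaches `Install-ADDSForest`. A short header noting that the DSRM password is the fixed lab value would save the next reader a lookup, e.g. `# DSRM (safe-mode) password is the lab-wide "vagrant"; keep it in step with install-rsat.ps1`.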
@@ -0,0 +1,21 @@
+# Purpose: Sets timezone to UTC, sets hostname, creates/joins domain.
+# Source: https://github.com/StefanScherer/adfs2
+
+Param (
+ [string]$Ip
+)
+
+$subnet = $Ip -replace "\.\d+$", ""
+
+# Change metric, default is private network
+$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match $subnet}
+$adapters | ForEach-Object {$_.IPConnectionMetric = 1 }
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC..."
+c:\windows\system32\tzutil.exe /s "UTC"
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disable IPv6 on all network adaptpers..."
+Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6}
+Get-NetAdapterBinding -ComponentID ms_tcpip6
+# https://support.microsoft.com/en-gb/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 255 /f
diff --git a/base/scripts/install-rsat.ps1 b/base/scripts/install-rsat.ps1
new file mode 100644
index 0000000..42a35da
--- /dev/null
+++ b/base/scripts/install-rsat.ps1
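Review bot: `$_.IPConnectionMetric = 1` only sets a property on the in-memory WMI object and is never written back, so the adapter's metric does not change and the "Change metric" comment describes something that does not happen; Win32_NetworkAdapterConfiguration exposes a method for this, `$adapters | ForEach-Object { $_.SetIPConnectionMetric(1) | Out-Null }`, and checking its `ReturnValue` would surface a failure. `-match $subnet` treats the dots in the subnet prefix as regex wildcards — `-match [regex]::Escape($subnet)`, or `.StartsWith($subnet)` as update-dns.ps1 does, is the intended test. The `# Purpose:` header is copied from the deleted provision.ps1 and still promises hostname and domain work this script does not do; `# Purpose: raise the lab NIC's metric, set the timezone to UTC and disable IPv6` describes what is here.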
@@ -0,0 +1,21 @@
+if ((gwmi win32_computersystem).partofdomain -eq $false) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing RSAT tools"
+ Import-Module ServerManager
+ Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
+
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating domain controller..."
+ # Disable password complexity policy
+ secedit /export /cfg C:\secpol.cfg
+ (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
+ secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY
+ rm -force C:\secpol.cfg -confirm:$false
+
+ # Set administrator password
+ $computerName = $env:COMPUTERNAME
+ $adminPassword = "vagrant"
+ $adminUser = [ADSI] "WinNT://$computerName/Administrator,User"
+ $adminUser.SetPassword($adminPassword)
+
+ $PlainPassword = "vagrant" # "P@ssw0rd"
+ $SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
+}
\ No newline at end of file
diff --git a/base/scripts/join-domain.ps1 b/base/scripts/join-domain.ps1
new file mode 100755
index 0000000..961ac09
--- /dev/null
+++ b/base/scripts/join-domain.ps1
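Review bot: `$PlainPassword` and `$SecurePassword` at the end of the block are assigned and never used (create-forest.ps1 builds its own secure string), so they are dead code and should go; the `"Creating domain controller..."` message is also misleading, since this script only installs RSAT, relaxes the complexity policy and resets the local Administrator password. The `# Disable password complexity policy` comment would read better with the reason, presumably `# so the short lab password "vagrant" is accepted by the Administrator reset below — confirm`. `secedit` and `SetPassword()` failures are not checked, so a non-zero `secedit` exit still lets the script finish as if it succeeded; testing `$LASTEXITCODE` after each `secedit` call is enough to surface that. The file also lacks a trailing newline.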
@@ -0,0 +1,46 @@
+# Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1".
+# Source: https://github.com/StefanScherer/adfs2
+
+
+Param (
+ [string]$Domain,
+ [string]$Dns
+)
+
+if ((gwmi win32_computersystem).partofdomain -eq $false) {
+ $subnet = $dns -replace "\.\d+$", ""
+
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Joining the domain $Domain ..."
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the domain ($Dns)..."
+
+ $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match $subnet}
+ $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($Dns)}
+
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..."
+ $hostname = $(hostname)
+ $user = "$Domain\vagrant"
+ $pass = ConvertTo-SecureString "vagrant" -AsPlainText -Force
+ $DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
+
+ $dc1, $dc2=$Domain.split('.')
+ # Place the computer in the correct OU based on hostname
+ If ($hostname -eq "srv") {
+ Add-Computer -DomainName $Domain -credential $DomainCred -OUPath "ou=Servers,dc=$dc1,dc=$dc2" -PassThru
+ } ElseIf ($hostname -eq "win10") {
+ Write-Host "Adding Win10 to the domain. Sometimes this step times out. If that happens, just run 'vagrant reload win10 --provision'" #debug
+ Add-Computer -DomainName $Domain -credential $DomainCred -OUPath "ou=Workstations,dc=$dc1,dc=$dc2"
+ } Else {
+ Add-Computer -DomainName $Domain -credential $DomainCred -PassThru
+ }
+
+ Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
+ Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
+ Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
+
+ # Stop Windows Update
+ Write-Host "Disabling Windows Updates and Windows Module Services"
+ Set-Service wuauserv -StartupType Disabled
+ Stop-Service wuauserv
+ Set-Service TrustedInstaller -StartupType Disabled
+ Stop-Service TrustedInstaller
+}
\ No newline at end of file
diff --git a/base/scripts/update-dns.ps1 b/base/scripts/update-dns.ps1
new file mode 100644
index 0000000..f2d407b
--- /dev/null
+++ b/base/scripts/update-dns.ps1
@@ -0,0 +1,12 @@
+Param (
+ [string]$Ip
+)
+
+$subnet = $Ip -replace "\.\d+$", ""
+
+$newDNSServers = "127.0.0.1", $Ip
+$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -And ($_.IPAddress).StartsWith($subnet) }
+if ($adapters) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting DNS to $newDNSServers"
+ $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
+}
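Review bot: OU placement is keyed on the literal hostnames `srv` and `win10`, but the Vagrantfile hunks in this commit take hostnames from `CONFIG[...][:name]` and the client definition gives no sign of being called `win10`, so the client falls into the `Else` branch and is joined outside the Workstations OU that configure-ou.ps1 creates; pass the role explicitly (a `[string]$OuPath` parameter supplied on the `-args` line) instead of matching names. `$dc1, $dc2=$Domain.split('.')` carries the same two-label assumption as configure-ou.ps1, and `-match $subnet` the same unescaped-dot pattern as fix-network.ps1. The `Add-Computer` result is never checked, so a failed join still proceeds to configure AutoAdminLogon and disable Windows Update; `-ErrorAction Stop` on the three `Add-Computer` calls prevents that. The `# Purpose:` header still names `windomain.local` and `create-domain.ps1`, which this commit deletes in favour of create-forest.ps1 and a `-Domain` parameter.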
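Review bot: `$Ip` is not `Mandatory`, and with an empty value `$subnet` becomes `""`, `StartsWith("")` is true for every adapter, and the search order written is `127.0.0.1` followed by an empty string on all of them, including the NAT interface; `[Parameter(Mandatory=$true)] [string]$Ip` turns that into a clear failure at the call site. The return of `SetDNSServerSearchOrder` is also discarded, so a rejected call goes unnoticed — capture its `ReturnValue` and report a non-zero result. A one-line `# Purpose:` header like the sibling scripts carry (point the DC's lab NIC at itself for DNS) would make the script's role obvious without reading the Vagrantfile.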