This is a script to do a basic Windows configuration all through PowerShell
The script will do the following:
1. Give the computer an IP address, DNS server and gateway
2. Give the computer a name
3. Disable scanning of mapped drives for Windows defender
4. Set the connection profile to private
5. Open all firewall ports to the local LAN
6. Enable SMB connections from remote computers
7. Create a scheduled task to start the AppLocker service
8. Create some users and add them to groups
9. Set the user’s passwords to never expire and prevent change password on login
10. Install a list of applications using Chocolatey (see here for more detail)
11. Enable SMB v1
$IPAddress = Read-Host -prompt "Enter IP Address"
$ComputerName = Read-Host -prompt "Computer Name"
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1
$PName = Get-NetConnectionProfile | select Name -ExpandProperty Name
Set-NetConnectionProfile -Name $PName -NetworkCategory Private
New-NetIPAddress –IPAddress $IPAddress -DefaultGateway “192.168.0.1” -PrefixLength 24 -InterfaceIndex (Get-NetAdapter).InterfaceIndex -addressfamily ipv4
Set-DnsClientServerAddress -InterfaceAlias (Get-NetAdapter).InterfaceAlias -ServerAddresses 192.168.0.1
Start-Sleep -Seconds 15
New-NetFirewallRule -DisplayName 'All Local Traffic' -Profile @('Domain', 'Private') -Direction inbound -Action Allow -Protocol TCP -LocalPort ('0-65535') -RemotePort ('0-65535')
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "FilterAdministratorToken" -PropertyType "dword" -Value '00000000'
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -PropertyType "dword" -Value '00000001'
Start-Sleep -Seconds 60
$Trigger= New-ScheduledTaskTrigger –AtStartup
$User= "NT AUTHORITY\SYSTEM"
$Action= New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "C:\System\Start_AppLocker.ps1"
Register-ScheduledTask -TaskName "Start AppLocker" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest –Force
Start-Sleep -Seconds 10
$password = ConvertTo-SecureString "MyPassword" -AsPlainText -Force
$usergroup = "Users"
$admingroup = "Administrators"
$remotegroup = "Remote Desktop Users"
$users = @(
"User"
"Admin"
"Plexsvc"
)
foreach ($user in $users) {
New-LocalUser -Name "$user" -Password $Password
Add-LocalGroupMember -Group "$usergroup" -Member "$user"
Add-LocalGroupMember -Group "$remotegroup" -Member "$user"
Set-LocalUser -Name "$user" -PasswordNeverExpires $true
$expUser = [ADSI]"WinNT://localhost/$user,user"
$expUser.passwordExpired = 0
$expUser.setinfo()
If ($user -eq 'Admin' ) {
Add-LocalGroupMember -Group "$admingroup" -Member "$user"
}
}
cd c:\temp
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
choco feature enable -n allowGlobalConfirmation
choco install .\packages.config –y
cup all
Enable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" -All
Rename-Computer -NewName $ComputerName -Restart -force
