Wednesday, April 15, 2020

domain controller from DSC

<#
.SYNOPSIS
    DSC configuration that turns one node into the first domain controller of a new forest.
.DESCRIPTION
    Compiles to a single MOF for the node named by -FirstDomainControllerName. The resources
    declared below: a C:\NTDS directory, the DNS and AD-Domain-Services Windows features
    (plus RSAT-ADDS), the node's own DNS client pointed at 127.0.0.1, the new domain,
    an alternate administrator account, and membership of that account (and the built-in
    "Administrator") in Domain Admins and Enterprise Admins. Ordering is driven by the
    DependsOn properties on each resource.
.PARAMETER SafeModeCredentials
    Passed as SafemodeAdministratorPassword of xADDomain (DSRM password); only the password
    part is used, the user name is ignored.
.PARAMETER VMCredentials
    Declared mandatory but not referenced by any resource in this configuration; callers
    still have to supply it.
.PARAMETER DomainAdministratorCredentials
    Used both as the domain administrator credential handed to xADDomain / xADUser / xADGroup
    and as the password of the new alternate administrator account (xADUser.Password).
.PARAMETER AdministratorAccount
    Account name of the alternate administrator that is created and added to the admin groups.
.PARAMETER FirstDomainControllerName
    Node name the configuration is compiled for.
.PARAMETER DomainName
    Passed as DomainNetbiosName of the new domain.
.PARAMETER DomainDnsName
    Passed as the DNS DomainName of the new domain (also used by xADUser).
.NOTES
    Nothing here disables the built-in Administrator account; if that is the intent it has
    to be done separately. The alternate account ends up in Enterprise Admins, i.e. with
    forest-wide rights rather than just domain rights.
#>
Configuration DomainController {
    param
    (
        [Parameter(Mandatory = $true)][PSCredential]$SafeModeCredentials,
        [Parameter(Mandatory = $true)][PSCredential]$VMCredentials,
        [Parameter(Mandatory = $true)][PSCredential]$DomainAdministratorCredentials,
        [Parameter(Mandatory = $true)][string]$AdministratorAccount,
       
        [Parameter(Mandatory = $true)][string]$FirstDomainControllerName,
        #[Parameter(Mandatory = $true)][string]$SecondDomainControllerIPAddress,
        #[Parameter(Mandatory = $true)][string]$GatewayAddress,
        #[Parameter(Mandatory = $true)][string]$SubnetMask,
        [Parameter(Mandatory = $true)][string]$DomainName,
        [Parameter(Mandatory = $true)][string]$DomainDnsName
    )
    # Import-Module loads the modules into the compiling session; Import-DscResource is what
    # actually makes the resource keywords (xADDomain, xDnsServerAddress, ...) available here.
    Import-Module PSDesiredStateConfiguration
    Import-Module xActiveDirectory
    Import-Module xNetworking

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xActiveDirectory
    Import-DscResource -ModuleName xNetworking

   
    Node $FirstDomainControllerName {

       

        # Directory the AD log files are placed in (see LogPath on xADDomain below).
        File ADFiles {
            DestinationPath = 'C:\NTDS'
            Type = 'Directory'
            Ensure = 'Present'
        }

        WindowsFeature DNS {
            Ensure = "Present"
            Name = "DNS"
        }



        # Point the node's DNS client at the DNS server it now hosts itself.
        # NOTE(review): InterfaceAlias is hard-coded; this only works if the adapter is
        # really called 'Ethernet' on the target VM - confirm before reuse.
        xDnsServerAddress DnsServerAddress {
            Address= '127.0.0.1'
            InterfaceAlias = 'Ethernet'
            AddressFamily  = 'IPv4'
            DependsOn = "[WindowsFeature]DNS"
        }
        WindowsFeature AD-Domain-Services {
            Ensure = "Present"
            Name = "AD-Domain-Services"
            DependsOn = "[File]ADFiles"
        }

        # These RSAT features are optional, but you may want
        #  the admin tools installed locally.
        #WindowsFeature RSAT-DNS-Server {
         #   Ensure = "Present"
         #   Name = "RSAT-DNS-Server"
         #   DependsOn = "[WindowsFeature]DNS"
        #}

        #WindowsFeature RSAT-AD-Tools {
        #    Name = 'RSAT-AD-Tools'
        #    Ensure = 'Present'
        #    DependsOn = "[WindowsFeature]AD-Domain-Services"
        #}

        # Only the RSAT-ADDS bundle is installed; the finer-grained tool features stay commented out.
        WindowsFeature RSAT-ADDS {
            Ensure = "Present"
            Name = "RSAT-ADDS"
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        #WindowsFeature RSAT-ADDS-Tools {
        #    Name = 'RSAT-ADDS-Tools'
         #   Ensure = 'Present'
         #   DependsOn = "[WindowsFeature]RSAT-ADDS"
        #}

        #WindowsFeature RSAT-AD-AdminCenter {
        #    Name = 'RSAT-AD-AdminCenter'
        #    Ensure = 'Present'
        #    DependsOn = "[WindowsFeature]AD-Domain-Services"
        #}

        # Creates the forest/domain. DatabasePath is left at the resource default (the line
        # is commented out); only LogPath is redirected to C:\NTDS.
        # No slash at end of folder paths.
        xADDomain PrimaryDC {
            DomainName = $DomainDnsName
            DomainNetbiosName = $DomainName
            DomainAdministratorCredential = $DomainAdministratorCredentials
            SafemodeAdministratorPassword = $SafeModeCredentials
            #DatabasePath = "C:\NTDS"
            LogPath = "C:\NTDS"
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        # The alternate administrator account. Its password comes from the same credential
        # object that is used to authenticate as the domain administrator, so the two
        # accounts share one password as configured here.
        xADUser AlternateAdminUser {
            DomainName = $DomainDnsName
            UserName = $AdministratorAccount
            Password = $DomainAdministratorCredentials # Uses just the password
            DisplayName = $AdministratorAccount
            PasswordAuthentication = 'Negotiate'
            DomainAdministratorCredential = $DomainAdministratorCredentials
            Ensure = 'Present'
            DependsOn = "[xADDomain]PrimaryDC"
        }

        # MembersToInclude only adds; it does not remove other members. Both the new
        # account and the built-in "Administrator" are added.
        xADGroup AddAdminToDomainAdminsGroup {
            GroupName = "Domain Admins"
            GroupScope = 'Global'
            Category = 'Security'
            MembersToInclude = @($AdministratorAccount, "Administrator")
            Ensure = 'Present'
            Credential = $DomainAdministratorCredentials
            DependsOn = "[xADUser]AlternateAdminUser"
        }

        # Enterprise Admins is forest-wide; membership here grants rights over every domain
        # in the forest, not only this one.
        xADGroup AddAdminToEnterpriseAdminsGroup {
            GroupName = "Enterprise Admins"
            GroupScope = 'Universal'
            Category = 'Security'
            MembersToInclude = @($AdministratorAccount, "Administrator")
            Ensure = 'Present'
            Credential = $DomainAdministratorCredentials
            DependsOn = "[xADUser]AlternateAdminUser"
        }
    }
}



#</code block>

#Compiling and running the configuration
#Now that the configuration exists, we need to compile it using the specific values we need. After that, we’ll push the configuration to the nodes.

#<code block>

# Input values for compiling the configuration. Both passwords are hard-coded in clear text
# in this script (and 'Pa$$w0rd' becomes the password of a Domain/Enterprise Admin), so this
# file itself has to be treated as a secret; the commented-out Get-Credential variants below
# prompt interactively instead.
$password = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force
$password_local = ConvertTo-SecureString -String 'vagrant' -AsPlainText -Force

$FirstDomainControllerName = 'dc1'

# Passed as DomainNetbiosName and as the DNS DomainName respectively.
$DomainName = 'contoso.com'
$DomainDnsName = 'contoso.com'

# Name of the alternate administrator account the configuration creates. Note that the
# configuration does not itself disable the built-in Administrator account.
$AdministratorAccount = 'ADifferentUsernameThanAdministrator'

# Local account on the VM used for the CIM session / remoting (".\" = local machine account).
#$VMCredentials = Get-Credential -Message "Enter the local administrator credentials." -UserName "vagrant"
$VMCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList @('.\vagrant', $password_local)

# Credential of the new administrator account; the same object is also used as the
# domain administrator credential inside the configuration.
#$DomainAdministratorCredentials = Get-Credential -Message "Enter the domain administrator credentials." -UserName ($DomainName + ‘\’ + $AdministratorAccount)
$domainAdminName = '{0}\{1}' -f $DomainName, $AdministratorAccount
$DomainAdministratorCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList @($domainAdminName, $password)

# Only the password part is used for the DSRM (safe mode) password; the user name is a placeholder.
#$SafeModeCredentials = Get-Credential -Message "Enter the new domain's Safe Mode administrator password." -UserName '(Password Only)'
$SafeModeCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList @('(Password Only)', $password)

# Configuration data for the single node. PsDscAllowPlainTextPassword = $true makes the
# compiled MOF carry every PSCredential password in clear text, so the MOF output folder
# is as sensitive as this script; certificate-based MOF encryption is the alternative.
$singleNode = @{
    NodeName                    = $FirstDomainControllerName
    PsDscAllowPlainTextPassword = $true
}
$cd = @{ AllNodes = @($singleNode) }

# Compile the MOF. With no -OutputPath the MOF lands in .\DomainController, which is the
# path Start-DscConfiguration below points at.
$compileParams = @{
    ConfigurationData              = $cd
    SafeModeCredentials            = $SafeModeCredentials
    VMCredentials                  = $VMCredentials
    DomainAdministratorCredentials = $DomainAdministratorCredentials
    FirstDomainControllerName      = $FirstDomainControllerName
    DomainName                     = $DomainName
    DomainDnsName                  = $DomainDnsName
    AdministratorAccount           = 'ADifferentUsernameThanAdministrator'
}
DomainController @compileParams

# WinRM client setting: "*" trusts every remote host for non-Kerberos authentication, so the
# client has no way to tell a spoofed dc1 from the real one. Listing just the target name
# ($FirstDomainControllerName) would be the narrower setting for this script.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "*" -Force

$sessionParams = @{
    Credential   = $VMCredentials
    ComputerName = $FirstDomainControllerName
    Verbose      = $true
}
$VMSession1 = New-CimSession @sessionParams

# Push the compiled MOF over the CIM session and block until the LCM has finished applying it.
$pushParams = @{
    Path       = 'DomainController'
    CimSession = $VMSession1
    Verbose    = $true
    Wait       = $true
    Force      = $true
}
Start-DscConfiguration @pushParams


You might need to install the required modules on dc1 first:

# Install the resource modules the configuration imports on the DC itself (run as the local
# vagrant account); Install-Module fetches them from the registered repository, PSGallery by
# default, so the VM needs outbound access for this step.
$installModules = {
    Install-Module -Name xActiveDirectory -Force -Confirm:$false
    Install-Module -Name xNetworking -Force -Confirm:$false
}
Invoke-Command -ComputerName dc1 -Credential $VMCredentials -ScriptBlock $installModules

Monday, March 30, 2020

Analyze what rights an application requires

1. Procmon.
2. Secpol.msc.
3. Standard User Analyzer: https://docs.microsoft.com/en-us/windows/win32/win7appqual/standard-user-analyzer--sua--tool-and-standard-user-analyzer-wizard--sua-wizard-
4. LUA Buglight (choco install luabuglight)

The main differences between a normal user and an administrator are:
access to registry (procmon)
access to file system (procmon)
privileges (tokenmon for WinXP and Win2003)

Manual way of finding privileges: in Secpol.msc, for every line where Administrators are already listed, add a test user:

Saturday, March 21, 2020

Who is consuming your battery

Check the current timer interval:


PS C:\tools> .\Clockres.exe

ClockRes v2.0 - View the system clock resolution
Copyright (C) 2009 Mark Russinovich
SysInternals - www.sysinternals.com

Maximum timer interval: 15.625 ms
Minimum timer interval: 0.500 ms
Current timer interval: 0.997 ms

Who set this value:

# The energy report needs elevation, hence -Verb RunAs (UAC prompt); it samples for 5 seconds
# and writes the HTML report to c:\en.html.
$energyArgs = '/energy /duration 5 /output c:\en.html'
Start-Process -FilePath 'powercfg' -ArgumentList $energyArgs -Verb RunAs

Platform Timer Resolution:Outstanding Timer Request

A program or service has requested a timer resolution smaller than the platform maximum timer resolution.
Requested Period 10000
Requesting Process ID 13356
Requesting Process Path \Device\HarddiskVolume6\Program Files (x86)\Google\Chrome\Application\chrome.exe

Sunday, March 1, 2020

basic DSC config

1. Prepare config for your machine:

1. Who is logged on
#requires -version 4.0
#use ConfigurationData
<#
.SYNOPSIS
    Sample configuration: a C:\Company folder, the node's time zone, and a hidden SMB share of that folder.
.DESCRIPTION
    Targets every node listed in the ConfigurationData (.psd1) supplied at compile time, via
    $AllNodes.NodeName, so one MOF is produced per node. Needs the xSMBShare and
    ComputerManagementDsc resource modules on the compiling machine and on the target nodes.
#>
Configuration MyConfig3 {
    Param()
    Import-DscResource -module xSMBShare
    Import-DscResource -ModuleName ComputerManagementDsc
    Node $allNodes.nodename {
    #region Folders
    
    # The folder shared below; xSMBShare depends on it so it exists first.
    File Company {
        Ensure = "Present"
        DestinationPath = "c:\Company"
        Type = "Directory"
    }
    # TimeZone (ComputerManagementDsc) is a single-instance resource, hence IsSingleInstance = "Yes".
    TimeZone Company {
        TimeZone = "Central Europe Standard Time"
        IsSingleInstance = "Yes"
    }
    
    # A share name ending in "$" is the Windows convention for a share hidden from browse
    # lists; access-based enumeration additionally hides entries the connecting user cannot read.
    xSMBShare Company {
        DependsOn = "[File]Company"
        Name = "Company$"
        Path = "C:\Company"
        Ensure = "Present"
        FolderEnumerationMode = "AccessBased"
    }
    #endregion
    } # closes the Node block (the configuration closes on the next line)
}

2. Load the configuration into memory

# Dot-source the script so the Configuration block is defined in this session, then check
# that it shows up as a Configuration command.
. .\Config-MyConfig3.ps1
Get-Command -CommandType Configuration

# Compile: one MOF per node in the .psd1's AllNodes. NOTE(review): the data file and output
# folder are named after MyConfig2 although the configuration is MyConfig3 - presumably reused
# from the earlier example, confirm.
$compileParams = @{
    ConfigurationData = '.\myconfig2data.psd1'
    OutputPath        = 'C:\DSC\MyConfig2'
}
MyConfig3 @compileParams

# Open the generated MOF in the editor (psedit is the ISE / VS Code editor command).
psedit c:\dsc\myconfig2\WIN-3UTHK7V1J58.mof

3. Deploy and verify
# Push the MOF to the node and block until the LCM has applied it, with verbose progress.
$paramHash = @{
    Path         = 'C:\dsc\MyConfig2'
    ComputerName = 'WIN-3UTHK7V1J58'
    Wait         = $true
    Verbose      = $true
}
Start-DscConfiguration @paramHash
   
# Second push without -Wait: Start-DscConfiguration returns a job, which -OutVariable
# stores in $j.
$paramHash = @{
    Path         = 'C:\dsc\MyConfig2'
    ComputerName = 'chi-core01'
    OutVariable  = 'j'
}
Start-DscConfiguration @paramHash

# Block until the job finishes, then read its output; -Keep leaves the results readable again later.
Wait-Job -Job $j
Receive-Job -Job $j -Keep -Verbose

# Read back the applied configuration. NOTE(review): this queries chi-fp02, not the
# chi-core01 that was just configured - presumably intentional, confirm.
Get-DscConfiguration -CimSession chi-fp02
   

4.