• Mike Rodrick

    @Waqkas-Ahmed ,

    If you need to create the VPN, use this...

    Add-VpnConnection -Name 'test' -ServerAddress '' -AuthenticationMethod Pap

    You will get a warning

    WARNING: The currently selected encryption level requires EAP or MS-CHAPv2 logon security methods. Data encryption will not occur for Pap or Chap.

    It will still create the VPN; it's just reminding you that if you want to encrypt, you will have to use EAP or MS-CHAPv2.

    posted in Microsoft
  • Mike Rodrick

    @Waqkas-Ahmed ,

    Here is what I have so far...

    # Get name of remote computer
    $hostname = Read-Host -Prompt "Enter Remote Hostname"
    # Get credentials for remote computer
    $cred = Get-Credential
    # Create a PSSession to the remote computer
    $s = New-PSSession -ComputerName $hostname -Credential $cred
    # Execute commands on remote computer
    Invoke-Command -Session $s -ScriptBlock {
        # Store path to registry key
        $basePath = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\"
        # Check if property exists
        if (-not (Get-ItemProperty -Name 'AssumeUDPEncapsulationContextOnSendRule' -Path $basePath -ErrorAction SilentlyContinue)) {
            # If it doesn't exist, create it and set the value to 00000002
            New-ItemProperty -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType dword -Value 00000002 -Path $basePath
        } else {
            # If it does exist, set the value to 00000002
            Set-ItemProperty -Name AssumeUDPEncapsulationContextOnSendRule -Value 00000002 -Path $basePath
        }
        # Set the VPN properties
        Set-VpnConnection -Name 'test' -AuthenticationMethod Pap -EncryptionLevel NoEncryption
    }
    # Remove the PSSession when done
    Remove-PSSession $s

    This will prompt for the remote computer info and credentials, you can hard code this instead.

    It will check to see if the registry key exists and then create it, or update it to the appropriate value. Not sure if that's what you want it to do if the key already exists. If not, just remove the 'else' block.

    It will update a VPN connection named 'test' to use PAP for authentication. We can add checks to see if the VPN connection exists, and create it if necessary. Let me know.

    You cannot choose 'require encryption' or 'maximum encryption' on a VPN connection that is using PAP for authentication. Only 'no encryption' or 'optional encryption', because PAP is plaintext and has no support for encryption. You cannot send credentials in plaintext and then encrypt the data.

    posted in Microsoft
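An added example (mine, not from the original post) that builds on the script above: it uses the same remote hostname/credential prompt and registry value, but only writes when something differs, creates the 'test' connection when it is missing (the server address is a placeholder), and returns the final state so the caller can verify it.

```powershell
# Added example, not from the original post; builds on the script above.
# Assumes the same remote hostname/credential prompt and a connection named 'test'.
$hostname = Read-Host -Prompt "Enter Remote Hostname"
$cred     = Get-Credential
$s        = New-PSSession -ComputerName $hostname -Credential $cred

$result = Invoke-Command -Session $s -ScriptBlock {
    $basePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $valName  = 'AssumeUDPEncapsulationContextOnSendRule'
    $changes  = @()

    # New-Item fails if the key already exists, so create it only when missing
    if (-not (Test-Path $basePath)) {
        New-Item -Path $basePath -Force | Out-Null
        $changes += "created key $basePath"
    }

    # $null when the property is absent; 00000002 in the post is just decimal 2
    $current = (Get-ItemProperty -Path $basePath -Name $valName -ErrorAction SilentlyContinue).$valName
    if ($null -eq $current) {
        New-ItemProperty -Path $basePath -Name $valName -PropertyType DWord -Value 2 | Out-Null
        $changes += "created $valName = 2"
    } elseif ($current -ne 2) {
        Set-ItemProperty -Path $basePath -Name $valName -Value 2
        $changes += "updated $valName from $current to 2"
    }

    # Create the connection only if it is missing, otherwise just correct its settings.
    # The server address is a placeholder; the original post leaves it blank.
    $vpn = Get-VpnConnection -Name 'test' -ErrorAction SilentlyContinue
    if ($null -eq $vpn) {
        Add-VpnConnection -Name 'test' -ServerAddress 'vpn.example.com' `
            -AuthenticationMethod Pap -EncryptionLevel NoEncryption
        $changes += "created VPN connection 'test'"
    } elseif ($vpn.AuthenticationMethod -notcontains 'Pap' -or $vpn.EncryptionLevel -ne 'NoEncryption') {
        Set-VpnConnection -Name 'test' -AuthenticationMethod Pap -EncryptionLevel NoEncryption
        $changes += "updated VPN connection 'test'"
    }

    # Return the final state so the caller can verify what happened on the remote box
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        RegistryValue = (Get-ItemProperty -Path $basePath -Name $valName).$valName
        VpnAuth       = (Get-VpnConnection -Name 'test').AuthenticationMethod -join ','
        Changes       = $changes -join '; '
    }
}

Remove-PSSession $s
$result | Format-List
```

Get-VpnConnection inside the session sees the connections of the account you connected with; add -AllUserConnection to both Get- and Add-VpnConnection if the connection is meant to be machine-wide.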
  • Mike Rodrick


    The link Adam posted to The Scripting Guy does a great job of explaining how to edit the registry on a remote computer using a PSSession, and add and define a new registry key. After you create your remote session, do something like this...

    Set-Location HKLM:\system\currentcontrolset\services
    New-Item -Name PolicyAgent
    New-ItemProperty -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType dword -Value 00000002 -Path PolicyAgent

    The Set-VpnConnection cmdlet will let you modify existing VPN connections. You can use the -AuthenticationMethod parameter to set it to PAP (Yikes, allow unencrypted password transmission?!?) if you want to. Something like this...

    Set-VpnConnection -Name test -AuthenticationMethod Pap

    In the future would you mind posting what you have so far? This will give us a starting point and help figure out what part you are having trouble with.

    posted in Microsoft
  • Mike Rodrick


    Hey Waqkas,

    Try something like this...

    First, create your script to copy the files...

    Get-ChildItem -Path D:\VMShare\Scripts -Recurse | `
    ForEach-Object {Copy-Item -Path $_.FullName -Destination \\server01\Data}

    This script will copy all files from the local path D:\VMShare\Scripts to the shared folder \\server01\Data.

    Save that script to a local directory, like C:\Scripts.

    Then create a new basic scheduled task using Task Scheduler:

    1. Launch Task Scheduler
    2. Create Basic Task
    3. Give the task a name
    4. Set your schedule/recurrence
    5. For action, choose Start a program
    6. For program/script, type PowerShell
    7. For add arguments, put the full path and name of the script to run

    This will launch PowerShell and then run the script.

    Things to keep in mind:

    1. Verify the execution policy will allow scripts to run.
    2. Verify the account running the script has write permissions at the destination.

    posted in Microsoft
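The same task created from PowerShell instead of the Task Scheduler GUI, as an added example (mine, not from the original post). It assumes the copy script was saved as C:\Scripts\Copy-VMShare.ps1 and that LAB\svc-copy is a dedicated account with write access to \\server01\Data; both names are placeholders.

```powershell
# Added example, not from the original post. Assumes the copy script was saved as
# C:\Scripts\Copy-VMShare.ps1 and that LAB\svc-copy is a dedicated account with
# write access to \\server01\Data (both names are placeholders).
$scriptPath = 'C:\Scripts\Copy-VMShare.ps1'
$taskName   = 'Copy VMShare Scripts'

# Steps 5-7: the "Start a program" action. -ExecutionPolicy Bypass applies to this
# process only, so the machine-wide policy (keep-in-mind #1) is left untouched.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Step 4: daily at 02:00; change to the recurrence you picked
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Keep-in-mind #2: run as the account that has write permission on the share.
# A stored password is needed for the task to reach a network share unattended.
$svc = Get-Credential -UserName 'LAB\svc-copy' -Message 'Account that will run the copy'

# Stop the task if a run hangs past an hour; never start a second overlapping copy
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $svc.UserName -Password $svc.GetNetworkCredential().Password -RunLevel Limited `
    -Description 'Copies D:\VMShare\Scripts to \\server01\Data' | Out-Null

# Confirm registration and show the next scheduled run
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime, LastTaskResult
```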
  • Mike Rodrick

    @Waqkas-Ahmed ,

    Are you trying to copy all files from the local drive, all files from a folder on the local drive, or only certain file types?

    posted in Microsoft
  • Mike Rodrick

    Hey Adam,

    I would agree.

    VM1 and VM2 should be able to connect. They are on the same VLAN and connected to the same Hyper-V switch, so the traffic never leaves server1.

    VM1 will not be able to connect to VM5. While they are on the same VLAN, they are connected to different virtual switches on separate servers. The traffic will be routed from server1 to server2 across the physical network. As you stated, if the physical switches are not configured with VLANs, the packets will be dropped.

    The rest of the VMs are either on a different VLAN, or not configured with a VLAN ID.


    posted in Microsoft
  • Mike Rodrick

    Hello @fabio-teles ,

    Look for MCSA Windows Server 2016 - 70-742 in the course library. There are 10 episodes on Implement Active Directory Certificate Services. We look at setting up a two-tier PKI, using an offline root CA and an Enterprise subordinate CA. I would definitely recommend against a single CA in a production environment.

    Hope this helps, if you have any more questions, let me know.

    Thanks for watching!

    posted in Microsoft
  • Mike Rodrick

    Hey @Adam-Tyler ,

    The correct answer would be D.

    Your process of elimination is spot on.

    A) The Set-DAClient cmdlet is used to configure force tunneling, support for down-level clients, and support for remote computers only.

    B) Set-DirectAccess is not a valid cmdlet.

    C) The security group named 'Windows Authorization Access Group' is used to grant access to the tokenGroupsGlobalAndUniversal attribute on User objects. You can see this attribute on the properties of a user account if you enable advanced view, go to the attribute editor tab, and change the filter to include constructed attributes. Enterprise domain controllers are members of this group.

    D) The 'Direct Access Client Settings' GPO is one of two GPOs created when you deploy DirectAccess. This policy sets the configuration for DirectAccess clients: firewall rules, NRPT settings, connection security settings, and more. It is linked to the domain, and then security filtering is used to determine who can apply the policy.

    So your logic is correct. To limit the DirectAccess trial to LAB\Test Computers, they would have used security filtering. The DirectAccess deployment wizard has a step where you choose 'one or more security groups that contain client computers that will be enabled for DirectAccess'. They would have removed the security group 'LAB\Domain Computers' (the default), and added the security group 'LAB\Test Computers'. Now that the trial is over, that needs to be changed. You can edit this setting in the Remote Access Management console, or you can edit the security filtering directly on the GPO in the Group Policy Management console.

    posted in Microsoft
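Editing the security filtering of that GPO from PowerShell, as an added example (mine, not from the original post). Security filtering is just who holds 'Apply Group Policy' on the GPO, so the script lists the current GpoApply trustees, restores Domain Computers, and drops Test Computers. It assumes the GroupPolicy module (RSAT) is installed and uses the GPO and group names exactly as written in the answer above.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module (RSAT).
# GPO and group names are the ones given in the answer above; adjust if yours differ.
Import-Module GroupPolicy

$gpoName  = 'Direct Access Client Settings'
$trialGrp = 'Test Computers'      # LAB\Test Computers, added for the trial
$prodGrp  = 'Domain Computers'    # LAB\Domain Computers, the wizard's default

function Get-GpoApplyTrustees {
    # Security filtering == trustees holding 'Apply Group Policy' (GpoApply) on the GPO
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

Write-Host "Before: $((Get-GpoApplyTrustees -Name $gpoName) -join ', ')"

# Put the default back: GpoApply implies Read + Apply Group Policy for Domain Computers
Set-GPPermission -Name $gpoName -TargetName $prodGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Take the trial group out of the filter; PermissionLevel None removes its entries
Set-GPPermission -Name $gpoName -TargetName $trialGrp -TargetType Group `
    -PermissionLevel None | Out-Null

Write-Host "After:  $((Get-GpoApplyTrustees -Name $gpoName) -join ', ')"
```

Run `gpupdate /force` on a client and check `gpresult /r` afterwards to confirm the policy now applies to machines outside the trial group.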