How to Install and Configure SNMP on Windows Server 2019 Using PowerShell

Introduction

Simple Network Management Protocol (SNMP) is widely used for monitoring servers, network devices, and infrastructure components. In Windows Server 2019, SNMP is available as a Windows feature and can be fully installed and configured using PowerShell, making it ideal for automation and audit-compliant deployments. We widely use it remotely monitor servers historical performance unclouding DUDE, LIBRENMS and other tools.

This article explains how to install SNMP, configure the community string, and allow access from any host using PowerShell only.

---

Prerequisites

Before proceeding, ensure:

• You are logged in as a Local Administrator

• PowerShell is running as Administrator

• Windows Server version is 2019

---

Step 1: Install SNMP Service Using PowerShell

Run the following command to install the SNMP service along with management tools:

Install-WindowsFeature SNMP-Service -IncludeManagementTools


To verify installation:

Get-WindowsFeature SNMP-Service


The installation state should display as Installed.

---

Step 2: Configure SNMP Community String

SNMP community strings are stored in the Windows registry.
In this example, we configure a READ-ONLY community string named public.

New-ItemProperty `
-Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" `
-Name "public" `
-PropertyType DWORD `
-Value 4 `
-Force


Community Permission Values

• 4 → Read-Only

• 8 → Read-Write

• 1 → None

---

Step 3: Allow SNMP Access from Any Host

By default, Windows restricts SNMP access to specific managers. To allow SNMP queries from any host, remove existing restrictions. (for testing , but later ensure you enter your management / monitoring ip so that it should be restricted.)

Remove current permitted managers (if any):

Remove-Item `
-Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers" `
-Recurse `
-Force `
-ErrorAction SilentlyContinue


Recreate an empty key:

New-Item `
-Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters" `
-Name "PermittedManagers" `
-Force


An empty PermittedManagers key means SNMP access is allowed from all hosts.

---

Step 4: Restart SNMP Service

Apply changes by restarting the SNMP service:

Restart-Service SNMP


Verify service status:

Get-Service SNMP


---

Step 5 (Optional): Configure Windows Firewall

If SNMP polling does not work, ensure UDP port 161 is allowed:

New-NetFirewallRule `
-DisplayName "Allow SNMP UDP 161" `
-Direction Inbound `
-Protocol UDP `
-LocalPort 161 `
-Action Allow


---

Testing SNMP Connectivity

From your monitoring or management server, test SNMP access:

snmpwalk -v2c -c public <server-ip>


A successful response confirms that SNMP is working correctly.

---

Security Considerations

Allowing SNMP access from any host is not recommended for production environments unless additional controls are in place. Consider:

• Restricting SNMP access using firewall rules

• Using strong, non-default community strings

• Migrating to SNMPv3 where encryption and authentication are required

---

Conclusion

Using PowerShell to install and configure SNMP on Windows Server 2019 provides a fast, repeatable, and audit-friendly approach. This method is especially useful for system administrators managing large environments or following strict SOPs.

How to Allow Support Users to Rename Domain Computers (Without Domain Admin Rights)

Renaming domain-joined computers is a routine IT support task — but granting Domain Admin rights just for this purpose is a security anti-pattern.

This guide explains the correct and Microsoft-supported way to allow IT support engineers to rename computers using PowerShell, without elevating them to Domain Admins, while maintaining proper security boundaries and auditability.

---

Common Misconception

“IT support engineers are already local admins on PCs, so they should be able to rename domain computers.”

❌ Incorrect

• Being a local administrator only allows changes on the local system.
• Renaming a domain-joined computer also modifies the computer object in Active Directory, which requires AD-level permissions.

---

Correct Approach (Best Practice)

✔ Delegate limited Active Directory permissions

Instead of broad admin access, we delegate only what is required:

• Rename computer objects
• Update DNS hostname
• Update Service Principal Names (SPNs)

Nothing more.

---

High-Level Design

Component	Purpose
AD Security Group	Controls who can rename computers
OU-level Delegation	Limits scope to specific computers
PowerShell Rename-Computer	Supported rename mechanism
Local Admin Rights	Required on the target PC

---

Step 1: Create a Dedicated AD Security Group

Example group name:

• IT-Support-ComputerRename

Add your IT Support User accounts to this group.

Tip: Do not assign permissions directly to users — always use a group.

---

Step 2: Delegate Computer Rename Permissions in Active Directory

1. Open Active Directory Users and Computers
2. Right-click the OU containing computer accounts
3. Select Delegate Control
4. Add the group:
   IT-Support-ComputerRename

5. Choose Create a custom task to delegate
6. Select:
   • ☑ Only the following objects in the folder
   • ☑ Computer objects
7. Permissions:
   • ☑ Read
   • ☑ Write
8. Select the following permissions:
   • ☑ Validated write to DNS host name
   • ☑ Validated write to service principal name
   • ☑ Write account restrictions

Finish the wizard.

✅ Delegation is now limited, secure, and auditable.

---

Step 3: Ensure Local Administrator Rights

IT support engineers must also be:

• Members of the Local Administrators group on the target computer
  (via GPO, Intune, or manual assignment)

This is required to execute the rename locally.

---

Step 4: PowerShell Command for Support Users

IT support engineers can now rename computers without supplying domain credentials, using their own login:

Rename-Computer -ComputerName "OLD-PC-NAME" -NewName "NEW-PC-NAME" -Force -Restart


Requirements

• Run PowerShell as Administrator
• Computer must be online and reachable
• Rename triggers an automatic reboot

---

Is -DomainCredential Required?

No, as long as:

• The support user is logged in with their support ID
• The support ID is in the delegated AD group
• PowerShell is run as Administrator

The command uses the current security context.

---

What This Design Prevents

Risk	Mitigation
Over-privileged support accounts	No Domain Admin rights
Credential leakage	No hardcoded credentials
OU-wide damage	Delegation limited to computers
SPN / DNS corruption	Validated writes only

---

Auditing & Logging

Computer rename events are logged in Domain Controller Security Logs:

• Event ID 4742 – Computer account was changed

This makes the activity fully traceable for audits.

---

Recommended Naming Controls

For production environments:

• Enforce naming standards via SOP
• Restrict delegation to specific OUs only
• Require ticket/reference number before rename
• Log changes in CMDB or asset inventory

---

Summary

✔ Local admin rights alone are not enough
✔ Delegated AD permissions are the correct solution
✔ IT support engineers can safely rename computers
✔ No Domain Admin exposure
✔ Fully auditable and compliant

---

Final Note

This approach aligns with least privilege, enterprise security, and Microsoft best practices — making it suitable for regulated and audit-driven environments.

Regards
Syed Jahanzaib

How to Temporarily Suspend Users in FreeRADIUS 3.2.x (Production-Grade ISP Design)

• Author: Syed Jahanzaib ~A Humble Human being! nothing else 
• Platform: aacable.wordpress.com
• Category: Corporate Offices / DHCP-DNS Engineering
• Audience: Systems Administrators, IT Support, NOC Teams, Network Architects

---

 Disclaimer & Note on Writing Style

Every network environment is unique. A solution that works effectively in one infrastructure may require modification in another. Readers are strongly encouraged to understand the underlying concepts and adapt the guidance according to their own architecture, operational policies, and risk tolerance.

Blind copy-paste implementation without proper validation, testing, and change management is never recommended — especially in production environments. Always ensure proper backups and risk assessment before applying any configuration.

The content shared here is based on hands-on experience from real-world deployments, ISP environments, lab testing, and continuous learning. While I strive for technical accuracy, no technical implementation is entirely free from the possibility of error. Constructive discussion and alternative approaches are always welcome.

Due to professional commitments, it is not always feasible to publish highly detailed or multi-part write-ups. The technical logic and implementation details are written based on my own practical experience. AI tools such as ChatGPT are used only to refine grammar, structure, and presentation — not to generate the core technical concepts.

This blog is not intended for client acquisition or follower growth. It exists solely to share practical knowledge and real-world experience with the community.

Thank you for your understanding and continued support.

Freeradius 3.2.x with Mikrotik – Part-1 # Time to upgrade

Regard's
Syed Jahanzaib~ [February 2026]

---

Objective

We want to temporarily suspend any user in FreeRADIUS with:

• A clear rejection message
• Control from a user management portal
• Clean separation of business logic and AAA mechanics

Scenario: In a FreeRADIUS-based billing (3.2.7) / AAA setup, temporarily disabling (suspending) a user should never be done by deleting the account. Instead, suspension must be handled at the authorization layer, with proper database state, auditability, and meaningful rejection messages.

Below is a real-world, ISP-grade design used in production billing and AAA systems.

---

What ISPs Usually Implement (Real World)

Feature	Implemented
Temporary Disable	✅ Account status flag
Auto Resume (not added)	✅ Suspend-until datetime (not added)
Instant Kick	✅ CoA / Disconnect
Audit Trail	✅ Database status change

---

Recommended Approach #1 (Best Practice)

• Account Status Flag in Database

This is how real ISPs and billing platforms implement suspension.

---

1. Create a Proper users Table (Business Logic)

This design:

• Keeps business state in a users table
• Keeps RADIUS mechanics in radcheck / radreply
• Makes suspension logic simple, reliable, and scalable

No hacks. No ambiguity.

CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(64) NOT NULL UNIQUE,
password VARCHAR(255) NOT NULL,
account_status ENUM('active','suspended') DEFAULT 'active',
expiration DATETIME NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

Column Meaning

Column	Purpose
username	Login identity
password	Plain or hashed (your choice)
account_status	Active / Suspended
expiration	Billing expiry
created_at	Audit trail

---

2. Link users → FreeRADIUS (AUTHORIZE Phase)

Edit the FreeRADIUS default site:

nano /etc/freeradius/sites-enabled/default

authorize {
filter_username
## Load account_status from USERS table
update control {
&Tmp-String-0 := "%{sql:SELECT account_status FROM users WHERE username='%{User-Name}'}"
}
## Reject user if account_status = suspended
if (&control:Tmp-String-0 == "suspended") {
update reply {
Reply-Message := "Account suspended. Please contact ISP support."
}
reject
}
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
files
sql
expiration
logintime
pap
}

---

3. FreeRADIUS authorize {} – Account Suspension Check

Why This Is Correct

• ✔ Uses the control list (correct place for decisions)
• ✔ SQL expansion evaluated at runtime
• ✔ reject cleanly stops authentication
• ✔ Custom Reply-Message sent to NAS
• ✔ Fully compatible with FreeRADIUS 3.x (including 3.2.x)

---

4. post-auth {} – Custom Reject Messaging

Use Post-Auth-Type REJECT only for messaging, not logic.

post-auth {
Post-Auth-Type REJECT {
## Suspended account message
if (&control:Tmp-String-0 && &control:Tmp-String-0 == "suspended") {
update reply {
Reply-Message := "Account suspended. Please contact ISP support."
}
}
else {
## Default reject message
update reply {
Reply-Message := "Invalid username or password."
}
}
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}

---

5. Example Data (End-to-End)

INSERT INTO users (username, password, account_status, expiration) VALUES ('zaib', 'zaib', 'suspended', '2029-01-13 11:00:00');

---

Result: Testing with radclient

Ensure that you reload FREERADIUS config after making any changes to config files (we are not talking about record insertion in sql, but we are referring to FreeRADIUS configuration files.)

echo "User-Name=zaib,User-Password=zaib" | radclient -x localhost:1812 auth secretxxx

Output

Received Access-Reject Reply-Message = "Account suspended. Please contact ISP support."

Findings

• ✔ User exists
• ✔ Password exists
• ✔ Status = suspended → rejected
• ✔ Message delivered correctly

---

🧠 Why This Design Is Correct

Aspect	Old Way	New Way
Account status	radcheck hacks	users table
Expiration	Mixed with AAA	Business logic
SQL ambiguity	High	Zero
Scalability	Poor	Excellent
Web panel	Hard	Easy

This is exactly how ISP billing systems work in production.

---

⚠️ Important Security Note

For better security:

• Store hashed passwords in users
• Sync only Cleartext-Password to radcheck
• Or enforce PAP / CHAP correctly

---

6. Disconnect Active Session (CoA / MikroTik Example)

Note: Suspending a user does not disconnect an already active session.

echo "User-Name=zaib" | radclient -x 127.0.0.1 disconnect testing123

Notes

• 127.0.0.1 → FreeRADIUS server
• disconnect → CoA port (usually 3799)
• testing123 → NAS secret
• -x → debug output

Requirement: NAS must support RFC 5176 CoA / Disconnect-Request

---

Alternative Method #2: Reject Attribute (Simple but Limited)

Insert a reject rule directly into radcheck.

Disable User

INSERT INTO radcheck (username, attribute, op, value) VALUES ('zaib', 'Auth-Type', ':=', 'Reject');

Enable User Again

DELETE FROM radcheck WHERE username = 'zaib' AND attribute = 'Auth-Type';

Notes

• Forces rejection at RADIUS level
• No FreeRADIUS restart required
• Works with FreeRADIUS 3.x
• Less flexible than a status flag
• Not ideal for billing portals

✅ Is your temporary disable (suspend) implementation correct?

Short answer:
👉 YES. Your approach is correct, clean, and production-acceptable.

Let’s validate it calmly and close this properly.

---

✅ What you implemented (and what works)

1️⃣ Business flag in users table

account_status = active | suspended


✔ Correct place
✔ Not mixed with radcheck
✔ Easy for billing / admin panel
✔ Audit-friendly

This is exactly how it should be done.

2️⃣ Suspension enforced in authorize {}

✅ This is perfect for suspension.

Why this is good:

• Suspension is enforced before authentication
• No password check happens
• No ambiguity
• Works for PAP / CHAP / MSCHAP / EAP
• Deterministic behavior

This is textbook FreeRADIUS policy design.

3️⃣ Post-Auth fallback message

In post-auth you have (simplified):

✅ This is also OK.

Why keep it?

• Covers edge cases
• Ensures a message is always present
• Safe if future logic changes
• Does not interfere with normal auth

---

Final Verdict

✅ Final Verdict (Clear & Honest)

✔ Your temporary disable logic is correct
✔ Using account_status in users table is the right design
✔ Enforcing suspend in authorize is best practice
✔ Having suspend message in both authorize and post-auth is acceptable
✔ This setup is production-safe

You achieved your main objective successfully

👍 Recommended final stance

Keep your current suspend logic exactly as it is.
Don’t over-optimize it.

If later you want:

• auto-unsuspend
• suspend-until date
• disconnect active sessions
• billing integration

Those can all be layered on top of what you already built.

SJZ