Dmitry’s PowerBlog: PowerShell and beyond

I’ve recently blogged about retrieving AD security with PowerShell, as you can probably guess for every Get-* there is a Set-* and AD cmdlets 1.1 provide you an easy way to change the permissions set on any AD object.

Add-QADPermission and Remove-QADPermission are your biggest friends here.

Well, obviously and the power of the PowerShell pipeline. My favorite example is copying permissions from one object to another with that simple oneliner:

Get-QADPermission “Dmitry Sotnikov” | Add-QADPermission “Evil Tween”

This simple line is incredibly powerful. It takes all permissions directly set on the first objects and adds them onto the second one. Of course you could put where in the middle to do some filtering if you need.

Of course you can explicitly grant specific rights on specific objects. Suppose you want to give Administrator full control over an OU and everything in it. Easy:

Add-QADPermission ‘OU=Demo,DC=mydomain,DC=local‘ -Account Administrator -Rights ‘GenericAll‘

You can use the -Deny parameter to deny access, -PropertySet to work with property sets and -ApplyTo to select whether you want to give rights only to this object or its children or any possible combination. So for example you could do:

Add-QADPermission dirObjectIdentity -Deny -Account trusteeIdentity -Rights ‘WriteProperty‘ -PropertySet (‘General-Information‘,‘Web-Information‘) -Property ‘samAccountName‘ -ApplyTo ThisObjectOnly

You can also pipe any AD object into these cmdlets (similar to reading the objects) for bulk operations:

Get-QADUser -City Orlando -SecurityMask Dacl | Add-QADPermission -Account ‘Dmitry Sotnikov‘ -Rights ‘ReadProperty‘

And, as you can easily guess Remove-QADPermission can delete any ACE in much the same way. For example, let’s remove all the Deny ACEs from a particular object:

Get-QADPermission objectIdentity -Deny | Remove-QADPermission

You can find more information and examples in the user’s guide and by typing get-help for any of these cmdlets.

Download the cmdlets and give us your feedback at the AD PowerShell discussion forums.

Tags: AD, AD cmdlets, Active Directory, Examples, PowerShell, Security, cmdlets, one-liner, oneliner
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Did you know that you can use PowerShell to monitor your website and send you alarms when something goes wrong? We had availability issues with our community site and I was quite surprised that the 20-line (!) PowerShell script did the job!

Basically, all I had to do was use the Net.WebClient object and its DownloadString method to query the page (with some proxy handling code I got from Alexey Chuikov), and trap any exception which it generates when something goes wrong. The trap is using our internal relay server to send me and everyone who is involved in the site administration the email.

Here’s the code:

##########################################################
# Test-Site - script to test web site availability
# and notify in case of any issues
# (c) Dmitry Sotnikov
# http://dmitrysotnikov.wordpress.com
##########################################################

function Test-Site {
    param($URL)
    trap{
        “Failed. Details: $($_.Exception)“
        $emailFrom = “my.email@address.com“
        # Use commas for multiple addresses
        $emailTo = “my.email@address.com,another.admin@address.com“
        $subject = “PowerGUI.org down“
        $body = “PowerGUI web site is down. Details: $($_.Exception)“
        $smtpServer = “smtp.server.to.use.for.relay“
        $smtp = new-object Net.Mail.SmtpClient($smtpServer)
        $smtp.Send($emailFrom, $emailTo, $subject, $body)
        exit 1
    }
    $webclient = New-Object Net.WebClient
    # The next 5 lines are required if your network has a proxy server
    $webclient.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    if($webclient.Proxy -ne $null)     {
        $webclient.Proxy.Credentials = `
                [System.Net.CredentialCache]::DefaultNetworkCredentials
    }
    # This is the main call
    $webclient.DownloadString($URL) | Out-Null
} 

Test-Site “http://powergui.org“

To test it you can obviously just put an invalid URL into the call.

Once I had the script running, I just set up a scheduled task in Windows Task Scheduler to run the script every 15 minutes:

One trick I learned from MoW and used in the task, was using the -command parameter (rather than just supplying the script) and including the exit $LASTEXITCODE into the command, so the exit code from the PowerShell script gets registered as the scheduled task result.

So here’s the command-line I have scheduled:

c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -command ". c:\scripts\test-site.ps1; exit $LASTEXITCODE"

Works flawlessly! And can save you tons of money on a monitoring solution. Talk about ROI from learning PowerShell!

Tags: .NET, Examples, Exchange, Internet, OpsMgr, PowerShell, Reporting, email, server management
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

As I mentioned yesterday, thanks to the community efforts PowerGUI is now available in 7 different languages and the list keeps growing.

If your language is among the ones available for download:

1. Simply download and install PowerGUI,
2. Download the localization pack,
3. Extract the locale folder to the PowerGUI installation folder:

If your Windows language is that same language you have installed, just restarting PowerGUI will do the trick - it will change the UI language automatically.

If your Windows language is different (e.g. Windows UI is English, but you want Danish PowerGUI), you will need a couple of extra steps:

1. Go to the PowerGUI profile folder:
   C:\Users\username\AppData\Local\Quest Software\PowerGUI - on Windows Vista and 2008.
   C:\Documents and Settings\username\Local Settings\Application Data\Quest Software\PowerGUI - on Windows XP and 2003.
2. Open the quest.powergui.xml file in Notepad, and change en-US to the name of your locale (which is the same as the localization folder name):

That’s it! Now you will have PowerGUI speak your mother tongue!

Tags: KB, Knowledge Base, Localization, PowerGUI, PowerShell
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Thanks to Kevin Steffer, PowerGUI is now also available in Danish!

As far as I remember despite fantastic command of English, prince Hamlet was not really using PowerShell a lot. I hope that now that we have PowerGUI in Danish this last obstacle which some of his fellow citizens had is gone!

PowerGUI is now available in 7 languages - all of which can be found on the downloads page.

Tags: Localization, PowerGUI, PowerShell
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

I spent last week playing around with IIS 7 PowerShell provider (and cmdlets) and feel like it’s time to share my experience and provide feedback to the IIS team.

Overall my experience was pretty bad. I found the provider and cmdlets not really making administration any easier, being hard to understand and use, error prone and sometimes even dangerous. The PowerShell provider is currently Technology Preview 1, so I hope my feedback is timely and things can still be changed.

In a nutshell, similar to SQL, IIS 7 PowerShell provider has the provider: exposing sites and application pools - and 16 cmdlets.

I am not sure what is the value of the provider because the structure of the namespace is actually not dynamic (like for example AD or file system) but fixed to this hierarchy:

    IIS:\
          Sites
                Site Collection
                       Applications and Virtual Directories
          AppPools
                 WorkerProcesses

In my opinion, in that case, provider has no real value, because cd iis:\\sites is not any easier than get-site. Actually it is worse, because get-site could have additional parameters for filtering like for example get-site -running -author Dmitry.

Working with object properties is even more painful. Just getting them is a weird process of traversing an unknown XML structure. For example, let’s say you would like to know which ports are your site listening, or various connection limits, or log file information - these are all hidden as elements of child collections inside the objects.

You cannot use: get-site | format-table Name, Port, *limit*.

Instead you have to use something like:
$site = get-item SiteName
$site.bindings.Collection[0].bindingInformation
$site.limits.maxBandwidth
$site.limits.maxConnections
$site.limits.connectionTimeout

Getting this into a table for multiple sites is sure possible using the ability of format-table to accept custom columns with expression - but that’s not the syntax I find myself comfortable to use.

However, that is nothing compared to trying to change any settings. For my demo I wanted to change all my sites with int* prefix currently listening to port 80 to use 8080 instead. Well, first of all I had to just use dir int* because adding filtering by bindings would have made my code too hard to follow for the demo, but then I had to do something like:

dir int* | Set-ItemProperty -Name bindings -Value @{protocol="http"; bindingInformation="8080"}

Not only typing this is a pain (why not have: Set-Binding -Protocol Http -Port 8080 ?) the code actually damaged my lab because it turned out that the sites also had custom URLs they were using and these got deleted, so the sites got assigned to localsystem and were stopped due to a conflict.

Because most of the properties are organized that way - as various property hash tables and hierarchical structures - changing anything is a pain.

And these are basic scenarios. Even creating a site requires you to use this awful hash-table syntax:

PS IIS:\Sites> New-Item iis:\Sites\TestSite -bindings @{protocol="http";bindingInformation=":80:TestSite"} -physicalPath c:\test

Changing any configuration properties again requires you to use some weird filter path specifying how to get to that property. Can someone really type this?

PS IIS:\Sites\DemoSite\DemoApp> Set-WebConfigurationProperty -filter /system.webServer/security/authentication/windowsAuthentication -name enabled -value true

Bulk operation require using XPaths and are completely beyond my comprehension:

PS IIS:\Sites\DemoSite\DemoApp> set-webconfiguration "/system.webServer/handlers/add[@path='*.aspx']/@path” -value “*.mspx”

I am not a web admin - so there is a chance that I am just wrong in my assumptions, and all the examples above are absolutely intuitive for any web guy. However, I find them all magnitudes more complex than Exchange or AD cmdlets, and I have a suspicion that for some reason the IIS team simply decided not to spend time looking at these examples or documenting the use case and designing for them, but instead simply looked for the easiest way to expose their xml config files via PowerShell.

To me the goal of PowerShell is making IT automation easy. And to me this does not look easy at all. In fact I think all these @{} scared a lot of folks watching my demo at the ReMIX last Friday.

In the documentation, Thomas Deml is saying that the reason for this hash-table approach is that IIS configuration is flexible and fully extensible. I am not sure this is an excuse. AD is also extensible and its objects can have any elements you add when extending the schema. However, there are ways to handle that. For example for AD cmdlets, we are exposing all frequently used and standard elements as properties and cmdlet parameters and have additional parameters such as -ObjectAttributes for those extended ones.

I really hope that it is not too late to redesign the IIS snapin with real use cases in mind and make it more Exchange/AD/DPM-like. Thomas does mention a couple of times that they “are thinking about wrapping some typical tasks like creating sites with additional functions or scripts in a later Tech Preview.” however, I am afraid that just adding a few scripts will not solve the issue - scripts are second-class citizens compared to cmdlets and just adding a few of them will not solve the overall complexity problem.

Guys, please re-use the expertise from other teams. Talk to Vivek Sharma or Evan Dodds, talk to the PowerShell team, or PowerShell community folks (like QAD cmdlets guys). Many people have been on similar tasks before and will be happy to share their experience.

On the positive side, Thomas has actually done a fantastic job documenting the current state of the provider in his series of step-by-step tutorials at iis.net - I highly recommend these walkthoughs if you want to get started.

The current status of the snapin is Technical Preview, so hopefully this all is out to collect our feedback and I hope others chime in and give the IIS team good feedback from their side. IIS 7 is overall a great step forward compared to IIS 6. The team is clearly listening to community feedback so let us be vocal here as well.

Tags: IIS, PowerShell
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

We have just shipped PowerGUI 1.5.0 - which is a very important upgrade for us with a lot of new and exciting features.

Right now I am overexcited to provide a detailed what’s new list so I will just give you the ones off the top of my head and will hope that others (or myself later this week) will provide a more detailed overview.

PowerGUI Administrative Console:

• New filters: we have completely revamped the set of filter operations to make them much more user-friendly so you get “starts with”, “ends with” and so one instead of “like”
• Totally revamped code generation for the PowerShell Code tab. We got rid of scriptblocks and made the code much more readable.

PowerGUI Script Editor:

• Output window now has a live PowerShell prompt built into it!
• Multitab UI.
• Edit menu has options to copy code as HTML or RTF – for all bloggers out there.
• Errors are written to the output window (obviously in red).

Both components:

• Both x64 and x86 version installed on x64 machines.
• A much nicer input box is displayed for your read-host commands.
• Ability to manually change the UI language.

And multiple smaller improvements everywhere!

Now we will probably get back to smaller regular 1.5.x upgrades getting you even more exciting features in the next few months. There’s so much on our roadmap that this is going to be a very exciting year for the PowerGUI team and user community. Please visit our discussion forums and let us know what you think and what you want to be added to the product.

You can download this latest version as well as updated localization modules from PowerGUI.org.

Tags: PowerGUI, PowerPack, PowerShell, Release
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Steve Crouse has recently published his PowerGUI pack for Microsoft Visual Studio Team Foundation Server - thus, fulfilling James Manning’s long time wish.

This is a very nice tool allowing for browsing the work items for all the projects on a Team Foundation Server either by area or iteration. In addition you can view all open work items assigned to you, regardless of project. Project metadata such as the work item editing form definitions can be viewed for each project.

The default work item edit form can be launched for work items (although until PowerShell 2.0 is released with support for execution under Single-threaded Apartment mode the form does not function correctly.)

And, as usual the PowerShell code tab lets you easily see how everything you do translates into PowerShell - so you can later use this knowledge to automate things in your project (Steve basically loads the Team Explorer assemblies and uses them to connect to the server and retrieve data.)

You can download the VSTFS pack and leave your comments and feedback to Steve.

Tags: PowerGUI, PowerPack, PowerShell, TFS, software development, software testing
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

PowerGUI (our free PowerShell admin console and IDE) just got into the finals of the Best of TechEd 2008 competition!

Very exciting considering the products competing for the award, and the fact that last year this exact award went to PowerShell itself. Seems natural to give it to PowerGUI this time around, right?

Tags: Conferences, PowerGUI, PowerShell, TechEd, TechEd2008, awards
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Below is a step-by-step instruction on installing Windows PowerShell on Windows Server 2008 in Server Core mode.

Note that these are in no way official or supported by Microsoft. Microsoft is working on official version of .NET and PowerShell for Server Core installations, so eventually you will be able to get this fully supported. Until then below are the instructions you can use at your own risk, etc., etc.

Quick Introduction

Windows Server 2008 has a command-line installation option - Server Core - which significantly reduces the attack surface and patch requirements by the virtue of not having Explorer and other UI components not needed in datacenter.

The problem is that it only ships with traditional cmd.exe and not PowerShell. To make things worse neither PowerShell nor .NET as they are today can be installed on such systems.

Below are the steps you can take to create packages of these tools which can be installed. Basically the whole procedure consists of just four main steps:

1. Installing Visual C++ Redistributable Packages (required for .NET).
2. Installing .NET 2.0 SP1
3. Installing PowerShell.
4. Jumping around the computer and shouting “I’ve got it!”

So let’s get started!

1. Visual C++ Redistributable Packages

This is the easiest one. All you need to do is download the packages you need:

• Microsoft Visual C++ 2005 SP1 Redistributable Package (x64)
• Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)

After that, copy these files to your Server Core computer (e.g. using Robocopy) and simply run them there.

If your Server Core is 32-bit - just run vcredist_x86.exe.
If it is 64-bit, you need to install both x86 and x64 versions (vcredist_x86.exe and vcredist_x64.exe).

2. .NET Framework

This is the most tricky part. PowerShell needs .NET 2.0 and .NET 2.0 is supposed to be a component of Windows Server 2008 so we will have to get a package of the framework which can get installed on such a system. To accomplish that we will:

1. Download .NET Framework 3.5.
2. Unpack the setup to get access to the .NET 2.0 Service Pack 1 installation files.
3. Download and install the Orca MSI editor.
4. Use Orca to remove the Windows version check.
5. Run the updated MSI.

2.1. Download .NET: Go to Microsoft’s web site and download full redistributable package of .NET 3.5.

2.2. Unpack the file:
a. Create a folder c:\deploy
b. Save the downloaded .NET framework package to this folder.
c. Download the wonderful deploy.cmd script which Artem has posted and put it into the same folder.
d. Run the script.

After the script executes, the C:\Deploy\AIP folder will have both NetFx20_x64 and NetFx20_x86 folders with .NET 2.0 framework files you need.

2.3. Install Orca:

This is great but unfortunately you cannot just install the files because the MSIs are specifically checking for Windows version. So now we need to disable this check. To do this we will use Microsoft’s Orca MSI editor.

Note: This all needs to be done on a regular, not Server Core, machine. We will copy the results of our Orca operations to the Core box later on.

If you don’t have Orca, follow these steps to download it:
a. Download the Windows SDK for Windows Server 2008 and .NET Framework 3.5 installer.
b. Run the installer and deselect everything except Win32 Developer Tools (this will make sure that you only download the few megs you need.)

c. After the installation completes, go to C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin and install Orca.msi.

2.4. Tweak the setup:

Now its time to do some patching.
a. Start Orca and open the MSI you need (C:\Deploy\AIP\NetFx20_x86\NetFx20a_x86.msi for 32-bit version or C:\Deploy\AIP\NetFx20_x64\NetFx20a_x64.msi for x64).
b. Click Component.
c. In x86 locate: Regtlib.exe_Tool_____X86.3643236F_FC70_11D3_A536_0090278A1BB8
In x64 locate that one and Regtlib.exe_Tool_____A64.3643236F_FC70_11D3_A536_0090278A1BB8
d. Change the Condition from (VersionNT < 600) or Version9X to just VersionNT or Version9X.

e. Save changes (either to that same MSI or a transform file.)

2.5. Install .NET

Copy the files (the whole folder) to your core machine and start the MSI via this command line (note that you need to use msiexec in order to pass the vsextui=1 parameter):

If you saved a transformed file and are running 64-bit version you will probably run:
%SystemRoot%\system32\msiexec.exe /package "NetFx20_x64\NetFx20a_x64.msi" vsextui=1 transforms="ServerCore.mst"

On x86 without a transform that would be:

%SystemRoot%\system32\msiexec.exe /package "NetFx20_x86\NetFx20a_x86.msi" vsextui=1

That’s it. Now we have .NET installed and can go to the final step - PowerShell installation!

3. Windows PowerShell

There is no PowerShell v1 setup for Windows 2008 (again, because it is supposed to be a component) but you can actually download and install the CTP (note: this is a pre-beta code - not for production use). PowerShell v2 CTP2 is available from Microsoft’s downloads page.

Download the version you need, copy the msi over to the Server Core box and simply run the msi.

4. Enjoy!

Now you can start PowerShell!

Just run:
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

And you will see the prompt change to: PS C:>

That’s it. Now you are among the first geeks in the Universe to have PowerShell on Server Core!

Acknowledgments: I could only have this all accomplished thanks to the help I got from Alex Kibkalo and a great post by Artem Pronichkin on installing .NET on Server Core.

Tags: PowerShell, PowerShell v2, Server Core, Windows Server 2008, hack
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

While I am in the mood for reviewing the goodies from the PowerGUI extensions library, here’s another useful pack for VMware users - LabManager PowerPack by Mark Kilfoil.

You can use it to bulk-manage LabManager workspaces and perform various actions on the machines: Power On, Power Off, Suspend, Resume, Reset, Snapshot, Revert, Shut Down, and even open Remote Desktop Session.

The cool thing about the pack (besides its usefulness :)) is that LabManager as it is does not actually expose PowerShell cmdlets. Instead Mark is using remote web-service SOAP interface from his PowerShell code. Because all PowerGUI packs are open source - just XML files with PowerShell code publicly posted in the library - there’s quite some code in this pack to learn a few tricks here.

The LabManager pack is available here.

Tags: Examples, PowerGUI, PowerPack, PowerShell, VMware
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |