Archive for September, 2007

We need namespaces!

OK, time for another PowerShell v2 feature request: we need namespaces.

Right now, if we call AD cmdlets getting user objects Get-User and this snapin gets installed on the box which already has Exchange 2007 management tools which also have Get-User – my scripts stop working.

What I would like to have (please) is some kind of using construct which would make the snapin name I supply default for subsequent name resolution. And of course at any time I should be able to use the full name to disambiguate. This is the PowerShell code I would like to supply in v2 era:

#the statement below makes the specified snapin default for name resolution
using Quest.ActiveRoles.ADManagement

Get-User "Dmitry Sotnikov" | Set-User -city “St. Petersburg” #AD snapin is used
new-group qdl.powershell #AD snapin used

#the command below is explicitly using Exchange 2007 new-mailbox
Microsoft.Exchange.Management.PowerShell.Admin\new-mailbox conf234 | ForEach-Object {

#This is using AD again
set-user –Description “Created by Exchange”


This will remove the necessity to prefix each noun (which Kirk opposes and for a good reason), and does not require everyone to create custom namespace management functions (like Antonio is doing) which don’t work for all scenarios and are not present on each workstation out there anyway so the scripts you publish in the internet don’t necessarily work, people have to copy-paste 2-line function just to run your one-liner, etc.

I think this kind of namespace support is something PowerShell team absolutely needs to provide in v2 or things will start getting really confusing very soon: even just at Microsoft how many products have some kind of notion of users, sites, computers, etc. We are on a collision course here.

I’ve submitted this to Microsoft Connect: – feel free to vote for the CR over there.

Tags: , , , ,

AD cmdlets in the voting booth

Found this via Jackson. ActiveRoles Server – the AD rules, roles, policy, identity management, provisioning, etc. product which has the AD cmdlets as a freeware component (and frankly pays the bill for the effort) is featured in a few nominations in the Info Security reader’s choice awards.

So if you like the cmdlets, one of the ways to show that is going to the site and voting for ActiveRoles Server over there.

A few other Quest products are nominated as well, so if you happen to be using them – feel free to add them to the ballot.

Tags: , , , ,

Bulk group type & scope change

How do you bulk change group scope and type in PowerShell? This came up in the newsgroup today so I thought I would blog about the solution as well.

Suppose you want to change the scope of all Global Distribution groups in your domain to Universal. Getting the groups is easy – you just use Get-QADGroup with the appropriate parameters. However, AD cmdlets 1.0.4 still don’t have the Set-QADGroup cmdlet (which is coming soon ;)) so as usual we can cheat here by using Set-QADObject cmdlet and ObjectAttributes parameter which give access to any AD objects and attributes.

Because of this workaround we’ll need to supply the appropriate value for the new type and scope. This table will help you pick the one you need:

Value GroupType
2 Global distribution group
4 Domain local distribution group
8 Universal distribution group
-2147483646 Global security group
-2147483644 Domain local security group
-2147483640 Universal security group

So for example taking all global distribution groups and making them universal is a matter of running this one-liner:

Get-QADGroup -GroupType Distribution -GroupScope Global | Set-QADObject -ObjectAttributes @{grouptype=8}

A couple of notes:

  • By default, Get-QADGroup will only retrieve the first 1000 of groups matching the criteria. If you have more you might want to change the default size limit. Setting it to 0 will remove all limitations: -SizeLimit 0.
  • Not all groups can be converted to all types.

Tags: , , , , , , ,

Russian Channel 9 goes Silverlight

Microsoft seems to be starting making Silverlight (aka Flash-killer) as the primary option to view content on some of its sites. The one I spotted is the regional Russian Channel 9 video site.

I went to the site to see the newly posted Russian version of the PowerShell for AD video with Jeffrey Snover and myself – and had to install the Silverlight plug-in to do that.

I think this was the first time (apart from the web pages on Silverlight itself and demo prototypes such as Tafiti) when Microsoft started doing that. Of course this should help drive wider adoption but at the same time I guess you need to be sure that the content is valuable enough for the visitor to install the plug-in – which was the case with me wanting to watch myself on the video. 😉

UPDATE: It looks like they now also added (or it was there from the get go and I just did not notice it) the option to download the wmv version of the video. It is just that it is somewhat below and in smaller font so Silverlight is a much more noticeable option (and the only one for video streaming.)

Tags: , , ,

VMware demos PowerGUI/PowerGadgets integration, VI goes PowerShell

Another big vendor is adopting PowerShell as the way to manage the infrastructure they provide and the vendor is… VMware. Definitely not a small name in the industry, and this by no means is some kind of side project for them. They are providing PowerShell for their key technology – VMware Infrastructure.

The announcement and a live demonstration was made at VmWorld last week. And Antonio – who delivered the session – actually made the slides available in his blog post with the news: VMworld2007_IO30.pdf.

What is even more cool is that during the session they demonstrated the integration they were getting with PowerGUI and PowerGadgets:

  • Created a quick PowerGUI pack with a node retrieving VMs,
  • Within PowerGUI console, filtered them by various properties,
  • And output the ones left into a PowerGadgets chart showing the CPU usage.

Slide on PowerGUI integration from VMware PowerShell session

This is pretty impressive and shows how much VMware “got it” and is joining the PowerShell ecosystem!

Congratulations to Antonio and the whole team!


P.S. By the way, check out the documentation generation script the guys are using. I’ve already forwarded this to the AD cmdlets team.

Tags: , , , ,

Fine-Grained Password Management post from Tyson

Tyson Kopczynski – the author of Windows PowerShell Unleashed (sample chapter available here) has a post on Managing Fine Grained Password Policies.

In which he also complaints that big vendors – Microsoft in this case – are sometimes releasing features – like BitLocker or fine-grained password policies – without fully providing sufficient management tools to actually use them. Needless to say this is very much inline with what I am thinking on the need for do-it-yourself administrative consoles.

Tyson concludes by the following:

My reply to my co-worker was to use either the PasswordSettingsObject cmdlets from Quest or the PowerGUI snap-in which uses those cmdlets –

I’ve also previously blogged about both the cmdlets and the UI:

Tags: , , , , , , , , , , , ,

Changing OpsMgr UI

Right after I blogged yesterday about the value of UI customization I came across this post by Ian Blyth on how Systems Center Operations Manager console only allows you to set the agent proxy one server at a time. Ian writes how painful it is to manage multiple servers and how he has to use workarounds such as command-line or a separate utility by Boris Yanushpolsky (a friend of mine by the way: hello Boris! ;))

In the end of the post Ian mentions that he only hopes OpsMgr SP1 will bring the change.

By the way, thanks to Rob, PowerGUI already has a pack for Operations Manager which provides for bulk operations and is fully extensible so you can have UI for proxy agent management and much more without waiting for Microsoft to provide every possible option you need in some SP.

Will that help you, Ian?

Tags: , , , , , , , , , ,

Ultimate UI flexibility

Gaël has a blog post on PowerGUI showing the way future software products should provide UI providing you with scripts for whatever you do so you can easily automate the tasks you need.

I would also add another aspect to this: full customization of the UI: being able to add a tree node or action by simply searching for functionality or plugging in a script (which you could in turn get from the code you got from previous tasks). This is so much different from the old way on which you basically had to stick to whatever a software vendor shipped, and the only way to have the UI changed was to submit a change request (ever sent emails to and wait for another year or two before the vendor (provided they get another million of similar requests) release an updated version with some kind of implementation of the way they understood you. 😉

In case you don’t speak French, here’s a translation of Gaël’s post.

Tags: , , ,

New AD cmdlets demo

Robert Bobel who is Quest’s Product Manager for ActiveRoles Server (AD management, rules, roles, provisioning, approval workflow tool) and AD cmdlets has just posted his new demo of both of his products working separately and together.

He gives a quick introduction to ActiveRoles, then switches to the PowerShell command-line, explores the AD (gets users, groups, etc.), performs bulk operations like provisioning users from csv file, etc.

Then he demonstrates the integration of the free PowerShell command-line with the commercial application and shows how his PowerShell scripts can go through automated policy enforcement and approval workflows.

To see the demo just go to the Quest’s PowerShell page and click the Product in Action picture in the AD cmdlets section.

Also, if you have not seen a more detailed webcast of AD management with PowerShell which Bob and I gave a few months ago – the recording is still available for you to grab.

Tags: , , , , , , , , ,

Unintuitive expression behavior in pipelines

It looks like you cannot use expressions with $_ when submitting parameters to a cmdlet in a pipeline.

This means that the examples below do not work:

# Give all users passwords based on their samAccountNames
Get-QADUser | Set-QADUser -UserPassword $_.samAccountName

# Append a postfix to each name
Get-QADUser -City London | Rename-QADObject -NewName ($_.Name + " - London")

# Add a prefix to each file in the current folder
dir |Rename-Item -NewName ("_" + $_.Name)

No matter how intuitive these look to you, in reality they don’t work. All these $_.something get evaluated to empty strings and thus users get blank passwords, and names get changed to just the prefixes/postfixes while losing the main parts.

This happens because PowerShell v1 evaluates the expressions not for each item in the pipeline but once before items get passed to the cmdlet. So the second cmdlet in the pipeline just does not get the parameters.

The workaround is to use ForEach-Object instead of direct pipeline. So the examples above would be changed to:

# Give all users passwords based on their samAccountNames
Get-QADUser | ForEach-Object { Set-QADUser $_.DN -UserPassword $_.samAccountName }

# Append a postfix to each name
Get-QADUser -City London | ForEach-Object { Rename-QADObject $_.DN -NewName ($_.Name + " - London") }

# Add a prefix to each file in the current folder
dir |ForEach-Object { Rename-Item $_ -NewName ("_" + $_.Name) }

Specifically for the last example you could also use scriptblock instead of the expression and this will work because PowerShell team implemented scriptblock support for this particular cmdlet:

# Add a prefix to each file in the current folder
dir |Rename-Item -NewName {"_" + $_.Name}

I don’t know why was this specific design decision made, and I wish the syntax cited in the beginning of the post (and which I consider much more intuitive!) worked. If anyone from PowerShell team is reading – please consider this a feature request in addition to the security and other v2 requests I made before. 😉

For additional discussions see these forum/newsgroup threads:

Tags: , , ,

My Recent Tweets


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

September 2007

%d bloggers like this: