|
Jethro posted: Right, FISHMANPET was talking about ambiguity in terms of how Powershell interprets a statement versus the ways a person could interpret it.
Yes thank you, this is what I meant by ambiguity, explained better than I could probably do myself.
|
# ? Nov 6, 2019 01:04 |
|
Ok. This is more of a "ok, maybe I'm not going mad" question. I've got an AD group that's just 3 letters. We'll call it FOO. If I do Get-ADGroup -identity "FOO", I get an error it can't find the group. FOO is the name if I do it like Get-ADGroup -filter 'Name -like "FOO"'
|
# ? Nov 22, 2019 17:11 |
|
Irritated Goat posted: Ok. This is more of a "ok, maybe I'm not going mad" question.
Your group's 'Name' and 'SamAccountName' are different. The identity argument for Get-AdGroup only takes: distinguished name, GUID, objectSid, or sAMAccountName
|
# ? Nov 22, 2019 19:06 |
|
So, every 3 weeks I have to change the passwords on a few hundred test accounts and afterwards, the services running as those accounts have to be changed as well. I wrote a script to go out to the associated servers and change the passwords on the services and it 100% works as-advertised except... the services tend to revert to the old password after reboot. Is there something I'm missing here to make this persistent? code:
|
# ? Nov 27, 2019 19:40 |
|
What return value are you getting when the Change method of the Win32_Service WMI class is invoked? Going off the doco your usage looks OK however it's a bit vague as to whether the StartName parameter is always required. In the examples section it shows changing a password by specifying only the StartPassword parameter so maybe try it without the StartName parameter (e.g. $_.change($null,$null,$null,$null,$null,$null, $null, $New_Password, $null, $null, $null))? Alternatively you may want to look at using the Set-Service cmdlet instead of WMI (Assuming your fleet has the required PS version).
|
# ? Nov 28, 2019 03:17 |
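The return-value check suggested in the post above, as an added example that is not part of the original thread or the original script: it sets only StartPassword through the Win32_Service Change method via CIM and reports the result code per service. The function name, account name and host names are constructed placeholders.

```powershell
function Set-ServiceAccountPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$StartName,          # e.g. 'EXAMPLE\svc-test01' (constructed)
        [Parameter(Mandatory)][securestring]$NewPassword
    )

    # Subset of the documented Win32_Service.Change return values.
    $meaning = @{
        0  = 'Success'
        2  = 'Access denied'
        15 = 'Service logon failed'
        21 = 'Invalid parameter'
        22 = 'Invalid service account'
    }

    # WQL string literals need backslashes and single quotes escaped.
    $wqlName = $StartName.Replace('\', '\\').Replace("'", "\'")
    # Change() takes the password as a plain string, so unwrap it as late as possible.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password

    foreach ($computer in $ComputerName) {
        try {
            $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
                -Filter "StartName = '$wqlName'" -ErrorAction Stop
        }
        catch {
            # Unreachable host or auth failure: record it and keep going.
            [pscustomobject]@{ Computer = $computer; Service = $null; ReturnValue = $null
                               Result = "Query failed: $($_.Exception.Message)" }
            continue
        }

        foreach ($svc in $services) {
            if (-not $PSCmdlet.ShouldProcess("$computer\$($svc.Name)", 'Change StartPassword')) { continue }

            # Named arguments: only StartPassword is supplied, everything else is left unchanged.
            $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
                -Arguments @{ StartPassword = $plain }
            $code = [int]$r.ReturnValue
            $text = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { 'See Win32_Service.Change documentation' }

            [pscustomobject]@{ Computer = $computer; Service = $svc.Name
                               ReturnValue = $code; Result = $text }
        }
    }
}

# Usage (constructed host names); -WhatIf lists the services without changing them:
# $pw = Read-Host -AsSecureString 'New password'
# Set-ServiceAccountPassword -ComputerName 'test-app01','test-app02' -StartName 'EXAMPLE\svc-test01' -NewPassword $pw -WhatIf
```

A row with a non-zero ReturnValue shows that the change was rejected on that host, which the original one-liner would not reveal.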
|
Pile Of Garbage posted: What return value are you getting when the Change method of the Win32_Service WMI class is invoked? Going off the doco your usage looks OK however it's a bit vague as to whether the StartName parameter is always required. In the examples section it shows changing a password by specifying only the StartPassword parameter so maybe try it without the StartName parameter (e.g. $_.change($null,$null,$null,$null,$null,$null, $null, $New_Password, $null, $null, $null))?
I'll check what's getting returned when I get back to the office on Friday. I'm using wmi instead of Set-Service because they removed Set-Service's remote capability in v6 and later so you have to get funky with Invoke-Command to do that now.
|
# ? Nov 28, 2019 04:54 |
|
Toshimo posted: So, every 3 weeks I have to change the passwords on a few hundred test accounts and afterwards, the services running as those accounts have to be changed as well.
Assuming that your AD environment will support it, this is exactly the case a Managed Service Account, or Group Managed Service Account, was made for, unless you're also using those accounts to log in as or do other manual entries. I'm not any help as to the issue you raised, though.
|
# ? Nov 28, 2019 05:51 |
|
sloshmonger posted: Assuming that your AD environment will support it, this is exactly the case a Managed Service Account, or Group Managed Service Account, was made for, unless you're also using those accounts to log in as or do other manual entries.
Yes, these are test accounts that are also logged into manually, and also used to run automated testing. So, they're simultaneously:
|
# ? Nov 28, 2019 06:17 |
|
Toshimo posted: Yes, these are test accounts that are also logged into manually, and also used to run automated testing. So, they're simultaneously:
Have you considered automating the provisioning and configuration of these machines with tools like packer and puppet? Manually rotating passwords is kind of an antiquated approach.
|
# ? Nov 28, 2019 07:16 |
|
New Yorp New Yorp posted: Have you considered automating the provisioning and configuration of these machines with tools like packer and puppet? Manually rotating passwords is kind of an antiquated approach.
I don't get to make that call. The Agency mainframe requirement is password change every 28 days and we have to update AD to stay in sync. It would take a literal Act of Congress to change that, I suspect.
|
# ? Nov 28, 2019 08:51 |
|
That you're changing service account passwords at all is a marked improvement over the usual practice of ticking "Password never expires" and calling it a day (Which is what I've seen in almost every single AD environment I've encountered).
|
# ? Nov 28, 2019 11:06 |
|
I'm having a hard time doing what seems like a simple task. Can someone help me out here? All I'm trying to do is get a CSV file with the following fields: code:
code:
code:
code:
kiwid fucked around with this message at 21:09 on Dec 3, 2019 |
# ? Dec 3, 2019 21:05 |
|
You probably want to try to use a calculated property for the group members. I made this atrocity real quick code:
code:
code:
The Fool fucked around with this message at 21:30 on Dec 3, 2019 |
# ? Dec 3, 2019 21:26 |
|
The Fool posted: You probably want to try to use a calculated property for the group members.
Hell ya, this worked. Thanks.
|
# ? Dec 3, 2019 21:32 |
|
mystes posted: Yeah you don't need to set a passphrase for the key. All it does is encrypt the private key file in case it gets stolen from your computer somehow.
This is crossing into territory where you're better off setting up Ansible instead of rolling your own. Two prime reasons are, Ansible is a resume keyword that's good to have, and it has a password vault that you can access from the command line or a script/playbook. One of the things I like about Ansible is that it's a central configuration store for how you do things to remote systems. All the clients need is a consistent way to run remote commands. If only we had that in our environment.
|
# ? Dec 4, 2019 06:12 |
|
mllaneza posted:This is crossing into territory where you're better off setting up Ansible instead of rolling your own. Two prime reasons are, Ansible is a resume keyword that's good to have, and it has a password vault that you can access from the command line or a script/playbook.
|
# ? Dec 4, 2019 06:59 |
|
The latter, I would hope
|
# ? Dec 4, 2019 07:15 |
|
I wasn't even clear on whether Toast Museum currently had a way of sshing in to the servers at all, but I guess if they were set up for passphrase authentication and you really wanted to you could put all the passphrases in ansible, use it to copy the id file to each server and then ideally disable passphrase authentication?
|
# ? Dec 4, 2019 07:23 |
|
The issue wasn't making SSH connections per se, but rather making it usable for one-to-many operations by avoiding per-device passphrase entry and other confirmation/approval prompts. I'm still stuck doing monolithic imaging for macOS, so adding a couple public keys there was no problem, and disabling strict host key checking got it the rest of the way. I know that's a security risk, but the way I've been forced to run things in general involves so many big dumb security risks that this hardly budges the needle.
I remember looking briefly at Ansible some time ago and coming away with the impression that it's intended for infrastructure deployment, whereas I'm dealing with a bunch of workstations. I'd be using Active Directory and Jamf right now if I weren't being prevented from doing so by departmental turf-war nonsense. Have I got the wrong idea of what Ansible is for?
|
# ? Dec 4, 2019 08:15 |
|
No you don’t, but it is a flexible enough platform that if you have a consistent way to execute remote commands in your environment you can absolutely push configuration changes to workstations as well.
|
# ? Dec 4, 2019 19:44 |
|
I'm building a PowerShell wrapper for an API and am thinking about releasing it open source as a module. Does anyone have any links to best practices/standards for doing this so I don't embarrass myself?
|
# ? Dec 5, 2019 02:34 |
|
The Fool posted: I'm building a PowerShell wrapper for an API and am thinking about releasing it open source as a module. Does anyone have any links to best practices/standards for doing this so I don't embarrass myself?
I'd be interested in looking at it once you have it up. I've done a bunch of these API wrappers in powershell, they can be really cool. For best practices, my company has a module standard we use that I've never had to think twice about. At the basics you'll have your psd1, psm1, and readme files in the root. Then your private functions folder and public functions folder. We use one file per function which is nice, and the psm1 links it all together.
|
# ? Dec 5, 2019 03:20 |
|
mystes posted: I wasn't even clear on whether Toast Museum currently had a way of sshing in to the servers at all, but I guess if they were set up for passphrase authentication and you really wanted to you could put all the passphrases in ansible, use it to copy the id file to each server and then ideally disable passphrase authentication?
That would be a very good first use of a one-to-many system! I've got 2600-ish desktops in my part of the environment. I ran my Check-Hosts script against every system on the list. My hit rate for the PowerShell Remoting test was 30. I have Work To Do.
Check-Hosts takes a text file full of hostnames, a folder, and admin credentials (Get-Credential) to save reports in. It starts with a DNS lookup for each one, saving hostnames into DNS-Yes.txt and DNS-No.txt. It then takes DNS-Yes.txt and runs Test-Connection on all of those hosts and saves out Pingable.txt and Not-Pingable.txt. The pingable machines are then tested with Get-Service -computername and Enter-PSSession, saving results as before, plus I'm specifically catching authentication errors and saving those off into an extra file. I'm planning to add a psexec test to write something simple to a unique text file, and a Test-Path to see if it got created.
These tests helped us get the number of machines we could remotely push Acronis and KACE to from 45% of a random sample to 85%. Now I don't have to rely on hand-rolled tools to manage my network!
|
# ? Dec 5, 2019 04:14 |
|
The Fool posted: I'm building a PowerShell wrapper for an API and am thinking about releasing it open source as a module. Does anyone have any links to best practices/standards for doing this so I don't embarrass myself?
I've tried to find things but haven't had much luck. We've written a number of modules like that and released them as open source: https://github.com/umn-microsoft-automation. UMN-ActiveDirectory is one that I think we've organized the files the best and used AzureDevops for testing and publishing. UMN-Google and UMN-VMWareRA are used a ton in our production workloads, but I'm really not happy with how they do error handling (they don't do any at all) so I'm not sure I'd model any code you write after that. But like I said I haven't found good examples of big modules that are just REST API wrappers. Most of the big wrapper modules I've seen are wrapping .net Libraries rather than using the REST API directly.
|
# ? Dec 5, 2019 16:24 |
|
Rough timeline of a REST API wrapper I've started working on:
The jump in complexity between Invoke-RestMethod in PowerShell and System.Net.HttpClient in C# is loving steep.
|
# ? Dec 5, 2019 18:35 |
|
Toast Museum posted:Rough timeline of a REST API wrapper I've started working on:
|
# ? Dec 5, 2019 22:35 |
|
You mean I don't have to add newtonsoft to every project now?
|
# ? Dec 5, 2019 22:38 |
|
The Fool posted:You mean I don't have to add newtonsoft to every project now?
|
# ? Dec 5, 2019 22:47 |
|
mystes posted: It's really not that bad, it's just very verbose because c# doesn't have a built in helper method that does json serialization/deserialization for you. A lot of the .net api is pretty crufty, but they've been improving it slowly, and maybe now that they added a new json library to .net core 3.0 they'll eventually create helper methods for stuff like this since they're so commonly needed now.
No, that's fair, it does seem like mostly a verbosity issue. I wasn't even thinking of json, just the comparative fiddliness of instantiating a client, plus a request object to give the client, plus a response object to contain the results. Sounds straightforward enough when I put it that way, but I haven't messed with it enough yet for the details to fully sink in, so for now I definitely miss letting a cmdlet or two do all the work. On the upside, I'm just making this thing to avoid repetitive tasks and learn some coding in the process, so the only person sweating me about it is me.
|
# ? Dec 5, 2019 23:31 |
|
Toast Museum posted: No, that's fair, it does seem like mostly a verbosity issue. I wasn't even thinking of json, just the comparative fiddliness of instantiating a client, plus a request object to give the client, plus a response object to contain the results. Sounds straightforward enough when I put it that way, but I haven't messed with it enough yet for the details to fully sink in, so for now I definitely miss letting a cmdlet or two do all the work.
It's good stuff to learn because not only is understanding HTTP and REST API fundamentals useful but the way System.Net.HttpClient works is quite similar to equivalent libraries in other languages (e.g. requests in Python).
|
# ? Dec 6, 2019 01:11 |
|
How do I go about scripting some DNS and AD cleanup for servers that no longer exist? I have a trio of AWS autoscaling groups that launch and terminate Windows 2016 servers running IIS and as part of launch, the servers connect to a DMZ AD. When they get terminated by the ASG, they leave behind a valid AD computer object and a record in DNS and I want to clean those up on a routine basis. Can anyone point me in the right direction?
|
# ? Dec 11, 2019 22:06 |
|
https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps
The ActiveDirectory module, which is a part of RSAT but can be extracted and deployed independently. Use it to manage your AD objects, and if DNS and AD are set up properly, the DNS entries should be removed automatically based on your scavenging settings.
|
# ? Dec 11, 2019 22:15 |
|
Agrikk posted: How do I go about scripting some DNS and AD cleanup for servers that no longer exist?
Lifecycle termination hook lambda running a powershell core script to remove themselves from AD?
|
# ? Dec 12, 2019 03:02 |
|
When defining a function, is it possible to iterate over the parameters contained in a particular parameter set? I'm aiming for something like this: code:
|
# ? Dec 13, 2019 21:05 |
|
I've never done it but you should be able to accomplish what you want with either Dynamic Parameters or ValueFromRemainingArguments. Both are described here: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_functions_advanced_parameters?view=powershell-5.1
|
# ? Dec 13, 2019 22:21 |
|
Toast Museum posted: When defining a function, is it possible to iterate over the parameters contained in a particular parameter set? I'm aiming for something like this:
$PSBoundParameters is a dictionary. So you can either iterate over $PSBoundParameters.Keys and do something like this code:
code:
edit: if you are asking about actual parameter set (as defined on parameters of your function), you can get those by code:
Chrungka fucked around with this message at 01:40 on Dec 14, 2019 |
# ? Dec 14, 2019 01:01 |
|
Toast Museum posted: When defining a function, is it possible to iterate over the parameters contained in a particular parameter set? I'm aiming for something like this:
Based on your code snippet, why not just set a single parameter as an array and pass your search values in as a single object? That way you can dynamically generate your search filter array with another command and pipe it in to this command if you wanted to.
E; nevermind I see you're adding to a dictionary. Can you just accept a hashtable as your param type then?
Judge Schnoopy fucked around with this message at 02:08 on Dec 14, 2019 |
# ? Dec 14, 2019 02:00 |
|
Chrungka posted: edit: if you are asking about actual parameter set (as defined on parameters of your function), you can get those by
Yep, that's what I meant! God, the default formatting on these types is fucky; I'd actually poked around in $MyInvocation.MyCommand before posting and just hadn't managed to untangle the knot.
As written, that snippet does return the parameters for that parameter set, but it also returns parameters from __AllParameterSets, which need to be excluded. Happily, it turns out that the parameter sets to which a parameter has been explicitly assigned are identified in $MyInvocation.MyCommand.ParameterSets.Parameters.Attributes.ParameterSetName, an intuitive place to look if ever I've seen one.
Since $PSBoundParameters contains both the name and value of each parameter we're interested in (plus some we don't want), starting there and filtering out the pairs we don't need seemed more straightforward than starting from the parameter set. It does still seem more straightforward, but there is a wrinkle: enumerating the keys to use them in Where-Object means that we're dealing with an array of KeyValuePair objects rather than a dictionary. The KeyValuePairs can't be cast to a new dictionary (and ConvertTo-Json doesn't parse them correctly), so the dictionary has to be initialized first, then added to with a foreach.
Putting it all together, here's the reason I'm not currently binge-watching the new season of The Expanse: code:
Judge Schnoopy posted: Based on your code snippet, why not just set a single parameter as an array and pass your search values in as a single object? That way you can dynamically generate your search filter array with another command and pipe it in to this command if you wanted to.
I do intend to allow passing a hashtable to the function, but I don't care for it as the primary/only way to use it. Giving each of the API's search filters its own parameter within the function means that I can strongly type the parameters and leverage the parameter validation attributes, which seems like less of a pain than doing all the validation from scratch.
|
# ? Dec 14, 2019 06:06 |
|
So is the idea to have a function which accepts an arbitrary number of unnamed parameters? Unless I misread things that sounds like a bad idea that will very quickly become unsupportable unless it's intended on being a private function called by more accessible functions in the module.
|
# ? Dec 15, 2019 07:14 |
|
Pile Of Garbage posted: So is the idea to have a function which accepts an arbitrary number of unnamed parameters? Unless I misread things that sounds like a bad idea that will very quickly become unsupportable unless it's intended on being a private function called by more accessible functions in the module.
Not at all. The parameters are all named and defined within the function. They're all strongly typed and, where applicable, have an enum or validation attribute to make sure they only accept the right sorts of values. From an end-user perspective, they're completely normal parameters.
Most of the parameters, but not all of them, contribute to a hashtable that gets converted to a JSON object and passed to a REST API. All of the parameters that go into this hashtable belong to one particular parameter set. What I was looking for (and eventually found) was a programmatic way to say "take all of the bound parameters that belong to this one parameter set and do this with them."
|
# ? Dec 15, 2019 18:38 |
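One way to do what the Dec 14 and Dec 15 posts describe, as an added example that is not the code from the thread: it keeps only the bound parameters explicitly assigned to one parameter set, so validated filter values reach the JSON body while __AllParameterSets members and common parameters such as -Verbose do not. Find-Widget, its parameters and the URL are hypothetical.

```powershell
function Find-Widget {
    [CmdletBinding(DefaultParameterSetName = 'Search')]
    param(
        # No ParameterSetName: belongs to __AllParameterSets and must stay out of the body.
        [Parameter(Mandatory)]
        [uri]$BaseUri,

        [Parameter(ParameterSetName = 'Search')]
        [ValidateLength(1, 64)]
        [string]$Name,

        [Parameter(ParameterSetName = 'Search')]
        [ValidateSet('Active', 'Retired')]
        [string]$Status,

        [Parameter(ParameterSetName = 'Search')]
        [ValidateRange(1, 500)]
        [int]$Limit,

        [Parameter(ParameterSetName = 'ById', Mandatory)]
        [guid]$Id
    )

    $filterSet = 'Search'
    # Name -> ParameterMetadata; each entry's ParameterSets is keyed by set name.
    $metadata = $MyInvocation.MyCommand.Parameters

    # Build the dictionary first, then add to it: filtering $PSBoundParameters with
    # Where-Object would leave a loose array of KeyValuePair objects instead.
    $body = [ordered]@{}
    foreach ($pair in $PSBoundParameters.GetEnumerator()) {
        $meta = $metadata[$pair.Key]
        # Unassigned and common parameters only carry the '__AllParameterSets' key.
        if ($meta -and $meta.ParameterSets.ContainsKey($filterSet)) {
            $body[$pair.Key] = $pair.Value
        }
    }

    # Returned instead of sent, so the example runs offline.
    [pscustomobject]@{
        ParameterSet = $PSCmdlet.ParameterSetName
        Uri          = $BaseUri
        Json         = $body | ConvertTo-Json -Compress
    }
}

# Constructed call: -Verbose and -BaseUri are bound but do not appear in Json.
Find-Widget -BaseUri 'https://api.example.invalid/widgets' -Name 'pump' -Limit 10 -Verbose
```

Because the body is built only from parameters that passed their validation attributes, a caller cannot add arbitrary keys to the request the way a raw hashtable parameter would allow.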